You can seal/encrypt keys/other data inside an enclave and then save the encrypted blob to disk. By default, the sealed data will only be accessible by the enclave that created the encrypted blob. You can read a brief introduction about this here: https://software.intel.com/en-us/blogs/2016/05/04/introduction-to-intel-sgx-sealing
thank you Scott
so if i seal the keys inside enclave and save it as a sealed blob to disk.
will this assure me that the key will not be readable/accessible to any other cpu/sgx-system, In case if some one take the saved blob to different machine.
does this technique guarantee me in meeting the protection level that i have to give, for storing keys like HDCP.
Hi again Abdusamad.
That is correct, the seal key used by your enclave is, by default, only available to your enclave on that particular CPU. No other enclave running on that same CPU, nor your enclave running on another CPU, would have access to that same seal key and therefore be able to decrypt your data.
Yes, it can be used to give you that level of security. But, you need to be aware that because of that level of security, if you seal data with the seal key, and something happens to that CPU (the user's system dies, etc.), then even if you have access to the sealed data, you would never be able to decrypt it again. If you're ok with that, meaning you could re-supply the encrypted data to the user in some fashion, then this will work for you.
But, as an FYI, the way the sealed key is generally used is to seal server provided/provisioned keys, after your enclave has gone through the SGX remote attestation (RA) process. This way, if something happened to that platform, the data could still be decrypted on another platform after that platform went through SGX RA and the encryption/decryption keys were re-provisioned from the server. For more information about SGX RA, including a working code sample, please see this link: