Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.
1218 Discussions

Seal - Unseal in the same enclave vs. in two different enclaves

Criston__Anna
New Contributor I
253 Views

Hi, I was wondering if there is any difference between unsealing a secret message in the same enclave that you used to seal it vs. in another enclave, signed with the same private key, in terms of security?

One thing I have read in the developer guide is that the smaller the enclave, the more secure, so I guess that manipulating the secret data before sealing and after unsealing in two different enclaves makes each enclave smaller than having one enclave that you reload (because they would not run in parallel, but the unsealing one after the sealing one is destroyed). Are there any other aspects I should consider in terms of security when choosing between having one or two enclave for sealing-unsealing?

Thanks,

Anna

1 Solution
JesusG_Intel
Moderator
251 Views

Hello Anna,


Your thinking is spot on with regard to using two enclaves instead of one. Notice that the SealUnseal sample in the SGX SDK uses two different enclaves. By using two enclaves you minimize the attack surface of each enclave.


View solution in original post

1 Reply
JesusG_Intel
Moderator
252 Views

Hello Anna,


Your thinking is spot on with regard to using two enclaves instead of one. Notice that the SealUnseal sample in the SGX SDK uses two different enclaves. By using two enclaves you minimize the attack surface of each enclave.


View solution in original post

Reply