Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1481 Discussions

Seal - Unseal in the same enclave vs. in two different enclaves

Criston__Anna
New Contributor I
973 Views

Hi, I was wondering if there is any difference between unsealing a secret message in the same enclave that you used to seal it vs. in another enclave, signed with the same private key, in terms of security?

One thing I have read in the developer guide is that the smaller the enclave, the more secure, so I guess that manipulating the secret data before sealing and after unsealing in two different enclaves makes each enclave smaller than having one enclave that you reload (because they would not run in parallel, but the unsealing one after the sealing one is destroyed). Are there any other aspects I should consider in terms of security when choosing between having one or two enclave for sealing-unsealing?

Thanks,

Anna

1 Solution
JesusG_Intel
Moderator
971 Views

Hello Anna,


Your thinking is spot on with regard to using two enclaves instead of one. Notice that the SealUnseal sample in the SGX SDK uses two different enclaves. By using two enclaves you minimize the attack surface of each enclave.


View solution in original post

0 Kudos
1 Reply
JesusG_Intel
Moderator
972 Views

Hello Anna,


Your thinking is spot on with regard to using two enclaves instead of one. Notice that the SealUnseal sample in the SGX SDK uses two different enclaves. By using two enclaves you minimize the attack surface of each enclave.


0 Kudos
Reply