Sealing / Binding

Before sealing or binding, the sensitive data is typically encrypted using encryption keys that are generated and managed within the TEE or secure enclave. This encryption ensures the data remains confidential and protected even if the enclave's state is compromised.

The sealing process involves associating the encrypted data with the enclave's identity or state. This linkage ensures that the sealed data can only be accessed or decrypted within the same or compatible enclave with the same identity or state.

The sealing process may bind the sealed data to specific attributes of the enclave, such as its measurement, cryptographic identity, or other security properties. This ensures that the data can only be accessed within an enclave that matches the specified attributes.

The sealing process often involves the management of encryption keys used for sealing and unsealing data. These keys are securely stored within the enclave, safeguarded against unauthorized access or extraction.

When the enclave needs to access the sealed data, it goes through an unsealing process. This process verifies the enclave's identity or state compatibility with the sealed data and decrypts the data using the appropriate encryption keys.