📃
Confidential Computing 101
HomeTechnologyTry CC!
  • Welcome
  • Confidential Computing
    • What is Confidential Computing
    • What problems Confidential Computing solves
      • Bare Metal
      • Docker
      • Kubernetes
      • Knative
    • Why Confidential Computing
    • How Confidential Computing works
      • Memory Encryption
      • Workload Attestation
      • Confidential Boot
      • Sealing / Binding
      • Secret Provisioning
    • Technology Overview
    • Cloud Service Providers
  • Technology in depth
    • Intel SGX
      • Getting Started
        • Bare Metal Server Installation
        • Enclave Development Environment
        • Intel SGX SDK Setup
      • Technology
        • 🎭Features
        • 💂Threat Model
        • 🆚Versions
        • 🟦Concepts
          • 🏦Memory Encryption
          • 👮Local and Remote Attestation
          • 🖼️DCAP-Attestation Framework
          • 🔑Secret Key Provisioning
      • enclaive Development Kit
        • 🏢Architecture
        • 🌪️Workflow
        • 🌍Tutorials
          • Azure DCdsv3, DCsv2, or DCsv3 Setup
          • Redis in cK8s
          • MongoDB in cK8s
          • K8s + HashiCorp Vault on Azure DCsv3
      • Vault Remote Attestation Plug-In
        • 🏃‍♂️Initialization
        • 👮Attestation
        • ⚙️Configuration
    • Intel TDX
      • Getting Started
        • Azure
        • AWS
        • GCP
      • Technology
        • History
          • VT
          • TME/MKTME
          • SGX
        • Features
        • Threat Model
        • Concepts
          • Architecture
            • TDX Module
          • Memory Encryption
            • Confidentiality and Integrity
            • Keys and Key Management
          • TD Partitioning
          • DCAP-Attestation
            • Overview
            • Platform Registration
            • Attestation Report
    • AMD SEV
      • Getting Started
        • Azure
        • AWS
        • GCP
      • Technology
        • History
        • Threat Model
        • SME Concepts
          • Use Models
        • SEV-SNP Concepts
          • Features
            • Integrity Threats
            • Reverse Map Table
            • Page Validation
            • Page States
            • Virtual Machine Privilege Levels
            • Interrupt/Exception Protection
            • Trusted Platform Information
            • TCB Versioning
            • VM Launch & Attestation
            • VM Migration
            • Side Channels
          • Use Cases
          • Architecture
            • Encrypted Memory
            • Key Management
          • Software Implications
    • ARM CC
      • Technology
        • Introduction
        • Threat Model
        • Design
        • Comparison
    • Attestation Methods
      • Raw Attestation
      • Raw Attestation with Secure-Boot
      • Raw Attestation with a vTPM
        • AMD Secure VM Service Module and vTPMs
      • Raw Attestation with paravirtualized TPM
  • Resources
    • Youtube
    • Github
    • Products
Powered by GitBook
On this page

Was this helpful?

  1. Confidential Computing
  2. How Confidential Computing works

Sealing / Binding

Sealing or binding is a concept in confidential computing that refers to the process of securely protecting and encrypting data within a trusted execution environment (TEE) or secure enclave. It allows sensitive data to be securely bound to the enclave's identity or state, ensuring its confidentiality and integrity.

Here's an overview of how sealing or binding works in confidential computing:

Data Encryption

Before sealing or binding, the sensitive data is typically encrypted using encryption keys that are generated and managed within the TEE or secure enclave. This encryption ensures the data remains confidential and protected even if the enclave's state is compromised.

Sealing Process

The sealing process involves associating the encrypted data with the enclave's identity or state. This linkage ensures that the sealed data can only be accessed or decrypted within the same or compatible enclave with the same identity or state.

Enclave Identity or State

The sealing process may bind the sealed data to specific attributes of the enclave, such as its measurement, cryptographic identity, or other security properties. This ensures that the data can only be accessed within an enclave that matches the specified attributes.

Key Management

The sealing process often involves the management of encryption keys used for sealing and unsealing data. These keys are securely stored within the enclave, safeguarded against unauthorized access or extraction.

Unsealing Process

When the enclave needs to access the sealed data, it goes through an unsealing process. This process verifies the enclave's identity or state compatibility with the sealed data and decrypts the data using the appropriate encryption keys.

Sealing or binding in confidential computing provides a mechanism to protect sensitive data and ensure its confidentiality and integrity within secure enclaves. It prevents unauthorized access or tampering of the data, even if the enclave's state is compromised. By associating the data with the enclave's identity or state, sealing enables secure storage, transmission, and processing of sensitive information in confidential computing environments.

Last updated 1 year ago

Was this helpful?