Article ID: 000059845 Content Type: Product Information & Documentation Last Reviewed: 07/12/2021

Is it Possible to Prevent any Application from Unsealing data if it loads the Intel® Software Guard Extensions (Intel® SGX) Enclave that Sealed the data?


Example method to prevent an enclave from returning unsealed data to the calling application


Unable to determine how to prevent an attacker from accessing unsealed data if it loads the enclave that originally sealed the data.


Implement a policy for checking a shared secret between the untrusted application and the enclave before the enclave returns the unsealed data.

Example policy:

  1. Create and seal a payload structure that includes a secret and the data.
  2. When unsealing the payload, the untrusted application provides the enclave the secret that was originally sealed with the data.
  3. The enclave compares the provided secret to the original secret that it sealed.
  4. If the secrets match, the enclave returns the data to the untrusted application.
Additional information

Refer to the Sealed Data section in the Intel SGX SDK Developer Reference Guide for Windows* for more information on preventing replay attacks.