Model sealing
SGX data sealing
In SGX, when an enclave is destroyed or closed, the secrets provisioned to the enclave are lost, which is the safest way to ensure privacy. However, when data needs to be preserved for future use within an enclave, it must be stored outside the enclave boundary before the enclave is closed. To protect and preserve that data, SGX provides a mechanism that allows enclave software to retrieve a key unique to that enclave. This key can only be generated by that enclave on that particular platform. Enclave software uses that key to encrypt data before writing it to the platform, or to decrypt data already stored on the platform. SGX refers to these encrypt and decrypt operations as sealing and unsealing.
In BlindAI we bind the sealing key to the MRENCLAVE. This means that only an enclave with the same MRENCLAVE, and therefore the same code, will be able to generate the key needed to unseal the data. Similarly, if any attribute related to the enclave changes, the MRENCLAVE changes as well and the sealed data can no longer be decrypted.
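To make the MRENCLAVE binding concrete, here is an added Python model of the policy described above. It is not BlindAI's code and not the SGX EGETKEY instruction (which derives the key inside the CPU): the platform secret and the enclave measurements are constructed values, and the HMAC-based cipher is a toy stand-in for the real sealing primitive.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the per-platform secret that SGX keeps in hardware.
PLATFORM_ROOT_SEAL_KEY = hashlib.sha256(b"constructed-platform-fuse-key").digest()


def mrenclave_of(enclave_code: bytes) -> bytes:
    """Model of MRENCLAVE: a hash over the enclave's code and initial state."""
    return hashlib.sha256(enclave_code).digest()


def derive_seal_key(mrenclave: bytes) -> bytes:
    """Sealing key bound to MRENCLAVE: same code on this platform -> same key.
    A different build (different MRENCLAVE) derives an unrelated key."""
    return hmac.new(PLATFORM_ROOT_SEAL_KEY, b"seal|" + mrenclave, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-in-counter-mode keystream (illustration only, not a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"ks|" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(mrenclave: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the enclave-bound key; output = nonce || ct || tag."""
    key = derive_seal_key(mrenclave)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac|" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(mrenclave: bytes, blob: bytes):
    """Return the plaintext, or None if the key (enclave identity) or blob is wrong."""
    key = derive_seal_key(mrenclave)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac|" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # different MRENCLAVE or tampered data: refuse to unseal
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def demo():
    """Seal with one enclave build; only the identical build can unseal."""
    model = b"constructed serialized model bytes"
    v1 = mrenclave_of(b"blindai server build 1")
    v2 = mrenclave_of(b"blindai server build 1 + any code change")
    blob = seal(v1, model)
    return unseal(v1, blob) == model, unseal(v2, blob) is None
```

The second element of `demo()` is the property the page describes: a rebuilt enclave whose code changed cannot recover the sealed model.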
Model sealing in BlindAI
When you upload a model to a BlindAI server instance, it is sealed by default, which means that the model is serialized, encrypted, and saved on the server's machine. At start-up, BlindAI unseals previously saved models so that you don't have to re-upload them after each server restart.
Deactivating sealing
If you want to upload a model without sealing it, you can specify this at upload time like so: