diff --git a/examples/sealing.rs b/examples/sealing.rs
index 9cfadb1..c659b5d 100644
--- a/examples/sealing.rs
+++ b/examples/sealing.rs
@@ -5,7 +5,7 @@ fn main() {
     let text = "sealed text";
     let additional_text = "additional";
     let sealed_data =
-        SgxSealedData::seal_data(additional_text.as_bytes(), text.as_bytes()).unwrap();
+        SgxSealedData::<[u8]>::seal_data(additional_text.as_bytes(), text.as_bytes()).unwrap();
     let unsealed_data = SgxSealedData::unseal_data(&sealed_data).unwrap();
     let text: &str = unsealed_data.get_decrypt_text();
     println!("Unsealed text: {}", text);
diff --git a/src/bindings.rs b/src/bindings.rs
index b104d01..51bc275 100644
--- a/src/bindings.rs
+++ b/src/bindings.rs
@@ -1951,23 +1951,24 @@ const _: () = {
     [::std::mem::offset_of!(_tee_supp_data_descriptor_t, p_data) - 8usize];
 };
 pub type tee_supp_data_descriptor_t = _tee_supp_data_descriptor_t;
+pub type int8_t = i8;
+pub type int16_t = i16;
+pub type int32_t = i32;
+pub type int64_t = i64;
+pub type uint8_t = u8;
+pub type uint16_t = u16;
+pub type uint32_t = u32;
+pub type uint64_t = u64;
+pub type size_t = usize;
 extern "C" {
     pub fn dcap_quote_open() -> *mut ::std::os::raw::c_void;
-}
-extern "C" {
     pub fn dcap_get_quote_size(handle: *mut ::std::os::raw::c_void) -> u32;
-}
-extern "C" {
     pub fn dcap_generate_quote(
         handle: *mut ::std::os::raw::c_void,
         quote_buf: *mut u8,
         report_data: *const sgx_report_data_t,
     ) -> i32;
-}
-extern "C" {
     pub fn dcap_get_supplemental_data_size(handle: *mut ::std::os::raw::c_void) -> u32;
-}
-extern "C" {
     pub fn dcap_verify_quote(
         handle: *mut ::std::os::raw::c_void,
         quote_buf: *const u8,
@@ -1977,8 +1978,11 @@ extern "C" {
         supplemental_data_size: u32,
         supplemental_data: *mut u8,
     ) -> i32;
-}
-extern "C" {
+    pub fn dcap_generate_key(
+        handle: *mut ::std::os::raw::c_void,
+        key: *mut sgx_key_128bit_t,
+        key_request: *const sgx_key_request_t,
+    ) -> i32;
     pub fn dcap_quote_close(handle: *mut ::std::os::raw::c_void);
 }
 #[repr(C)]
diff --git a/src/quote.rs b/src/quote.rs
index dda9adb..a00b924 100644
--- a/src/quote.rs
+++ b/src/quote.rs
@@ -7,6 +7,50 @@ use std::ops::Deref;
 use std::sync::Mutex;
 use std::time::Instant;
 
+pub const SGX_FLAGS_INITTED: uint64_t = 0x0000_0000_0000_0001; //If set, then the enclave is initialized
+pub const SGX_FLAGS_DEBUG: uint64_t = 0x0000_0000_0000_0002; //If set, then the enclave is debug
+pub const SGX_FLAGS_MODE64BIT: uint64_t = 0x0000_0000_0000_0004; //If set, then the enclave is 64 bit
+pub const SGX_FLAGS_PROVISION_KEY: uint64_t = 0x0000_0000_0000_0010; //If set, then the enclave has access to provision key
+pub const SGX_FLAGS_EINITTOKEN_KEY: uint64_t = 0x0000_0000_0000_0020; //If set, then the enclave has access to EINITTOKEN key
+pub const SGX_FLAGS_KSS: uint64_t = 0x0000_0000_0000_0080; //If set enclave uses KSS
+pub const SGX_FLAGS_AEX_NOTIFY: uint64_t = 0x0000_0000_0000_0400; //If set, then the enclave enables AEX Notify
+pub const FLAGS_NON_SECURITY_BITS: uint64_t = 0x00FF_FFFF_FFFF_FFC0
+    | SGX_FLAGS_MODE64BIT
+    | SGX_FLAGS_PROVISION_KEY
+    | SGX_FLAGS_EINITTOKEN_KEY;
+pub const TSEAL_DEFAULT_FLAGSMASK: uint64_t = !FLAGS_NON_SECURITY_BITS;
+pub const FLAGS_SECURITY_BITS_RESERVED: uint64_t =
+    !(FLAGS_NON_SECURITY_BITS | SGX_FLAGS_INITTED | SGX_FLAGS_DEBUG | SGX_FLAGS_KSS);
+pub const MISC_NON_SECURITY_BITS: uint32_t = 0x0FFF_FFFF;
+pub const TSEAL_DEFAULT_MISCMASK: uint32_t = !MISC_NON_SECURITY_BITS;
+
+// TODO Intel sgx sdk 2.4
+pub const SGX_KEYSELECT_LICENSE: uint16_t = 0x0000;
+pub const SGX_KEYSELECT_PROVISION: uint16_t = 0x0001;
+pub const SGX_KEYSELECT_PROVISION_SEAL: uint16_t = 0x0002;
+pub const SGX_KEYSELECT_REPORT: uint16_t = 0x0003;
+pub const SGX_KEYSELECT_SEAL: uint16_t = 0x0004;
+
+// Key Policy
+pub const SGX_KEYPOLICY_MRENCLAVE: uint16_t = 0x0001; /* Derive key using the enclave's ENCLAVE measurement register */
+pub const SGX_KEYPOLICY_MRSIGNER: uint16_t = 0x0002; /* Derive key using the enclave's SINGER measurement register */
+pub const SGX_KEYPOLICY_NOISVPRODID: uint16_t = 0x0004; /* Derive key without the enclave's ISVPRODID */
+pub const SGX_KEYPOLICY_CONFIGID: uint16_t = 0x0008; /* Derive key with the enclave's CONFIGID */
+pub const SGX_KEYPOLICY_ISVFAMILYID: uint16_t = 0x0010; /* Derive key with the enclave's ISVFAMILYID */
+pub const SGX_KEYPOLICY_ISVEXTPRODID: uint16_t = 0x0020; /* Derive key with the enclave's ISVEXTPRODID */
+
+pub const SGX_KEYID_SIZE: size_t = 32;
+pub const SGX_CPUSVN_SIZE: size_t = 16;
+pub const SGX_CONFIGID_SIZE: size_t = 64;
+pub const SGX_KEY_REQUEST_RESERVED2_BYTES: size_t = 434;
+
+pub enum SealingKeyPolicy {
+    MrSigner,
+    MrEnclave,
+}
+
+pub type Sgx128BitKey = sgx_key_128bit_t;
+
 pub struct Quote {
     buf: Vec,
     report_body: *const sgx_report_body_t,
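Review bot: The attribute and misc masks are the security-critical part of this hunk and carry no explanation: `TSEAL_DEFAULT_FLAGSMASK` is `!FLAGS_NON_SECURITY_BITS`, which by the arithmetic above keeps bits 0 (INITTED), 1 (DEBUG), 3 and 56–63 in the key derivation, so a seal key derived under it differs between a debug and a production build of the same enclave. I would say so on the constant, e.g. `/// Attribute mask for seal-key derivation: binds the key to INITTED, DEBUG and the reserved high bits, so a DEBUG build cannot unseal production data (mirrors sgx_tseal.h).` — the value looks identical to Intel's header, but confirm against the SDK version you target. The `// TODO Intel sgx sdk 2.4` comment does not say what is left to do; either state it or make it a provenance note such as `// Key names, from Intel SGX SDK 2.4 sgx_key.h`. Two nits: the MRSIGNER comment has a typo (`SINGER`), and `SealingKeyPolicy` is a plain two-variant enum passed by value, so it should carry `#[derive(Debug, Clone, Copy, PartialEq, Eq)]`.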
@@ -277,6 +321,58 @@ impl IoctlClient {
 
         Ok(result.into())
     }
+
+    /// Generate a sealing key for the given policy and SGX report
+    /// The sealing key is used to encrypt/decrypt data in the enclave
+    /// The quote must be previously generated using the `generate_quote`
+    fn generate_sealing_key(
+        &mut self,
+        quote: &Quote,
+        policy: SealingKeyPolicy,
+    ) -> Result {
+        let report_body = unsafe { *quote.report_body };
+        let mut key_policy = match policy {
+            SealingKeyPolicy::MrSigner => SGX_KEYPOLICY_MRSIGNER,
+            SealingKeyPolicy::MrEnclave => SGX_KEYPOLICY_MRENCLAVE,
+        };
+
+        if (report_body.attributes.flags & SGX_FLAGS_KSS) != 0 {
+            const KEY_POLICY_KSS: uint16_t =
+                SGX_KEYPOLICY_CONFIGID | SGX_KEYPOLICY_ISVFAMILYID | SGX_KEYPOLICY_ISVEXTPRODID;
+            key_policy = key_policy | KEY_POLICY_KSS;
+        }
+
+        // Intel sgx sdk 1.8
+        let attribute_mask = sgx_attributes_t {
+            flags: TSEAL_DEFAULT_FLAGSMASK,
+            xfrm: 0,
+        };
+
+        let misc_mask: sgx_misc_select_t = TSEAL_DEFAULT_MISCMASK;
+
+        let mut key = sgx_key_128bit_t::default();
+        let key_request = sgx_key_request_t {
+            key_name: SGX_KEYSELECT_SEAL,
+            key_policy,
+            isv_svn: report_body.isv_svn,
+            reserved1: 0_u16,
+            cpu_svn: report_body.cpu_svn,
+            attribute_mask,
+            key_id,
+            misc_mask,
+            config_svn: report_body.config_svn,
+            reserved2: [0_u8; SGX_KEY_REQUEST_RESERVED2_BYTES],
+        };
+
+        let ret_code = unsafe { dcap_generate_key(self.handle()?, &mut key, &key_request) };
+        if ret_code < 0 {
+            return Err(RaTlsError::DcapError(
+                "Failed to generate DCAP sealing key".to_string(),
+            ));
+        }
+
+        Ok(key)
+    }
 }
 
 impl Drop for IoctlClient {
diff --git a/src/sealing.rs b/src/sealing.rs
new file mode 100644
index 0000000..9acdf8b
--- /dev/null
+++ b/src/sealing.rs
@@ -0,0 +1,2 @@
+#[cfg(feature = "occlum")]
+use crate::quote::{Quote, STATIC_QUOTE};
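Review bot: `key_id` is used as field shorthand in the `sgx_key_request_t` initializer but nothing in `generate_sealing_key` binds it, so unless a module-level `key_id` exists outside the hunk this does not compile — and a module-level one would be wrong anyway, because the key id has to vary per sealed blob. The usual pattern is for the sealer to pick a random id, persist it next to the ciphertext, and pass the same id back at unseal time, so it belongs in the signature: `key_id: sgx_key_id_t,` after `policy` (whatever type `sgx_key_request_t::key_id` has in bindings.rs; `SGX_KEYID_SIZE = 32` suggests a 32-byte array), with a doc line `/// `key_id` must be random per sealed blob and stored with it; the same id re-derives the same key.` The `unsafe { *quote.report_body }` deref also wants a `// SAFETY:` line stating that `report_body` points into `quote.buf` and `quote` outlives the copy — I assume that is the invariant `Quote` maintains, but it is not visible here. Finally, `ret_code < 0` treats every non-negative return as success; check that this matches what `dcap_generate_key` actually returns, since the other `dcap_*` error checks in this file are outside the hunk.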