# SGX Sealing

Sealing is a technique for saving sensitive information to the untrusted disk. The data is encrypted so that it can only be decrypted by the same enclave that sealed it. In SGX, the enclave is the protected code and data that run inside the processor's trusted execution environment (TEE).

When sealing data to disk with SGX, the enclave encrypts it with a key that only the processor can produce: the processor derives it from its own fused root key combined with the enclave's identity, normally the enclave's measurement. The key is therefore unique to the enclave and to the processor, so the data can only be decrypted by the same enclave running on the same processor. Two consequences matter in practice: sealed data cannot be unsealed on another machine, so it is not a backup that survives a hardware migration, and a key bound to the exact measurement cannot be used by a rebuilt enclave whose code changed, so plan for re-sealing before upgrading the enclave (SGX also offers a signer-bound key policy, MRSIGNER, for that case).

The following code example demonstrates how to seal and unseal data from inside the enclave.

```toml
[dependencies]
detee-sgx = { git = "https://gitea.detee.cloud/general/detee-sgx", features = ["sealing"] }
```

```rust
// Sealing (body of a function returning a `Result`): the processor derives this
// enclave's sealing key, `seal_data` encrypts with it, and the resulting blob is
// safe to store on the untrusted disk. `path` is the caller's chosen location.
let sealed = detee_sgx::SealingConfig::new()?.seal_data(vec![1, 2, 3, 4])?;
std::fs::write(path, sealed).map_err(Into::into)

// Un-sealing (body of a function returning a `Result`): succeeds only in the same
// enclave on the same processor; the original bytes come back as `serialized`.
let sealed = std::fs::read(path)?;
let serialized = detee_sgx::SealingConfig::new()?.un_seal_data(sealed)?;
```

This example relies on `utils_lib`, which is present inside the Docker image that we provision, `detee/occlum:0.30.1-ubuntu20.04`. At runtime the library talks to the `/dev/sgx` device through IOCTL calls to the Occlum runtime, asking the processor to generate the sealing key for the enclave.

## Use-cases for sealing

Sealing is useful when you want to save sensitive data to disk so that it persists across software restarts, but you don't want anybody except your software to be able to read it or tamper with it. For example, you can use sealing to save a wallet key or a database encryption key to disk.

The main limitation is the performance of sealing big files. Because the sealing process in `detee-sgx` is kept simple, it works best for small payloads. When you have a lot of data to protect, we recommend using the native encryption facilities of your database or software for the bulk data and sealing only the encryption key.
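The following is an added model of the sealing properties described above and of the "seal only the key" pattern from the use-cases section; it is constructed for this page and is neither real SGX nor the `detee-sgx` crate. The `Cpu` class, the `MRENCLAVE`/`MRSIGNER` policy bytes, the `seal`/`unseal`/`seal_envelope` functions and all sample identities are assumptions chosen to illustrate the key binding, and the stdlib-only encrypt-then-MAC cipher stands in for the AES-GCM that real sealing uses.

```python
"""Model of SGX sealing-key binding, constructed for this page: not real SGX and not
the detee-sgx crate. It models what the text describes (the processor derives the
sealing key from its root key plus the enclave's identity, so only the same enclave
on the same processor can unseal), the two SGX key policies (MRENCLAVE vs MRSIGNER),
and the envelope pattern of sealing only a data-encryption key. The cipher is a
stdlib-only encrypt-then-MAC construction standing in for AES-GCM; not for production."""
import hashlib
import hmac
import os

MRENCLAVE, MRSIGNER = b"\x00", b"\x01"  # key-policy byte, stored in the blob header


class Cpu:
    """Stands in for the processor: holds the fused root key and never exposes it."""

    def __init__(self, root_key: bytes):
        self._root_key = root_key

    def get_key(self, policy: bytes, mrenclave: bytes, mrsigner: bytes) -> bytes:
        # Models EGETKEY: the key depends on the root key, the policy and the identity
        # that policy selects. MRENCLAVE binds to the exact code measurement; MRSIGNER
        # binds to the signer, so a re-signed upgraded build can still unseal.
        identity = mrenclave if policy == MRENCLAVE else mrsigner
        return hmac.new(self._root_key, b"seal" + policy + identity, hashlib.sha256).digest()


def _subkeys(key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from one secret."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _encrypt(key: bytes, aad: bytes, data: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _decrypt(key: bytes, aad: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unseal failed: different enclave or processor, or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def seal(cpu: Cpu, enclave: dict, data: bytes, policy: bytes = MRENCLAVE) -> bytes:
    """Seal `data` so only an enclave matching `policy` on `cpu` can unseal it.
    The policy byte is stored in clear but authenticated, like a sealed-blob header."""
    key = cpu.get_key(policy, enclave["mrenclave"], enclave["mrsigner"])
    return policy + _encrypt(key, policy, data)


def unseal(cpu: Cpu, enclave: dict, blob: bytes) -> bytes:
    policy, body = blob[:1], blob[1:]
    key = cpu.get_key(policy, enclave["mrenclave"], enclave["mrsigner"])
    return _decrypt(key, policy, body)


def seal_envelope(cpu: Cpu, enclave: dict, bulk: bytes) -> tuple:
    """Envelope pattern from the use-cases section: seal only a fresh data-encryption
    key (DEK) and encrypt the bulk data under the DEK, as a database would itself."""
    dek = os.urandom(32)
    return seal(cpu, enclave, dek), _encrypt(dek, b"bulk", bulk)


def open_envelope(cpu: Cpu, enclave: dict, sealed_dek: bytes, enc_bulk: bytes) -> bytes:
    return _decrypt(unseal(cpu, enclave, sealed_dek), b"bulk", enc_bulk)


def demo() -> dict:
    """Exercise the binding properties; returns which checks held (all should)."""
    cpu_a, cpu_b = Cpu(os.urandom(32)), Cpu(os.urandom(32))
    signer = hashlib.sha256(b"constructed signing key").digest()
    v1 = {"mrenclave": hashlib.sha256(b"enclave build v1").digest(), "mrsigner": signer}
    v2 = {"mrenclave": hashlib.sha256(b"enclave build v2").digest(), "mrsigner": signer}
    secret, bulk = b"wallet key (constructed sample)", b"database page " * 1000

    def fails(fn):
        try:
            fn()
            return False
        except ValueError:
            return True

    blob = seal(cpu_a, v1, secret)
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])  # flip one bit of the tag
    by_signer = seal(cpu_a, v1, secret, policy=MRSIGNER)
    sealed_dek, enc_bulk = seal_envelope(cpu_a, v1, bulk)
    return {
        "same_enclave_same_cpu_unseals": unseal(cpu_a, v1, blob) == secret,
        "other_cpu_fails": fails(lambda: unseal(cpu_b, v1, blob)),
        "rebuilt_enclave_fails_under_mrenclave": fails(lambda: unseal(cpu_a, v2, blob)),
        "tampered_blob_fails": fails(lambda: unseal(cpu_a, v1, tampered)),
        "rebuilt_enclave_unseals_under_mrsigner": unseal(cpu_a, v2, by_signer) == secret,
        "envelope_roundtrip": open_envelope(cpu_a, v1, sealed_dek, enc_bulk) == bulk,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

Running `demo()` shows the properties the page relies on: the blob only opens for the same identity on the same processor, any modification is detected, a measurement-bound blob is lost to a rebuilt enclave unless the signer-bound policy was chosen, and sealing a 32-byte DEK is enough to protect arbitrarily large data without sealing the data itself.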

Database key sealing