EnclaveSealData function (winenclaveapi.h)
Generates an encrypted binary large object (blob) from unencrypted data.
Syntax
HRESULT EnclaveSealData(
[in] const VOID *DataToEncrypt,
[in] UINT32 DataToEncryptSize,
[in] ENCLAVE_SEALING_IDENTITY_POLICY IdentityPolicy,
[in] UINT32 RuntimePolicy,
[out] PVOID ProtectedBlob,
[in] UINT32 BufferSize,
[out] UINT32 *ProtectedBlobSize
);
Parameters
[in] DataToEncrypt
A pointer to the data that you want to seal. This data can be stored either within the address range of the enclave or within the address range of the host process.
[in] DataToEncryptSize
The size of the data that you want to seal, in bytes.
[in] IdentityPolicy
A value that specifies how another enclave must be related to the enclave that calls EnclaveSealData for the enclave to unseal the data.
[in] RuntimePolicy
A value that indicates whether an enclave that runs with debugging turned on is permitted to unseal the data the this call to EnclaveSealData seals.
| Value | Meaning |
|---|---|
ENCLAVE_RUNTIME_POLICY_ALLOW_FULL_DEBUG1 |
If specified, indicates that an enclave that runs with debugging turned on is permitted to unseal the data. If not specified, indicates that an enclave that runs with debugging turned on is not permitted to unseal the data. This flag is automatically included if the calling enclave is running with debugging turned on. |
ENCLAVE_RUNTIME_POLICY_ALLOW_DYNAMIC_DEBUG2 |
If specified, indicates that an enclave that runs with dynamic debugging turned on is permitted to unseal the data. If not specified, indicates that an enclave that runs with dynamic debugging turned on is not permitted to unseal the data. This flag is automatically included if the calling enclave is running with dynamic debugging turned on. |
[out] ProtectedBlob
A pointer to a buffer where the sealed data should be placed. This data may be stored either within the address range of the enclave or within the address space of the host process. If this parameter is NULL, only the size of the protected blob is calculated.
[in] BufferSize
A pointer to a variable that holds the size of the buffer to which the ProtectedBlob parameter points. If ProtectedBlob is NULL, this value must be zero. If ProtectedBlob is not NULL, and if the size of the encrypted data is larger than this value, an error occurs.
[out] ProtectedBlobSize
A pointer to a variable that receives the actual size of the encrypted blob.
Return value
If this function succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.
Remarks
EnclaveSealData must be called from within an enclave, and is only supported within enclaves that have the ENCLAVE_TYPE_VBS enclave type.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows 10, version 1709 [desktop apps only] |
| Minimum supported server | Windows Server 2016 [desktop apps only] |
| Target Platform | Windows |
| Header | winenclaveapi.h |
| Library | Vertdll.lib |
| DLL | Vertdll.dll |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for