EnclaveUnsealData function (winenclaveapi.h)

Decrypts an encrypted binary large object (blob).

Syntax

HRESULT EnclaveUnsealData(
  [in]            const VOID       *ProtectedBlob,
  [in]            UINT32           ProtectedBlobSize,
  [out]           PVOID            DecryptedData,
  [in]            UINT32           BufferSize,
  [out]           UINT32           *DecryptedDataSize,
  [out, optional] ENCLAVE_IDENTITY *SealingIdentity,
  [out, optional] UINT32           *UnsealingFlags
);

Parameters

[in] ProtectedBlob

A pointer to the sealed data to unseal. This data may be stored either within the address range of the enclave or within the address space of the host process.

[in] ProtectedBlobSize

The size of the sealed data to unseal, in bytes.

[out] DecryptedData

A pointer to a buffer where the unencrypted data should be placed. This data may be stored either within the address range of the enclave or within the address space of the host process. If this parameter is NULL, only the size of the decrypted data is calculated.

[in] BufferSize

The size of the buffer to which the DecryptedData parameter points, in bytes. If DecryptedData is NULL, BufferSize must be zero. If DecryptedData is not NULL, and if the size of the decrypted data is larger than this value, an error is returned.

[out] DecryptedDataSize

A pointer to a variable that receives the actual size of the decrypted data, in bytes.

[out, optional] SealingIdentity

An optional pointer to a buffer that should be filled with the identity of the enclave that sealed the data. If this pointer is NULL, the identity of the sealing enclave is not returned.

[out, optional] UnsealingFlags

An optional pointer to a variable that receives zero or more of the following flags that describe the encrypted binary large object.

Value Meaning
ENCLAVE_UNSEAL_FLAG_STALE_KEY (1) The data was encrypted with a stale key. Sealing keys are rotated when required for security, and the system can only maintain a fixed number of recently known keys. An enclave that determines that data was encrypted with a stale key should re-encrypt the data with a current key to minimize the chances that the key used to encrypt the data is no longer maintained in the key list.

Return value

If this function succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.

Remarks

The enclave that calls EnclaveUnsealData must meet the criteria that correspond to the value of the ENCLAVE_SEALING_IDENTITY_POLICY that was specified by the enclave that sealed the data by calling EnclaveSealData.

EnclaveUnsealData must be called from within an enclave, and is only supported within enclaves that have the ENCLAVE_TYPE_VBS enclave type.
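As an added example (not from this page or the Windows SDK), the caller-side pattern the parameter descriptions imply: query the size with DecryptedData set to NULL and BufferSize 0, allocate exactly that much, unseal, then check UnsealingFlags for ENCLAVE_UNSEAL_FLAG_STALE_KEY so the data can be re-sealed with a current key. UnsealBlob, UnsealFn, FakeUnseal, ERR_BUFFER_TOO_SMALL and the non-Windows stand-in typedefs are assumptions of this example; FakeUnseal models only the contract described above (no real sealing) so the logic can be exercised outside an enclave.

```c
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winenclaveapi.h>
#else /* Assumption: stand-in types/constants so the caller logic builds outside the SDK. */
#include <stdint.h>
typedef int32_t HRESULT; typedef uint32_t UINT32; typedef void VOID; typedef void *PVOID;
typedef struct { unsigned char Opaque[64]; } ENCLAVE_IDENTITY;   /* placeholder layout */
#define S_OK ((HRESULT)0)
#define E_INVALIDARG ((HRESULT)0x80070057L)
#define E_OUTOFMEMORY ((HRESULT)0x8007000EL)
#define SUCCEEDED(hr) ((hr) >= 0)
#define ENCLAVE_UNSEAL_FLAG_STALE_KEY 1
#endif
#define ERR_BUFFER_TOO_SMALL ((HRESULT)0x8007007AL) /* HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER) */
/* Same signature as EnclaveUnsealData: UnsealBlob can be driven by the real API in a VBS enclave or by FakeUnseal. */
typedef HRESULT (*UnsealFn)(const VOID *, UINT32, PVOID, UINT32, UINT32 *, ENCLAVE_IDENTITY *, UINT32 *);
/* Two-call pattern from the parameter descriptions: query the size with DecryptedData == NULL
 * and BufferSize == 0, allocate exactly that, unseal, and report ENCLAVE_UNSEAL_FLAG_STALE_KEY
 * so the caller can re-seal the data with a current key via EnclaveSealData. */
HRESULT UnsealBlob(UnsealFn unseal, const VOID *blob, UINT32 blobSize,
                   PVOID *out, UINT32 *outSize, int *staleKey)
{
    UINT32 needed = 0, flags = 0;
    HRESULT hr = unseal(blob, blobSize, NULL, 0, &needed, NULL, NULL);
    if (!SUCCEEDED(hr)) return hr;
    PVOID buf = malloc(needed ? needed : 1);
    if (!buf) return E_OUTOFMEMORY;
    hr = unseal(blob, blobSize, buf, needed, outSize, NULL, &flags);
    if (!SUCCEEDED(hr)) { free(buf); return hr; }
    *out = buf;
    *staleKey = (flags & ENCLAVE_UNSEAL_FLAG_STALE_KEY) != 0;
    return S_OK;
}
/* Constructed fake obeying this page's contract (no real cryptography): the "blob" is one
 * header byte whose low bit marks a stale key, followed by the plaintext. */
HRESULT FakeUnseal(const VOID *blob, UINT32 blobSize, PVOID dst, UINT32 dstSize,
                   UINT32 *written, ENCLAVE_IDENTITY *id, UINT32 *flags)
{
    const unsigned char *b = (const unsigned char *)blob;
    (void)id;                                   /* sealing identity is not modelled */
    if (!b || blobSize < 1) return E_INVALIDARG;
    UINT32 size = blobSize - 1;
    if (!dst) { if (dstSize != 0) return E_INVALIDARG; *written = size; return S_OK; }
    if (dstSize < size) return ERR_BUFFER_TOO_SMALL;
    memcpy(dst, b + 1, size);
    *written = size;
    if (flags) *flags = (b[0] & 1) ? ENCLAVE_UNSEAL_FLAG_STALE_KEY : 0;
    return S_OK;
}
```

Inside a real enclave, pass EnclaveUnsealData itself as the UnsealFn argument; the caller should re-seal any blob for which staleKey is reported.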

Requirements

Requirement Value
Minimum supported client Windows 10, version 1709 [desktop apps only]
Minimum supported server Windows Server 2016 [desktop apps only]
Target Platform Windows
Header winenclaveapi.h
Library Vertdll.lib
DLL Vertdll.dll

See also

Enclave functions

ENCLAVE_SEALING_IDENTITY_POLICY

EnclaveSealData

Vertdll APIs available in VBS enclaves