Seal is a decentralized secrets management (DSM) service that relies on access control policies defined and validated on Sui. Application developers and users can use Seal to secure sensitive data at rest on decentralized storage like Walrus, or on any other onchain / offchain storage.
Important
Seal Beta is in Testnet. Refer to the Seal Beta Terms of Service.
- Encryption and Decryption: Seal supports encryption of sensitive data using a secret sharing mechanism, where one can encrypt sensitive data using different public keys, and store those on Walrus or another storage. When needed, one can decrypt the encrypted parts using private keys generated by off-chain key servers (see below). Seal currently supports client-side encryption (CSE) where the application / user is responsible to encrypt and decrypt the data.
- Access control on Sui: Seal leverages Sui for controlling access to the decryption keys, and thus allows access control for the sensitive data itself. A user can achieve this by implementing an application specific Move package which must follow some Seal conventions. The application specific logic in the Move package controls when to allow or disallow access to a key, and this flexibility provides a way to realize a number of authorization scenarios. Refer to Seal design and Using Seal for details.
- Decentralized gatekeeping using off-chain servers: Seal key server is a simple and lightweight service which is queried by an application or user to validate the access control on Sui and to generate a identity-based private key which can be further used to decrypt the encrypted data. Different parties can operate their own Seal key servers, thus allowing users to realize
t-out-of-nthreshold encryption. In such a scenario,nis the number of total Seal key servers, andtis the threshold number of key servers that a user chooses for their use case. Seal does not require any specific key server to be used, and applications or users can choose their preferred key servers based on their trust assumptions or regulatory requirements. Refer to Seal design and Using Seal for details. - Seamless access: Applications can interact with Seal key servers using software development kits (SDKs). The typescript SDK is available through npm.
Note
Currently there are two separate Mysten Labs managed Testnet Seal key servers. Users can choose 1-out-of-1, 1-out-of-2 or 2-out-of-2 key servers for threshold encryption. More key servers managed by other parties would come online later. If you’re interested in operating one, reach out to the Sui Foundation or Mysten Labs team.
There are a number of Web3 use cases that could utilize Seal to secure sensitive data in a safe and scalable manner. Some of those are:
- Secure personal data on Walrus or some other storage, such that it’s only accessible by the user who uploaded it.
- Share secure content stored on Walrus or some other storage with a specific allowlist of users.
- Share gated content on a content subscription application with a verified list of subscribers.
- Realize end-to-end private messages using Sui and Walrus.
- Implement secure voting and MEV resilient trading in Move.
- and more…
We’re looking for community feedback on what other capabilities would make sense to add to Seal. Some options are:
- Realize a Seal key server with a Multi-party computation (MPC) committee.
- Support Server-side encryption (SSE) to allow decryption of the secret data by Seal key servers, as an alternative to, or an extension of, client-side encryption (CSE).
- Digital Right Management (DRM) to allow encryption and decryption on the client-side in a secure & trusted environment, similar to how popular streaming services like Netflix, Youtube, HBO etc. use the DRM technology.
Even though Seal is supposed to be a generic and flexible secret management service for a variety of use cases, following are not its supposed goals. We do not recommend using Seal for such use cases and instead ask that you look for a more relevant product / service.
- Seal is not a key management service like AWS KMS or any other such Web2 service, in the sense that Seal backends do not store any application or user specific keys. A Seal key server only stores its specific master key pair, where the master public key is used by users to encrypt sensitive data, and the master private key is used to derive identity-based keys to decrypt the data.
- Seal is not a privacy preserving technology like zkLogin. Instead Seal is supposed to be a collection of components allowing application developers and users to secure sensitive data on- or off-chain by using the security properties of threshold encryption, Sui, and Move.
- Seal should not be used to store highly sensitive data like a user’s wallet keys, or regulated personal data like PHI (personal health information), or any local / state / federal government-level secret data, or other data of similar sensitivity. Some advanced capabilities may be added to Seal in future to allow using it for some of such use cases, but those do not exist yet.
For questions about Seal, use case discussions, or integration support, contact the Seal team on Sui Discord.
