Before the Intel SGX technology, the hardware platform was never part of the TCB for encrypting user data. This allowed the user to easily migrate their data, even if it was encrypted, from one platform to another. Now the CPU is used to help determine the enclave’s sealing key. Therefore, migrating a user’s data from one platform to the next now requires careful planning.
If an application is moved from an old Intel SGX system to a new Intel SGX system (platform upgrade) or from one processor to another (CPU replacement in a system or load balancing in a cloud environment) the enclave will not be able to unseal the data in the new platform. Data migration typically requires a back-end server that verifies the identity of the enclave on the old system and the enclave on the new system, and facilitates the key exchange between the two systems to share the data. Regardless of the specific method that an ISV uses to migrate data, the seal key should not be shared outside an enclave because it could compromise all data previously sealed by the enclave.