$linuxjunkies

sealed key

also: TPM-sealed key, sealed encryption key, bound key

A cryptographic key that is bound to a specific system's hardware or firmware state, accessible only when that state matches, preventing the key from being used if the system is compromised or modified.

A sealed key is a security mechanism where a cryptographic key is encrypted and locked to specific hardware or firmware measurements on a Linux system. The key can only be decrypted and used when the system's current state (verified through measurements like TPM PCR values) matches the sealed state.

This is commonly implemented using Trusted Platform Module (TPM) functionality. For example, a disk encryption key might be sealed to the bootloader, kernel, and initramfs measurements, so it only unseals during a legitimate boot sequence. If an attacker modifies the bootloader or kernel, the PCR values change and the key remains inaccessible.

Sealed keys are essential in attestation and full disk encryption scenarios, particularly with tools like systemd-cryptsetup with TPM2, tpm2-tools, and clevis. They help protect against offline attacks and ensure keys are only available in trusted system states.
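The seal/unseal flow described above, as an added software model (not code from tpm2-tools, clevis or systemd-cryptsetup): a PCR extend chain, a simplified PolicyPCR digest, and a sealed blob that only unwraps when the live PCR state reproduces the sealed one. The storage-root secret, the boot component blobs and the policy encoding are constructed assumptions; a real TPM keeps the sealed object under its own storage root key and enforces the policy inside the chip.

```python
# Software model of TPM-style key sealing (added example; not code from tpm2-tools,
# clevis or systemd). A real TPM wraps the object under its storage root key and
# enforces PolicyPCR itself; here the policy digest is folded into the wrapping key
# so a PCR mismatch fails cryptographically. SRK and boot blobs are constructed.
import hashlib, hmac, os

PCR_INIT = bytes(32)  # a reset SHA-256 PCR reads all zeros


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    # TPM extend operation: new = SHA-256(old || SHA-256(component))
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components: list[bytes]) -> bytes:
    # Fold the ordered boot chain (bootloader, kernel, initramfs) into one PCR value
    pcr = PCR_INIT
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr


def policy_digest(pcr: bytes) -> bytes:
    # Simplified PolicyPCR: the digest commits to the PCR state the key is bound to
    return hashlib.sha256(b"PolicyPCR|" + pcr).digest()


def _kek(srk: bytes, policy: bytes) -> bytes:
    return hmac.new(srk, b"seal|" + policy, hashlib.sha256).digest()


def seal(secret: bytes, srk: bytes, pcr: bytes) -> dict:
    # Wrap a 32-byte secret (e.g. a LUKS volume key) to the current PCR state
    assert len(secret) == 32
    policy = policy_digest(pcr)
    kek, nonce = _kek(srk, policy), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, hmac.new(kek, nonce, hashlib.sha256).digest()))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return {"policy": policy, "nonce": nonce, "ct": ct, "tag": tag}


def unseal(blob: dict, srk: bytes, pcr: bytes) -> bytes:
    # Release the secret only if the live PCR state reproduces the sealed policy
    policy = policy_digest(pcr)
    if not hmac.compare_digest(policy, blob["policy"]):
        raise PermissionError("PCR state differs from sealed state; key stays sealed")
    kek = _kek(srk, policy)
    tag = hmac.new(kek, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise PermissionError("sealed blob failed integrity check")
    return bytes(a ^ b for a, b in zip(blob["ct"], hmac.new(kek, blob["nonce"], hashlib.sha256).digest()))


# Constructed boot chains: a modified kernel changes the PCR and hence the policy
SRK = b"constructed-storage-root-secret"
GOOD_BOOT = [b"bootloader-v1", b"kernel-6.x", b"initramfs-ok"]
TAMPERED_BOOT = [b"bootloader-v1", b"kernel-modified", b"initramfs-ok"]
```

Sealing with `seal(key, SRK, measure_boot(GOOD_BOOT))` and then unsealing against `measure_boot(TAMPERED_BOOT)` raises before any decryption happens, which is the behaviour a boot-time unlock relies on.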