Mysten Labs Launches Seal Decentralized Secrets Management on Testnet
Mysten Labs' newest creation, Seal, is a decentralized secrets management service that provides asymmetric encryption for a wide range of uses and app integrations. By combining onchain access policies with offchain services that generate decryption keys, Seal encrypts content so that it remains accessible only to authorized parties.
Seal was launched on Sui Testnet, letting builders familiarize themselves with the system and explore integration with their apps.
Despite the large amount of onchain data that needs protecting, the available solutions tend to be either use-case-specific, such as wallet services, or Web2-based, such as AWS KMS and GCP Cloud KMS. Seal offers builders a generalized solution that is safe, scalable, and performant. Because Seal controls access to data regardless of where that data is stored, it has wide utility.
Seal components
The Seal architecture uses offchain backend services that generate identity-based decryption keys and publish a corresponding public encryption key. An app can choose a t-out-of-n configuration of backend services as part of the threshold encryption mechanism, so that any t of the n services suffice to decrypt, and fewer than t cannot. The user decrypts content on the client side with their identity-based key through the Seal SDK, which interacts with the backend services.
The Seal client operates in conjunction with an onchain Seal policy, defined and managed using Move on Sui, that dictates the access structure. The policy defines when an identity-based key may be accessed and by whom. These onchain policies can encode a wide range of rules that apply to many use cases.
Use cases
Builders developing on Seal will come up with many ways to incorporate its flexible security architecture. Here are a few examples of how Seal can secure sensitive data in a safe and scalable manner:
Secure personal data on Walrus or some other storage infrastructure, such that it’s only accessible by the user who uploaded it.
Use time-lock encryption to transfer ownership of NFTs or other assets to another user within a specific time window.
Share secure content stored on Walrus or some other storage infrastructure for a specific set of users defined in an allowlist.
Publish gated content on a content subscription application for a verified list of subscribers.
Develop a chat app for end-to-end private messages using Sui and Walrus.
Builders interested in seeing a working app can check out the marketplace example app, built with Sui, Walrus, and Seal, which showcases allowlist-based and subscription-based access.
Building for security
Seal's initial Testnet release focuses on end-to-end flows for developers and users. This release allows thorough testing of Seal's primary functionality and also serves to gather community feedback, so that Seal operates in a manner that serves its users.
Feedback will also shape Seal's future development, as there are many features that could enhance its usefulness. Some potential directions for Seal development include:
Multi-party computation: Allow a multi-party computation (MPC) committee to operate a Seal backend using a t-out-of-n distributed key.
Server-side encryption: As an alternative to client-side encryption, allow decryption of data by Seal backends, letting builders create thin front-ends.
Digital rights management: Allow decryption on the client-side in a secure and trusted environment to ensure digital rights management (DRM), similar to how popular services such as Netflix, YouTube, and HBO use DRM technology.
Builders interested in Seal can check out the docs and begin exploring the SDK to build apps using its Testnet deployment.