Seven Layer
SCSA Vault

Sealing a file

How to seal and open files with SCSA Vault.

Seal a file

  1. Open SCSA Vault.
  2. Drag a file (or folder) onto the window, or click Seal.
  3. Choose what to bind to: CPU, GPU, or both (see Hardware binding).
  4. Optionally add a passphrase as a second factor on top of the hardware binding.
  5. Vault writes a sealed .scsa file next to the original. The original is left untouched — delete it yourself once you have verified the sealed copy opens.

The sealed file is ciphertext bound to the machine's measurement. On any other machine it contains nothing recoverable.

Open a sealed file

  1. On the same machine it was sealed to, drag the .scsa file onto Vault.
  2. Vault re-measures the hardware and derives the key. If the measurement matches, the file decrypts.
  3. If you set a passphrase, enter it — it is required in addition to the hardware match, never instead of it.

A sealed file opens only on the hardware it was bound to. If you need a file on a second machine, seal a copy to that machine as well, or use a GPU binding on an attested GPU both machines can reach.

What a seal contains

  • Ciphertext under an AEAD cipher, keyed by a hardware-derived key.
  • The binding policy (CPU / GPU / both, passphrase on/off).
  • No plaintext, and no copy of the key.

On this page