We first need to understand two enclave-related identities: the Enclave Identity and the Signing Identity. The Enclave Identity is represented by the value of MRENCLAVE, which is the cryptographic hash of the enclave log that records each step from building to initialization. Each value of MRENCLAVE corresponds to a specific Enclave Identity, so the Enclave Identity can be used to limit access to sealed data: only instances of that enclave can access the data. The value of MRENCLAVE also changes when the enclave is built as a different version. So when the Enclave Identity is used for sealing, the sealed data is tied to that one enclave build and is not shared across multiple versions of the enclave.
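The following is an added example, not code from the original page or from the SGX SDK: a simplified Python model of sealing to the Enclave Identity, showing that a rebuilt version of the enclave cannot unseal data sealed by the earlier build. The log step strings, `DEVICE_SECRET`, and the HMAC-based key derivation and cipher are assumptions standing in for the hardware's measurement and key derivation.

```python
import hashlib, hmac, os

def mrenclave(build_log):
    """Model: hash the ordered build-to-initialization log into one measurement."""
    h = hashlib.sha256()
    for step in build_log:
        h.update(len(step).to_bytes(4, "big") + step)  # length-prefix each step
    return h.digest()

def seal_key(device_secret, measurement):
    # Assumption: the sealing key mixes a per-device secret with the measurement.
    return hmac.new(device_secret, b"seal|" + measurement, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong identity => wrong key => bad tag
        raise ValueError("blob was not sealed under this enclave identity")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed sample inputs: two builds that differ only in the code page contents.
DEVICE_SECRET = b"\x11" * 32
V1_LOG = [b"create:size=0x100000", b"add:page0:code-v1", b"extend:page0", b"init"]
V2_LOG = [b"create:size=0x100000", b"add:page0:code-v2", b"extend:page0", b"init"]

def demo():
    blob = seal(seal_key(DEVICE_SECRET, mrenclave(V1_LOG)), b"db-password")
    # A fresh instance of the same build derives the same key and can unseal.
    same_build = unseal(seal_key(DEVICE_SECRET, mrenclave(V1_LOG)), blob)
    try:
        unseal(seal_key(DEVICE_SECRET, mrenclave(V2_LOG)), blob)
        other_build = "unsealed"
    except ValueError:
        other_build = "rejected"
    return same_build, other_build

if __name__ == "__main__":
    print(demo())
```

In practice this means data sealed under the Enclave Identity has to be migrated before an enclave upgrade, because the new build measures to a different MRENCLAVE.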