Secure enclaves like AWS Nitro Enclaves have some really cool properties that are used here:

- memory protection and isolation for Vault while it's running
- unsealing without the parent host getting the key (can't be observed)
- having an unseal key that can't be used unless inside the enclave via cryptographic attestation
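A simplified model of the third property (the unseal key is released only to an attested enclave), added here as an illustration and not taken from the comment above or from AWS or Vault code. It assumes a custodian that holds the unseal key (the role KMS plays for Nitro Enclaves) and an attestation document carrying PCR measurements; the HMAC stands in for the hypervisor's signature, and the PCR values, keys and nonces are constructed, since real Nitro attestation documents are COSE-signed CBOR with SHA-384 PCRs.

```python
import hashlib
import hmac
import json

# Constructed values for the simulation (not real measurements or keys).
NITRO_SIGNING_KEY = b"constructed-hypervisor-key"  # stands in for the Nitro attestation PKI
UNSEAL_KEY = b"constructed-vault-unseal-key"       # the secret the custodian guards

# Key-release policy: only this exact enclave image may receive the key.
# This mirrors a KMS key policy conditioned on kms:RecipientAttestation:PCR0 etc.
POLICY = {"PCR0": "a" * 96, "PCR1": "b" * 96, "PCR2": "c" * 96}


def sign_attestation(pcrs: dict, nonce: str) -> dict:
    """Simulated hypervisor: measures the enclave and signs the document.
    The parent host cannot produce this because it never holds the signing key."""
    doc = {"pcrs": dict(pcrs), "nonce": nonce}
    body = json.dumps(doc, sort_keys=True).encode()
    doc["signature"] = hmac.new(NITRO_SIGNING_KEY, body, hashlib.sha384).hexdigest()
    return doc


def release_unseal_key(doc: dict, expected_nonce: str, policy: dict = POLICY):
    """Custodian side: hand out the unseal key only to a correctly attested enclave.
    Returns (key, reason) on success or (None, reason) when refused."""
    sig = doc.get("signature")
    unsigned = {k: v for k, v in doc.items() if k != "signature"}
    body = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(NITRO_SIGNING_KEY, body, hashlib.sha384).hexdigest()
    if sig is None or not hmac.compare_digest(sig, expected):
        return None, "attestation signature invalid (not produced by the hypervisor)"
    if doc.get("nonce") != expected_nonce:
        return None, "nonce mismatch (stale or replayed attestation document)"
    for pcr, want in policy.items():
        if doc["pcrs"].get(pcr) != want:
            return None, f"{pcr} does not match the approved enclave image"
    # In the real flow KMS would also encrypt the key to the enclave's ephemeral
    # public key carried in the document, so the parent host relaying it sees ciphertext.
    return UNSEAL_KEY, "released"
```

A genuine document from the approved image gets the key; a document from a different image (changed PCR0), a host-forged document, or a replayed one is refused.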