dstack

dstack

Own your confidential cloud.

Open-source TEE infrastructure for apps, agents, and private AI without cryptography overhead.

LINUX
FOUNDATION
dstack
Phala
Google
AWS
DeepWiki GitHub
cloud.dstack.dev

Instances

Confidential workloads

Search instances...

Sessions by instance

completeactiveerror
prodstageagentgpudatatraindevedge
NameTypeRegionSessionsLast usedStatus
prod-tee-01H100 80GBUS-West-23472 minActive
staging-vm-04Intel TDX 16vCPUEU-Central-12188 minActive
ai-agent-m2AMD SEV-SNP 8vCPUUS-East-115612 minActive
inference-gpu-3H100 80GBUS-West-214215 minActive

Runtime path

Architecture guarantees

dstack turns TEE hardware into a verifiable runtime path before peers, keys, or traffic are trusted.

01

Code Integrity

02

Data Confidentiality

03

Workload Identity

Bare Metal HostExternal UsersbrowserAPI clientagentGateway CVMdstack-gatewayGateway Serviceport 9202dstack-vmmHost Serviceport 9080create / manageApplication CVMGuest AgentDstackGuestRpcUnix Socket/var/run/dstack.sockDocker ContainerYour applicationKMS CVMdstack-kmsKMS Serviceport 9201Ethereum BlockchainDstackKmsDstackAppContractsHTTPSWireGuard VPNCreate / ManageBoot AuthorizationKey RequestRA-TLSAuthorization QuerySource: External Users → Gateway → VMM → App CVM / KMS CVM → Blockchain, from dstack_overview.mmd.

01

External users

HTTPS traffic enters through the gateway boundary.

02

Gateway CVM

dstack-gateway terminates public access and routes over WireGuard.

03

VMM

dstack-vmm creates and manages application CVMs on the host.

04

Application CVM

Guest Agent exposes the dstack socket to Docker workloads.

05

KMS CVM

dstack-kms verifies attestation before releasing secrets.

06

Blockchain policy

DstackKms and DstackApp contracts define authorization state.

07

Trust path

RA-TLS and key requests bind runtime state to access.

Read design docs

Why Dstack

dstack is the full developer stack around TEE hardware: Docker-native launch, reproducible runtime state, attested keys, gateway access, GPU support, and governance.

01

Zero friction onboarding

Bring Docker Compose as-is.

dstack uses full-VM isolation, so teams can deploy an existing docker-compose.yaml without porting code into enclave-specific SDKs. Network traffic and disk state are encrypted by default.

compose
proof
policy

Confidential computing for AI

Hardware-backed TEEs with cryptographic verification

Active

42

Verified

98.7%

InstanceTypeTEEStatus
prod-inference-01H100 80GBVerifiedrunning
ml-training-04H200 141GBVerifiedrunning
data-pipeline-xIntel TDX 32vCPUVerifiedrunning
ai-agent-m2AMD SEV-SNP 16vCPUVerifiedrunning
staging-vm-09Intel TDX 8vCPUVerifiedidle

Trust Center

Inspectable proof graph.

Evidence objects connect the workload, source, image, event logs, hardware quote, KMS path, and gateway endpoint.

selected proof

Gateway attestation

status verified

report intel_quote

receipt gateway_app_id

Gateway

tls_endpoint

linked

Code

compose_hash

linked

OS Image

rtmr0..3

linked

KMS

app_key

linked

Logs

event_log

linked

02

Hardware-rooted security

Private by hardware, verifiable by anyone.

Intel TDX protects app memory from host operators. Reproducible OS images, workload identity, RTMR event logs, and attestation reports make the runtime state inspectable.

View Trust Center
compose
proof
policy

03

Trustless operations

Keys and upgrades follow policy.

Per-app keys are derived inside TEEs and released only after attestation passes. Code governance rules prevent operators from swapping workloads or extracting secrets.

compose
proof
policy

Policy lifecycle

Effective policy is enforced.

governed

GPU Marketplace

Reserve confidential GPU capacity and keep the proof path intact.

H100H200B300Available now

NVIDIA H100

NVIDIA CC

$2.18/hr

memory80GBregionus-east

TEE ready

NVIDIA H200

NVIDIA CC

$3.10/hr

memory141GBregionus-east

verified

NVIDIA B300

NVIDIA CC

$5.63/hr

memory288GBregionus-east

private AI

04

CPU and GPU TEEs

One runtime path for services and models.

Run CPU services and NVIDIA Confidential Computing GPUs under the same trust model, including H100 and Blackwell-class private AI workloads.

compose
proof
policy

05

Open source stack

Open code, visible audit trail.

dstack is an open-source Linux Foundation project with an audit surface developers can inspect: code, reproducible images, KMS behavior, gateway paths, and policy state.

compose
proof
policy

audit report

dstack security review

PDF

Comparison

Hardware primitive vs full stack.

Cloud providers give you the TEE hardware primitive. dstack adds the reproducible OS, automatic attestation, per-app key derivation, TLS certificates, and smart contract governance.

Approach
Docker native
GPU TEE
Key management
Attestation tooling
Open source

dstack

Full open-source stack

AWS Nitro Enclaves

Hardware primitive

manual
manual

Azure Confidential VMs

Cloud platform primitive

preview
manual
manual

GCP Confidential Computing

Cloud platform primitive

manual
manual
No vendor lock-in
Bring Docker apps
Verify before trust

Start building

Build a confidential cloud you can inspect.

Use the repo when you want ownership. Use Phala Cloud when you want managed capacity. Keep GitHub, DeepWiki, and docs one click away.

GitHub DeepWikiDocs

self-hosted

dstack-cloud

Run dstack control plane for your own hosts, AWS, GCP, or BYOH path.

AWS path

Nitro support

Use the Nitro Enclave support repo when AWS is the deployment boundary.