dstack

Own your confidential cloud.

Run Confidential AI and private inference in confidential VMs. dstack verifies the machine before it releases keys, so users can check what code is running.

bare metal

Intel TDX

AMD SEV-SNP

cloud

GCP TDX + TPM

AWS Nitro NSM

accelerators

NVIDIA Hopper / Blackwell CC

attestation.dstack

Runtime proof

Verify before key release.

dstack binds the compose file, OS image, hardware report, and KMS policy to one app identity.

image

pinned

quote

fresh

tcb

policy

key

sealed

01

compose

8df2...ad91

normalized hash

02

platform

verified

TDX / SNP / TPM / NSM

03

kms

allowed

policy-gated key release

04

gateway

bound

RA-TLS endpoint proof

accepted: TDX / SEV-SNP / TPM / NSM / NVIDIA CC

Runtime path

Architecture guarantees

dstack turns TEE hardware and cloud attestation evidence into a verifiable runtime path before peers, keys, or traffic are trusted.

01

Code Integrity

02

Data Confidentiality

03

Workload Identity

[Architecture diagram, from dstack_overview.mmd. Path: External Users → Gateway → VMM → App CVM / KMS CVM → Blockchain.]

Diagram labels:
Bare Metal Host
External Users: browser, API client, agent
Gateway CVM: dstack-gateway, Gateway Service, port 9202
dstack-vmm: Host Service, port 9080, create / manage
Application CVM: Guest Agent (DstackGuestRpc), Unix Socket /var/run/dstack.sock, App Container (Your application)
KMS CVM: dstack-kms, KMS Service, port 9201
Ethereum Blockchain: DstackKms, DstackApp, Contracts

Connection labels: HTTPS, WireGuard VPN, Create / Manage, Boot Authorization, Key Request, RA-TLS, Authorization Query

01

External users

HTTPS traffic enters through the gateway boundary.

02

Gateway CVM

dstack-gateway terminates public access and routes over WireGuard.

03

VMM

dstack-vmm creates and manages application CVMs on the host.

04

Application CVM

Guest Agent exposes the dstack API to workloads.

05

KMS CVM

dstack-kms verifies attestation before releasing secrets.

06

Blockchain policy

DstackKms and DstackApp contracts define authorization state.

07

Trust path

RA-TLS, compose hash, and key requests bind runtime state to access.


Why Dstack

dstack packages the parts teams usually wire by hand: VM launch, attestation, key release, and gateway access. GPU support and upgrade policy use the same path.

01

Compose file

Bring the compose file as-is.

dstack runs the app in a confidential VM, so teams can keep services and sidecars without rewriting around enclave SDKs.

Confidential computing for AI

Hardware-backed TEEs with cryptographic verification

Active

42

Verified

98.7%

Instance | Type | TEE | Status
prod-inference-01 | H100 80GB | Verified | running
ml-training-04 | H200 141GB | Verified | running
data-pipeline-x | Intel TDX 32vCPU | Verified | running
ai-agent-m2 | AMD SEV-SNP 16vCPU | Host support | running
gcp-api-09 | GCP TDX + TPM | Verified | idle

Trust Center

Inspectable proof graph.

Evidence objects connect the workload, source, image, event logs, hardware quote, KMS path, and gateway endpoint.

selected proof

Gateway attestation

status verified

report intel_quote

receipt gateway_app_id

Gateway

tls_endpoint

linked

Code

compose_hash

linked

OS Image

rtmr0..3

linked

KMS

app_key

linked

Logs

event_log

linked

02

Attestation

One identity for the workload.

The runtime checks the hardware report before it treats a VM as the same app, whether the host is bare metal, GCP, or AWS Nitro.


03

Operations

Keys follow the measurement.

Per-app keys are released only after attestation passes. Governance rules keep operators from swapping code or extracting secrets out of band.

Policy lifecycle

Effective policy is enforced.

governed

GPU Marketplace

Reserve confidential GPUs and keep the proof path intact.

H100 / H200 / B200 / Available now

NVIDIA H100

NVIDIA CC

from $2.38/hr

memory 80GB, region us-east

TEE ready

NVIDIA H200

NVIDIA CC

from $3.20/hr

memory 141GB, region us-east

verified

NVIDIA B200

NVIDIA CC

from $5.60/hr

memory 180GB, region us-east

Blackwell CC

04

CPU and GPU

Use the same proof path for models.

Run services on CPU TEEs, then move private inference workloads onto Hopper or Blackwell confidential GPUs without changing how the app proves itself.

05

Open source

Open code, visible audit trail.

dstack keeps the audit surface public: source, image state, KMS behavior, gateway paths, and policy state are available for review.

audit surface

dstack security review

public

review packet

Public artifacts, not a black box.

Source, design docs, image state, KMS behavior, gateway paths, and policy state stay inspectable around the running workload.

full audit report

source

Dstack-TEE/dstack

public

runtime

reproducible image state

pinned

kms

attestation-gated key release

reviewed

gateway

RA-TLS endpoint proof

bound

policy

authorization state

tracked

trust boundary

operator

runtime

user

Comparison

Hardware is only the starting point.

Cloud providers expose the Confidential Computing primitive. dstack adds the OS image, attestation flow, app keys, TLS, and upgrade policy around it.

dstack

Repo, runtime, and policy

Container native

GPU TEE

Key management

Attestation tooling

Open source

Direct AWS Nitro

Hardware primitive

Container native

GPU TEE

Key management

manual

Attestation tooling

manual

Open source

Direct Azure CVMs

Cloud platform primitive

Container native

GPU TEE

preview

Key management

manual

Attestation tooling

manual

Open source

Direct GCP Confidential VMs

Cloud platform primitive

Container native

GPU TEE

Key management

manual

Attestation tooling

manual

Open source

No vendor lock-in
Bring Compose apps
Verify before trust

Start building

Build a confidential cloud you can inspect.

Clone the OSS repo to self-host. Use Phala Cloud for one-click deployment. Keep GitHub, DeepWiki, and docs one click away.