dstack

Own your confidential cloud.

Open-source TEE infrastructure for apps, agents, and private AI without cryptography overhead.

LINUX
FOUNDATION
dstack
Phala
Google
AWS
DeepWiki GitHub
cloud.dstack.dev

Instances

Confidential workloads

Search instances...

Sessions by instance

completeactiveerror
prodstageagentgpudatatraindevedge
NameTypeRegionSessionsLast usedStatus
prod-tee-01H100 80GBUS-West-23472 minActive
staging-vm-04Intel TDX 16vCPUEU-Central-12188 minActive
ai-agent-m2AMD SEV-SNP 8vCPUUS-East-115612 minActive
inference-gpu-3H100 80GBUS-West-214215 minActive

Runtime-Pfad

Architektur-Garantien

dstack macht aus TEE-Hardware einen verifizierbaren Runtime-Pfad, bevor Peers, Keys oder Traffic vertraut werden.

01

Code-Integrität

02

Datenvertraulichkeit

03

Workload Identity

Bare Metal HostExternal UsersbrowserAPI clientagentGateway CVMdstack-gatewayGateway Serviceport 9202dstack-vmmHost Serviceport 9080create / manageApplication CVMGuest AgentDstackGuestRpcUnix Socket/var/run/dstack.sockDocker ContainerYour applicationKMS CVMdstack-kmsKMS Serviceport 9201Ethereum BlockchainDstackKmsDstackAppContractsHTTPSWireGuard VPNCreate / ManageBoot AuthorizationKey RequestRA-TLSAuthorization QuerySource: External Users → Gateway → VMM → App CVM / KMS CVM → Blockchain, from dstack_overview.mmd.

01

External users

HTTPS traffic enters through the gateway boundary.

02

Gateway CVM

dstack-gateway terminates public access and routes over WireGuard.

03

VMM

dstack-vmm creates and manages application CVMs on the host.

04

Application CVM

Guest Agent exposes the dstack socket to Docker workloads.

05

KMS CVM

dstack-kms verifies attestation before releasing secrets.

06

Blockchain policy

DstackKms and DstackApp contracts define authorization state.

07

Vertrauenspfad

RA-TLS and key requests bind runtime state to access.

Design-Dokumente lesen

Warum Dstack

dstack ist der vollständige Developer-Stack rund um TEE-Hardware: Docker-native Starts, reproduzierbarer Runtime-State, attestierte Keys, Gateway-Zugriff, GPU-Support und Governance.

01

Reibungsloses Onboarding

Bringe Docker Compose unverändert mit.

dstack nutzt Full-VM-Isolation, sodass Teams eine bestehende docker-compose.yaml bereitstellen können, ohne Code in enclave-spezifische SDKs zu portieren. Netzwerkverkehr und Festplattenzustand werden standardmäßig verschlüsselt.

compose
Nachweis
policy

Confidential computing for AI

Hardware-backed TEEs with cryptographic verification

Active

42

Verified

98.7%

InstanceTypeTEEStatus
prod-inference-01H100 80GBVerifiedrunning
ml-training-04H200 141GBVerifiedrunning
data-pipeline-xIntel TDX 32vCPUVerifiedrunning
ai-agent-m2AMD SEV-SNP 16vCPUVerifiedrunning
staging-vm-09Intel TDX 8vCPUVerifiedidle

Trust Center

Inspectable proof graph.

Evidence objects connect the workload, source, image, event logs, hardware quote, KMS path, and gateway endpoint.

selected proof

Gateway attestation

status verified

report intel_quote

receipt gateway_app_id

Gateway

tls_endpoint

linked

Code

compose_hash

linked

OS Image

rtmr0..3

linked

KMS

app_key

linked

Logs

event_log

linked

02

Hardware-verankerte Sicherheit

Privat durch Hardware, von jedem verifizierbar.

Intel TDX schützt den Anwendungsspeicher vor Host-Betreibern. Reproduzierbare OS-Images, Workload-Identität, RTMR-Ereignisprotokolle und Attestierungsberichte machen den Laufzeitzustand überprüfbar.

Trust Center anzeigen
compose
Nachweis
policy

03

Vertrauenslose Operationen

Schlüssel und Upgrades folgen der Policy.

Pro-App-Schlüssel werden innerhalb von TEEs abgeleitet und erst nach bestandener Attestierung freigegeben. Code-Governance-Regeln verhindern, dass Operatoren Workloads austauschen oder Geheimnisse extrahieren.

compose
Nachweis
policy

Policy lifecycle

Effective policy is enforced.

governed

GPU Marketplace

Reserve confidential GPU capacity and keep the proof path intact.

H100H200B300Available now

NVIDIA H100

NVIDIA CC

from $2.38/hr

memory80GBregionus-east

TEE ready

NVIDIA H200

NVIDIA CC

from $3.20/hr

memory141GBregionus-east

verified

NVIDIA B300

NVIDIA CC

from $5.60/hr

memory288GBregionus-east

private AI

04

CPU- und GPU-TEEs

Ein Runtime-Pfad für Services und Modelle.

Betreiben Sie CPU-Services und NVIDIA Confidential Computing GPUs unter demselben Vertrauensmodell, einschließlich H100- und Blackwell-Klasse privater KI-Workloads.

compose
Nachweis
policy

05

Open-Source-Stack

Offener Code, sichtbarer Audit-Trail.

dstack ist ein Open-Source-Projekt der Linux Foundation mit einer Audit-Oberfläche, die Entwickler prüfen können: Code, reproduzierbare Images, KMS-Verhalten, Gateway-Pfade und Richtlinienstatus.

compose
Nachweis
policy

audit report

dstack security review

PDF

Comparison

Hardware primitive vs full stack.

Cloud providers give you the TEE hardware primitive. dstack adds the reproducible OS, automatic attestation, per-app key derivation, TLS certificates, and smart contract governance.

Approach
Docker native
GPU TEE
Key management
Attestation tooling
Open source

dstack

Full open-source stack

AWS Nitro Enclaves

Hardware primitive

manual
manual

Azure Confidential VMs

Cloud platform primitive

preview
manual
manual

GCP Confidential Computing

Cloud platform primitive

manual
manual
No vendor lock-in
Bring Docker apps
Verify before trust

Start building

Build a confidential cloud you can inspect.

Use the repo when you want ownership. Use Phala Cloud when you want managed capacity. Keep GitHub, DeepWiki, and docs one click away.

GitHub DeepWikiDocsTry Phala Cloud

self-hosted

dstack-cloud

Run dstack control plane for your own hosts, AWS, GCP, or BYOH path.

AWS path

Nitro support

Use the Nitro Enclave support repo when AWS is the deployment boundary.

Phala

Private Ausführung. Verifizierbare Ergebnisse.

Newsletter

© 2026 Hashforest Technology. Alle Rechte vorbehalten. DatenschutzNutzungsbedingungen