Private KI-Agenten

KI-Agents brauchen Privatsphäre am dringendsten.

Agents halten Ihre Schlüssel, Tokens, Inbox und Wallet — und handeln in Ihrem Namen. Betreiben Sie sie in einer attestierten CVM, in der der compose-hash den Geltungsbereich definiert und jede Aktion signiert ist.

Agentendokumentation lesen Mit Experten sprechen

Confidential agents, in production.

Personal, coding, security, financial, social, memory, MCP — pick a category, then drill into a specific framework to see how Phala slots into the runtime.

9:41▮▮ 5G ▰

‹

OpenClaw

bot

⌕

＋

Write a message...

◉

Visit Clawdi

Personal computer-use agent. Sessions, calendars, and inbox sealed in a CVM whose compose-hash IS the permission scope.

Agents · live on Phala Cloud.

Verified counts from Phala Cloud + ClickHouse. Compose-hashes are observed in the Cloud DB; trust-by-construction primitives sit in an attested CVM.

Agent CVMs deployed

12,783

cumulative · all frameworks

Compute hours

16.9M

fleet-wide · since Feb 2025

TDX quotes verified

1.10M

KMS attestation

Compose-hashes observed

2,591

distinct agent builds

Total CVMs deployed by framework

cumulative · since first deploy

1,585

1,545

604

279

168

Eliza

character agents

7 live · since 2024-12

Clawdi

OpenClaw

193 live · since 2026-01

BlueNexus

MCP servers

5 live · since 2025-10

Vijil

verifiable CI

since 2025-04

Agent Wallet

x402 · ERC-8004

1 live · since 2025-05

Hermes

Nous Research

7 live · since 2025-01

TDX nodes

GPU TEE teepods

8 · 64 GPUs

Regions

KMS instances

Failed quotes / 24h

1 / 35

Nutzen Sie jedes Agent-Framework. Konstruktiv versiegelt.

Coding-Agents

Claude Code, Codex, and verifiable CI agents like Vijil run in a CVM where the repo, secrets, and tool tokens stay sealed against the registered compose-hash. Every diff signed before merge.

CODING

marvin@Mac ~/ai-agent % claude code

Claude Code

sealed CVM

· [marvin@Mac] % claude

✓ scope: github.write

› refactor agents/...

⏺ sealed-token: github.pat ✓

✓ Sign-RPC 0x9c1a…

COMPUTER-USE

OpenClawbot

Triage today's inbox — Stanford threads.

tool · gmail.search

3 threads · 11 messages

sealed-token gmail.compose ✓

Computer-Use-Agenten

OpenClaw, Hermes, and Pi take over the browser, GUI, and OS — bounded by an attested compose-hash and KMS-gated credentials. Sessions, calendars, inbox stay sealed in the CVM.

Tool- & Memory-Agents

MCP servers (BlueNexus) attest to clients before they accept a connection — mutual RA-TLS. Long-term memory backends (Xtrace) seal shards per app-id; revoking the build evicts memory cleanly.

MCP · MEMORY

BlueNexus MCP

$ mcp connect mcp.bluenexus.ai▸ verifying TDX quote✓ mutual RA-TLS bound• search.web (sealed)• vault.unlock (multi-sig)

WALLET · SECURITY

Agent Walletx402

payment request

$24.00 USDC

api.confidential-llm.ai

scope≤ $50/daymulti-sig2/2 ✓

Wallet- und On-Chain-Agents

Agent Wallet (ERC-8004 + Coinbase x402) and Ironclaw (NEAR security) bind spending scope to the compose-hash. Multi-sig DstackApp gates every signing key; revoke compose-hash → kill access.

permission as identity · scope as compose-hash

Permission is identity. Identity is the compose-hash.

On dstack, an agent’s tool list and credential scope can’t drift from what its build authorizes — there’s no runtime path that widens privilege.

Attested launch

dstack-vmm boots the agent CVM. The TDX quote covers the full compose-hash — including system prompt, model digest, and tool list (all in the docker-compose).

Sealed credentials

User previously sealed OAuth tokens against this exact compose-hash. dstack-kms releases the wrap key only after the quote matches. No host process ever sees plaintext.

Mutual RA-TLS

When Agent A delegates to Agent B, each cert embeds a fresh TDX quote. Both sides run dcap-qvl on the peer and check DstackApp.sol for the allowed-delegates whitelist.

Bounded outbound

External tool (Gmail, Stripe, etc.) is outside the trust boundary. The OAuth token leaves only inside the outbound TLS handshake, scope upper-bounded by compose-hash.

Signed action log

Every tool call is appended inside the CVM and signed via Sign RPC. Tamper breaks the chain. Auditors verify without trusting Phala or the operator.

So funktioniert es

Gehen Sie Schritt für Schritt durch eine Multi-Agenten-Pipeline.

Schalten Sie dstack aus, um zu sehen, wie Zugangsdaten und Tool-Umfang auseinanderdriften.

Vertrauliche KI-Agenten auf dstack

Agenten-Computer in einer CVM · Sandboxes pro Unteragent · versiegelter Tresor · begrenzter Outbound-Kanal

aktiver Edgeinaktivneu in Schritt

Schritt 1 of 5 · scroll-aware

Schritt 1 / 5

Attested Boot — TDX Quote verifiziert den gesamten Computer

dstack-vmm bootet die Agentenlaufzeit als eine TDX-CVM. dstack-guest-agent gibt ein kombiniertes TDX-Zitat aus, das MRTD + RTMR0–3 + GPU Confidential mode abdeckt. Der Nutzer ruft das Zitat per RA-TLS ab und führt dcap-qvl lokal aus — die Vertrauensentscheidung erfolgt clientseitig und ist im Hardware-Root von Intel's TDX sowie in DstackKms.sol on-chain verankert. Phala Network wird nicht gebeten, sich selbst zu beglaubigen.

With dstack: Die Vertrauensbasis ist Intels TDX-Hardware-Signatur, on-chain verankert — jeder Client kann verifizieren, ohne Phala oder dem Cloud-Operator zu vertrauen.

live · Sign-RPC action log

Every tool call leaves a tamper-evident receipt.

Each row is a real-shaped Sign-RPC entry: agent identity, tool, args hash, and a per-app key signature that chains to the TDX root. Auditors verify the log offline — Phala isn't in the trust chain.

action.log · streaming

tamper detected · 0

tsagenttoolargssignatureverify

14:00:01support-bot-v3.2crm.readlookup(account=acme)0x9c1a…f7e2✓

14:00:03inbox-triagegmail.readlist(after=09:00)0x4f2c…a91e✓

14:00:04support-bot-v3.2stripe.readcharge(id=ch_3O…)0xc3d4…f7e2✓

14:00:08cal-botcalendar.readfree(2026-05-05, 30m)0xa1b2…d4f6✓

14:00:11pnl-monitorwallet.readbalance(addr=0xab…)0xe5f6…b8c0✓

14:00:14inbox-triagegmail.composedraft(thread=18b4…)0x7d8e…2f1a✓

14:00:18research-botweb.search"phala dstack v0.6"0x6e9f…c3d4✓

14:00:21devops-botgithub.writepr.merge(123)0xb1a2…f0e7✓

14:00:24support-bot-v3.2zendesk.writeticket.reply(8421)0x3d4e…7a8b✓

14:00:27cal-botcalendar.writecreate(slot=15:00)0x8c9d…e1f2✓

14:00:31pnl-monitorwebhook.sendalert(threshold=2.5%)0xf2e3…d4c5✓

14:00:35devops-botsentry.readerrors(env=prod)0x5b6c…7d8e✓

14:00:39inbox-triagegmail.readlist(label=INBOX)0xa9b8…c7d6✓

14:00:43research-botdoc.writeappend(notes.md)0x4e5f…6a7b✓

14:00:47awaiting next call————

chain · per-app key → KMS root → TDX root + DstackApp.sol14 rows · all verified offline

KI-Lösungswege

Verwenden Sie private Modelle, wenn KI mit Geheimnissen interagiert.

Der private Modell-Endpunkt ist der erste Einstiegspunkt. Dieselbe Datenschutz-Primitive lässt sich auf Agents, Daten-Workflows und Training ausweiten.

LLM API

Private AI-Inferenz

OpenAI-kompatible Modellaufrufe bereitstellen, bei denen Prompts, Outputs und Kundenkontext Schutz durch Verschlüsselung während der Nutzung benötigen.

Lösung öffnen

encrypted

DeepSeek V3.1

128K

$0.27/M input

encrypted

Qwen3 Coder

256K

$0.40/M input

encrypted

Llama 3.3 70B

128K

$0.15/M input

encrypted

GPT OSS 120B

128K

$0.10/M input

encrypted

Claude Sonnet 4.5

200K

$3.00/M input

encrypted

Gemini 2.5 Pro

$1.25/M input

Training

Private Modelltrainings

Passe Modelle an proprietäre Daten an, während Datensätze, Gradients, Checkpoints und Evaluations-Traces innerhalb der Grenze bleiben.

Lösung öffnen

private training run

Observe without exposing weights.

H100 CC

dataset

sealed

fine-tune

running

eval

private

checkpoint

verified

loss curve

proof attached

attestation.json

Data

Private KI-Daten

Modelle zu sensiblen Datensätzen verschieben und freigegebene Ausgaben zurückgeben, ohne Rohdaten dem Modellbetreiber offenzulegen.

Lösung öffnen

source

EHR data

source

Customer records

source

Internal docs

TEE clean room

query without raw access

approved output

aggregate only

no row exportproof linked

Deploy a confidential agent

Berechtigung als Identität. Umfang als Compose-Hash.

Stelle den Agenten als docker-compose bereit. Registriere den Compose-Hash. Versiegle die OAuth-Token. Jeder agentenübergreifende Aufruf verifiziert den Peer über RA-TLS erneut.

View docs Mit dem Vertrieb sprechen

01Mutual RA-TLS between agent CVMs
02Sealed OAuth tokens, KMS-gated
03Compose-hash IS the scope
04Outbound tools bounded by attested code
05Sign-RPC action log

Private Ausführung. Verifizierbare Ergebnisse.

Newsletter