dstack

Own your confidential cloud.

Open-source TEE infrastructure for apps, agents, and private AI without cryptography overhead.

LINUX
FOUNDATION
dstack
Phala
Google
AWS
DeepWiki GitHub
cloud.dstack.dev

Instances

Confidential workloads

Search instances...

Sessions by instance

completeactiveerror
prodstageagentgpudatatraindevedge
NameTypeRegionSessionsLast usedStatus
prod-tee-01H100 80GBUS-West-23472 minActive
staging-vm-04Intel TDX 16vCPUEU-Central-12188 minActive
ai-agent-m2AMD SEV-SNP 8vCPUUS-East-115612 minActive
inference-gpu-3H100 80GBUS-West-214215 minActive

Runtime-pad

Architectuurgaranties

dstack verandert TEE-hardware in een verifieerbaar runtime-pad voordat peers, keys of traffic worden vertrouwd.

01

Code-integriteit

02

Gegevensvertrouwelijkheid

03

Workload Identity

Bare Metal HostExternal UsersbrowserAPI clientagentGateway CVMdstack-gatewayGateway Serviceport 9202dstack-vmmHost Serviceport 9080create / manageApplication CVMGuest AgentDstackGuestRpcUnix Socket/var/run/dstack.sockDocker ContainerYour applicationKMS CVMdstack-kmsKMS Serviceport 9201Ethereum BlockchainDstackKmsDstackAppContractsHTTPSWireGuard VPNCreate / ManageBoot AuthorizationKey RequestRA-TLSAuthorization QuerySource: External Users → Gateway → VMM → App CVM / KMS CVM → Blockchain, from dstack_overview.mmd.

01

External users

HTTPS traffic enters through the gateway boundary.

02

Gateway CVM

dstack-gateway terminates public access and routes over WireGuard.

03

VMM

dstack-vmm creates and manages application CVMs on the host.

04

Application CVM

Guest Agent exposes the dstack socket to Docker workloads.

05

KMS CVM

dstack-kms verifies attestation before releasing secrets.

06

Blockchain policy

DstackKms and DstackApp contracts define authorization state.

07

Trust path

RA-TLS and key requests bind runtime state to access.

Lees design docs

Waarom Dstack

dstack is de volledige developer stack rond TEE-hardware: Docker-native launch, reproduceerbare runtime-state, geattesteerde keys, gateway-toegang, GPU-support en governance.

01

Onboarding zonder frictie

Docker Compose ongewijzigd meebrengen.

dstack gebruikt volledige VM-isolatie, zodat teams een bestaande docker-compose.yaml kunnen uitrollen zonder code te porteren naar enclave-specifieke SDK's. Netwerkverkeer en schijfstatus zijn standaard versleuteld.

compose
bewijs
policy

Confidential computing for AI

Hardware-backed TEEs with cryptographic verification

Active

42

Verified

98.7%

InstanceTypeTEEStatus
prod-inference-01H100 80GBVerifiedrunning
ml-training-04H200 141GBVerifiedrunning
data-pipeline-xIntel TDX 32vCPUVerifiedrunning
ai-agent-m2AMD SEV-SNP 16vCPUVerifiedrunning
staging-vm-09Intel TDX 8vCPUVerifiedidle

Trust Center

Inspectable proof graph.

Evidence objects connect the workload, source, image, event logs, hardware quote, KMS path, and gateway endpoint.

selected proof

Gateway attestation

status verified

report intel_quote

receipt gateway_app_id

Gateway

tls_endpoint

linked

Code

compose_hash

linked

OS Image

rtmr0..3

linked

KMS

app_key

linked

Logs

event_log

linked

02

Hardware-rooted security

Privé door hardware, verifieerbaar door iedereen.

Intel TDX beschermt app-geheugen tegen hostoperators. Reproduceerbare OS-images, workload-identiteit, RTMR-eventlogs en attestation-rapporten maken de runtime-status inspecteerbaar.

Trust Center bekijken
compose
bewijs
policy

03

Vertrouwensloze operaties

Sleutels en upgrades volgen het beleid.

Per-app keys worden binnen TEE’s afgeleid en pas vrijgegeven nadat attestatie is geslaagd. Code-governanceregels voorkomen dat operators workloads verwisselen of geheimen extraheren.

compose
bewijs
policy

Policy lifecycle

Effective policy is enforced.

governed

GPU Marketplace

Reserve confidential GPU capacity and keep the proof path intact.

H100H200B300Available now

NVIDIA H100

NVIDIA CC

from $2.38/hr

memory80GBregionus-east

TEE ready

NVIDIA H200

NVIDIA CC

from $3.20/hr

memory141GBregionus-east

verified

NVIDIA B300

NVIDIA CC

from $5.60/hr

memory288GBregionus-east

private AI

04

CPU- en GPU-TEE's

Eén runtime-pad voor services en modellen.

Draai CPU-services en NVIDIA Confidential Computing GPU's onder hetzelfde trustmodel, inclusief H100- en Blackwell-class private AI-workloads.

compose
bewijs
policy

05

Open source-stack

Open code, zichtbaar auditspoor.

dstack is een open-source Linux Foundation-project met een audit surface die ontwikkelaars kunnen inspecteren: code, reproduceerbare images, KMS-gedrag, gatewaypaden en beleidsstatus.

compose
bewijs
policy

audit report

dstack security review

PDF

Comparison

Hardware primitive vs full stack.

Cloud providers give you the TEE hardware primitive. dstack adds the reproducible OS, automatic attestation, per-app key derivation, TLS certificates, and smart contract governance.

Approach
Docker native
GPU TEE
Key management
Attestation tooling
Open source

dstack

Full open-source stack

AWS Nitro Enclaves

Hardware primitive

manual
manual

Azure Confidential VMs

Cloud platform primitive

preview
manual
manual

GCP Confidential Computing

Cloud platform primitive

manual
manual
No vendor lock-in
Bring Docker apps
Verify before trust

Start building

Build a confidential cloud you can inspect.

Use the repo when you want ownership. Use Phala Cloud when you want managed capacity. Keep GitHub, DeepWiki, and docs one click away.

GitHub DeepWikiDocsTry Phala Cloud

self-hosted

dstack-cloud

Run dstack control plane for your own hosts, AWS, GCP, or BYOH path.

AWS path

Nitro support

Use the Nitro Enclave support repo when AWS is the deployment boundary.

Phala

Private uitvoering. Verifieerbare resultaten.

Nieuwsbrief

© 2026 Hashforest Technology. Alle rechten voorbehouden. PrivacyVoorwaarden