dstack

Own your confidential cloud.

Open-source TEE infrastructure for apps, agents, and private AI without cryptography overhead.

LINUX
FOUNDATION

DeepWiki GitHub

cloud.dstack.dev

Instances

Confidential workloads

Search instances...

Sessions by instance

completeactiveerror

NameTypeRegionSessionsLast usedStatus

prod-tee-01H100 80GBUS-West-23472 minActive

staging-vm-04Intel TDX 16vCPUEU-Central-12188 minActive

ai-agent-m2AMD SEV-SNP 8vCPUUS-East-115612 minActive

inference-gpu-3H100 80GBUS-West-214215 minActive

运行时路径

架构保障

dstack 在任何对等方、密钥或流量被信任之前，就把 TEE 硬件变成了可验证的运行路径。

代码完整性

数据保密性

工作负载身份

External users

HTTPS traffic enters through the gateway boundary.

Gateway CVM

dstack-gateway terminates public access and routes over WireGuard.

VMM

dstack-vmm creates and manages application CVMs on the host.

应用 CVM

Guest Agent exposes the dstack socket to Docker workloads.

KMS CVM

dstack-kms verifies attestation before releasing secrets.

Blockchain policy

DstackKms and DstackApp contracts define authorization state.

信任路径

RA-TLS and key requests bind runtime state to access.

阅读设计文档

为什么选择 Dstack

dstack 是围绕 TEE 硬件的完整开发者栈：Docker 原生启动、可复现运行时状态、经过证明的密钥、网关访问、GPU 支持和治理。

几乎零摩擦入门

原样引入 Docker Compose。

dstack 使用完整虚拟机隔离，因此团队可以直接部署现有的 docker-compose.yaml，而无需将代码移植到 enclave 专用 SDK 中。网络流量和磁盘状态默认加密。

compose

证明

policy

Confidential computing for AI

Hardware-backed TEEs with cryptographic verification

Active

Verified

98.7%

InstanceTypeTEEStatus

prod-inference-01H100 80GBVerifiedrunning

ml-training-04H200 141GBVerifiedrunning

data-pipeline-xIntel TDX 32vCPUVerifiedrunning

ai-agent-m2AMD SEV-SNP 16vCPUVerifiedrunning

staging-vm-09Intel TDX 8vCPUVerifiedidle

Trust Center

Inspectable proof graph.

Evidence objects connect the workload, source, image, event logs, hardware quote, KMS path, and gateway endpoint.

selected proof

Gateway attestation

status verified

report intel_quote

receipt gateway_app_id

Gateway

tls_endpoint

linked

Code

compose_hash

linked

OS Image

rtmr0..3

linked

KMS

app_key

linked

Logs

event_log

linked

硬件根安全

由硬件保护，任何人都可验证。

Intel TDX 可保护应用内存不受主机运营方访问。可复现的 OS 镜像、工作负载身份、RTMR 事件日志和证明报告使运行时状态可被审计。

查看信任中心

compose

证明

policy

无需信任的运维

密钥和升级遵循策略。

每应用密钥在 TEE 内生成，并且仅在证明通过后释放。代码治理规则可防止操作者替换工作负载或提取密钥。

compose

证明

policy

Policy lifecycle

Effective policy is enforced.

governed

GPU Marketplace

Reserve confidential GPU capacity and keep the proof path intact.

H100H200B300Available now

NVIDIA H100

NVIDIA CC

from $2.38/hr

memory80GBregionus-east

TEE ready

NVIDIA H200

NVIDIA CC

from $3.20/hr

memory141GBregionus-east

verified

NVIDIA B300

NVIDIA CC

from $5.60/hr

memory288GBregionus-east

private AI

CPU 和 GPU TEE

服务和模型共用一条运行路径。

在同一信任模型下运行 CPU 服务和 NVIDIA Confidential Computing GPU，包括 H100 和 Blackwell 级隐私 AI 工作负载。

compose

证明

policy

开源技术栈

开源代码，可见审计轨迹。

dstack 是 Linux Foundation 的开源项目，开发者可审计的范围包括：代码、可复现镜像、KMS 行为、网关路径和策略状态。

compose

证明

policy

audit report

dstack security review

PDF

Comparison

Hardware primitive vs full stack.

Cloud providers give you the TEE hardware primitive. dstack adds the reproducible OS, automatic attestation, per-app key derivation, TLS certificates, and smart contract governance.

Approach

Docker native

GPU TEE

Key management

Attestation tooling

Open source

dstack

Full open-source stack

AWS Nitro Enclaves

Hardware primitive

manual

Azure Confidential VMs

Cloud platform primitive

preview

manual

GCP Confidential Computing

Cloud platform primitive

manual

No vendor lock-in

Bring Docker apps

Verify before trust

Start building

Build a confidential cloud you can inspect.

Use the repo when you want ownership. Use Phala Cloud when you want managed capacity. Keep GitHub, DeepWiki, and docs one click away.

GitHub DeepWiki Docs Try Phala Cloud

self-hosted

dstack-cloud

Run dstack control plane for your own hosts, AWS, GCP, or BYOH path.

AWS path

Nitro support

Use the Nitro Enclave support repo when AWS is the deployment boundary.