Deploy confidential workloads on GCP and AWS.

Documentation · Examples · Community

---

What is dstack-cloud?

dstack-cloud extends dstack to deploy containers on GCP Confidential VMs and AWS Nitro Enclaves. It provisions the VM, manages attestation, and handles networking. You get confidential computing on cloud infrastructure without running your own TDX hardware.

Your containers run with full security infrastructure out of the box: key management, remote attestation, hardened OS, and encrypted storage. Users can cryptographically verify exactly what's running.

Supported Platforms

Platform	Status	Attestation
Phala Cloud	Available	TDX
GCP Confidential VMs	Available	TDX + TPM
AWS Nitro Enclaves	Available	NSM
Bare metal TDX	Available	TDX

Quick Start

1. Create a project:

dstack-cloud new my-app
cd my-app

2. Edit your docker-compose.yaml:

services:
  vllm:
    image: vllm/vllm-openai:latest
    runtime: nvidia
    command: --model Qwen/Qwen2.5-7B-Instruct
    ports:
      - "8000:8000"

3. Deploy:

dstack-cloud deploy

4. Check status:

dstack-cloud status
dstack-cloud logs --follow

For the full walkthrough, see the Quickstart Guide.

Features

Zero friction onboarding

• Docker Compose native: Bring your docker-compose.yaml as-is. No SDK, no code changes.
• Encrypted by default: Network traffic and disk storage encrypted out of the box.

Hardware-rooted security

• Private by hardware: Data encrypted in memory, inaccessible even to the host.
• Reproducible OS: Deterministic builds mean anyone can verify the OS image hash.
• Workload identity: Every app gets an attested identity users can verify cryptographically.
• Confidential GPUs: Native support for NVIDIA Confidential Computing (H100, Blackwell).

Trustless operations

• Isolated keys: Per-app keys derived in TEE. Survives hardware failure. Never exposed to operators.
• Code governance: Updates follow predefined rules (e.g., multi-party approval). Operators can't swap code or access secrets.

Architecture

Your container runs inside a Confidential VM (Intel TDX on GCP, Nitro Enclave on AWS). GPU isolation is optional via NVIDIA Confidential Computing. The CPU TEE protects application logic. The GPU TEE protects model weights and inference data.

Core components:

• Guest Agent: Runs inside each CVM. Generates attestation quotes so users can verify exactly what's running. Provisions per-app cryptographic keys from KMS. Encrypts local storage. Apps interact via /var/run/dstack.sock.

• KMS: Runs in its own TEE. Verifies attestation quotes before releasing keys. Enforces authorization policies that operators cannot bypass. Derives deterministic keys bound to each app's attested identity.

• Gateway: Terminates TLS at the edge. Provisions ACME certificates automatically. Routes traffic to CVMs. Internal communication uses RA-TLS for mutual attestation.

• VMM: Parses docker-compose files directly — no app changes needed. Boots CVMs from a reproducible OS image. Allocates CPU, memory, and confidential GPU resources.

Full security model →

CLI Reference

dstack-cloud new <name>              # Create a new project
dstack-cloud config-edit             # Edit global configuration
dstack-cloud deploy                  # Deploy to cloud
dstack-cloud status                  # Check deployment status
dstack-cloud logs [--follow]         # View console logs
dstack-cloud stop                    # Stop the VM
dstack-cloud start                   # Start a stopped VM
dstack-cloud remove                  # Remove the VM and cleanup
dstack-cloud list                    # List all deployments
dstack-cloud fw allow <port>         # Allow traffic on a port
dstack-cloud fw deny <port>          # Block traffic on a port
dstack-cloud fw list                 # List firewall rules

SDKs

Apps communicate with the guest agent via HTTP over /var/run/dstack.sock. Use the HTTP API directly with curl, or use a language SDK:

Language	Install	Docs
Python	pip install dstack-sdk	README
TypeScript	npm install @phala/dstack-sdk	README
Rust	cargo add dstack-sdk	README
Go	go get github.com/Dstack-TEE/dstack/sdk/go	README

Documentation

Getting Started

• Quickstart - Deploy your first app on GCP or AWS
• Usage Guide - Deploying and managing apps
• Verification - How to verify TEE attestation

Cloud Platforms

• GCP Attestation - TDX + TPM attestation on GCP
• AWS Nitro Attestation - NSM attestation on AWS

For Developers

• Confidential AI - Inference, agents, and training with hardware privacy
• App Compose Format - Compose file specification

Self-Hosted / Bare Metal

• Deployment - Self-hosting on TDX hardware
• VMM CLI Guide - VMM command-line reference
• Gateway - Gateway configuration
• On-Chain Governance - Policy-based authorization

Reference

• Design Decisions - Architecture rationale
• FAQ - Frequently asked questions

Security

• Security Overview - Security documentation and responsible disclosure
• Security Model - Threat model and trust boundaries
• Security Best Practices - Production hardening
• Security Audit - Third-party audit by zkSecurity
• CVM Boundaries - Information exchange and isolation

FAQ

Why not use AWS Nitro / Azure Confidential VMs / GCP directly?

You can — but you'll build everything yourself: attestation verification, key management, Docker orchestration, certificate provisioning, and governance. dstack-cloud provides all of this out of the box.

Approach	Docker native	GPU TEE	Key management	Attestation tooling	Open source
dstack-cloud	✓	✓	✓	✓	✓
AWS Nitro Enclaves	-	-	Manual	Manual	-
Azure Confidential VMs	-	Preview	Manual	Manual	-
GCP Confidential Computing	-	-	Manual	Manual	-

Cloud providers give you the hardware primitive. dstack-cloud gives you the full stack: reproducible OS images, automatic attestation, per-app key derivation, and TLS certificates. No vendor lock-in.

How is this different from SGX/Gramine?

SGX requires porting applications to enclaves. dstack-cloud uses full-VM isolation (Intel TDX, AWS Nitro) — bring your Docker containers as-is. Plus GPU TEE support that SGX doesn't offer.

What's the performance overhead?

Minimal. Intel TDX adds ~2-5% overhead for CPU workloads. NVIDIA Confidential Computing has negligible impact on GPU inference. Memory encryption is the main cost, but it's hardware-accelerated on supported CPUs.

Is this production-ready?

Yes. dstack powers production AI at OpenRouter and NEAR AI. It's been audited by zkSecurity. It's a Linux Foundation Confidential Computing Consortium project.

Can I run this on my own hardware?

Yes. dstack-cloud runs on any Intel TDX-capable server. See the deployment guide for self-hosting instructions. You can also use Phala Cloud for managed infrastructure.

What TEE hardware is supported?

• GCP: Intel TDX (Confidential VMs)
• AWS: Nitro Enclaves (NSM attestation)
• Bare metal: Intel TDX (4th/5th Gen Xeon)
• GPUs: NVIDIA Confidential Computing (H100, Blackwell)

AMD SEV-SNP support is planned.

How do users verify my deployment?

Your app exposes attestation quotes via the SDK. Users verify these quotes using dstack-verifier, dcap-qvl, or the Trust Center. See the verification guide for details.

Trusted by

• OpenRouter - Confidential AI inference providers powered by dstack
• NEAR AI - Private AI infrastructure powered by dstack

dstack is a Linux Foundation Confidential Computing Consortium open source project.

Community

Telegram · GitHub Discussions · Examples

For enterprise support and licensing, book a call or email us at [email protected].

Cite

If you use dstack in your research, please cite:

@article{zhou2025dstack,
  title={Dstack: A Zero Trust Framework for Confidential Containers},
  author={Zhou, Shunfan and Wang, Kevin and Yin, Hang},
  journal={arXiv preprint arXiv:2509.11555},
  year={2025}
}

Media Kit

Logo and branding assets: dstack-logo-kit

License

This repository is licensed under the Business Source License 1.1 (BUSL-1.1). Per the terms in LICENSE, the Licensed Work is dstack-cloud.

BUSL-1.1 permits copying, modification, redistribution, and non-production use. Production use requires a commercial license. Book a call or email [email protected].