dstack is an open-source framework for confidential computing that enables running Docker containers inside Intel TDX Trusted Execution Environments (TEEs) with cryptographic privacy guarantees. It provides hardware-rooted security for AI applications and sensitive workloads without requiring code changes—just bring your docker-compose.yaml.
dstack solves a fundamental problem in cloud computing: how to run applications on untrusted infrastructure while maintaining data confidentiality. Traditional deployments require trusting the cloud provider, operators, and host system. dstack uses Intel TDX hardware to create Confidential Virtual Machines (CVMs) where application code and data remain encrypted in memory, inaccessible even to privileged host software or physical attackers with hardware access.
| Feature | Implementation | Code Location |
|---|---|---|
| Docker Compose Native | VMM parses docker-compose.yaml directly | vmm/src/compose.rs |
| Hardware-Rooted Trust | Intel TDX CVMs, optional NVIDIA H100/Blackwell GPU TEE | tdx-attest/ |
| Attestation-Based Keys | KMS derives keys only after TDX quote verification | kms/src/main_service.rs |
| Encrypted Storage | LUKS2 disk encryption, keys never leave TEE | dstack-util/src/storage.rs |
| Zero Trust Networking | WireGuard mesh + RA-TLS mutual attestation | gateway/src/proxy.rs ra-tls/ |
| On-Chain Governance | Ethereum smart contracts enforce authorization | kms/auth-eth/contracts/ |
What makes dstack different:
Sources:
dstack consists of four main components that work together to provide confidential computing infrastructure. Each runs as a separate Rust binary, with security-critical services isolated in their own TEEs.
Sources:
| Component | Binary | Trust Boundary | Key Functions |
|---|---|---|---|
| VMM | dstack-vmm | Untrusted host | VmmRpc::CreateVm, VmmRpc::StartVm, parses compose files in vmm/src/compose.rs |
| KMS | kms | TEE (CVM) | KmsRpc::GetAppKey, KmsRpc::SignCert, verifies quotes in kms/src/attestation.rs |
| Gateway | gateway | TEE (CVM) | GatewayRpc::RegisterCvm, TLS termination, WireGuard mesh in gateway/src/proxy.rs |
| Guest Agent | guest-agent | TEE (CVM) | DstackGuestRpc::GetKey, DstackGuestRpc::GetQuote, exposes SDK API via Unix socket |
| Supervisor | supervisor | Untrusted host | Spawns QEMU processes, monitors lifecycle in supervisor/src/main.rs |
| dstack-util | dstack-util | TEE (CVM) | Boot setup: cmd_sys_setup, LUKS2 encryption, WireGuard config in dstack-util/src/ |
Key architectural properties:
Sources:
This sequence shows how dstack establishes trust and provisions keys when deploying an application, mapping each step to actual code functions.
Deployment Flow Diagram
Key security properties enforced:
Sources:
App::create_vm, App::startcmd_sys_setupDstackGuestRpc::get_quoteKmsRpc::GetAppKeyGatewayRpc::RegisterCvmdstack's security derives from Intel TDX hardware, which provides memory encryption and cryptographic attestation. The trust model has three layers:
Trust Layers Diagram
What the host CANNOT do:
What users CAN verify:
Attestation stack:
| Layer | Crate | Function | Purpose |
|---|---|---|---|
| Hardware | tdx-attest | generate_quote() | TDX DCAP quote generation |
| Validation | dstack-attest | verify_quote() | Quote signature verification, TCB status |
| Certificate | ra-tls | ratls_cert() | Embed quote in X.509 certificate extension |
| Transport | ra-rpc | RaClient | RA-TLS for RPC communication |
Sources:
All cryptographic keys in dstack are derived deterministically from root secrets stored in the KMS TEE. This enables disaster recovery, multi-KMS deployments, and ensures keys are reproducible.
Key Derivation Hierarchy
Key derivation properties:
Implementation:
KmsState structderive_key(), derive_p256_key_pair()AppKeys structsetup_luks2()Sources:
Applications interact with the guest agent via HTTP over a Unix socket. SDKs provide language-idiomatic wrappers for the HTTP API.
SDK Architecture
SDK Methods Mapping:
| SDK Method | RPC Service | Backend Function | Purpose |
|---|---|---|---|
getKey(path) | DstackGuestRpc::GetKey | derive_key(app_id, path) | Derive deterministic key from path |
getQuote(reportData) | DstackGuestRpc::GetQuote | tdx_attest::generate_quote() | Generate TDX quote |
attest(reportData) | DstackGuestRpc::Attest | generate_quote() + RTMR log | Versioned attestation |
sign(data) | DstackGuestRpc::Sign | k256::sign() | Sign with app's K256 key |
verify(signature, data) | DstackGuestRpc::Verify | k256::verify() | Verify K256 signature |
getTlsKey() | DstackGuestRpc::GetTlsKey | Request cert from KMS | Get RA-TLS certificate |
emitEvent(event) | DstackGuestRpc::EmitEvent | extend_rtmr() | Extend RTMR3 with runtime event |
info() | DstackGuestRpc::Info | Read AppState | Get app info and TCB status |
SDK Packages:
| Language | Package | Installation | Implementation |
|---|---|---|---|
| Python | dstack-sdk | pip install dstack-sdk | sdk/python/ |
| JavaScript | @phala/dstack-sdk | npm install @phala/dstack-sdk | sdk/js/ |
| Rust | dstack-sdk | cargo add dstack-sdk | sdk/rust/ |
| Go | github.com/Dstack-TEE/dstack/sdk/go | go get | sdk/go/ |
Sources:
This introduction covered the high-level architecture and component mapping. For deeper information:
Sources:
Refresh this wiki
This wiki was recently refreshed. Please wait 4 days to refresh again.