This document provides a high-level introduction to the dstack confidential computing framework. It covers the core concepts, system architecture, and component interactions necessary to understand how dstack enables confidential AI deployments with hardware-rooted security guarantees.
For detailed information about specific aspects of dstack:
dstack is an open-source framework for deploying confidential AI applications inside Trusted Execution Environments (TEEs) with cryptographic verification. It enables developers to run Docker containers inside Intel TDX Confidential Virtual Machines (CVMs) with optional NVIDIA GPU isolation, providing hardware-level privacy guarantees that are independently verifiable by end users.
Key characteristics:
| Aspect | Description |
|---|---|
| Zero-friction onboarding | Standard docker-compose.yaml files work as-is with no code changes |
| Hardware-rooted security | Intel TDX provides memory encryption; NVIDIA H100/Blackwell GPUs provide confidential computing |
| Cryptographic verification | Every CVM generates TDX attestation quotes that users can verify independently |
| Deterministic key derivation | Keys are derived from hardware measurements and never exposed to operators |
| On-chain governance | Authorization policies enforced via Ethereum smart contracts |
For a detailed explanation of dstack's purpose and use cases, see What is dstack?
Sources: README.md21-42 docs/deployment.md1-11
A TEE is a hardware-isolated execution environment that protects code and data from external access, including the host operating system and hypervisor. dstack uses Intel TDX (Trust Domain Extensions), which provides:
dstack runs applications inside CVMs—virtual machines with TEE protection. Each CVM:
Attestation is the process of cryptographically proving what software is running inside a TEE. dstack implements RA-TLS, which embeds attestation quotes directly into TLS certificates:
RA-TLS implementation: ra-tls/src/lib.rs
Attestation verification: dstack-attest/src/lib.rs
Sources: docs/deployment.md162 high-level diagram 2
dstack implements hierarchical key derivation where:
Key types:
| Key Type | Derivation Context | Purpose |
|---|---|---|
| App CA P256 | app_id + "app-ca" | Certificate authority for app's TLS certs |
| Disk Encryption Key | app_id + instance_id | LUKS2 disk encryption |
| Environment Key X25519 | app_id | Decrypt Docker secrets |
| App K256 Key | app_id + "app-key" | Ethereum-compatible signing |
Sources: kms/src/lib.rs high-level diagram 4
dstack consists of four core components that run across the host-CVM boundary:
Sources: Cargo.toml16-56 high-level diagram 1
The VMM runs on the bare-metal TDX host and orchestrates CVM lifecycle:
target/release/dstack-vmmvmm.tomldstack-vmm-rpc on port 9080App at vmm/src/app.rsVmWorkDir at vmm/src/app/vm_workdir.rsKey responsibilities:
docker-compose.yaml files into normalized formatsupervisor process managerFor detailed VMM documentation, see Virtual Machine Manager (VMM)
Sources: vmm/src/main.rs vmm/src/app.rs Cargo.toml27
The KMS runs inside its own CVM and acts as the trust anchor:
target/release/dstack-kmskms.tomldstack-kms-rpc on port 9201 (RA-TLS)KmsState at kms/src/lib.rsRpcHandler at kms/src/rpc_impl.rsKey responsibilities:
auth-api (blockchain or config-based)For detailed KMS documentation, see Key Management System (KMS)
Sources: kms/src/main.rs kms/src/lib.rs Cargo.toml17
The Gateway runs inside a CVM and provides external-facing ingress:
target/release/dstack-gatewaygateway.tomldstack-gateway-rpc on port 9202 (HTTPS + RA-TLS)Proxy at gateway/src/lib.rsProxyState and ProxyInner at gateway/src/state.rsKey responsibilities:
wavekv::KvStorecertbot::DistributedCertBotFor detailed Gateway documentation, see dstack Gateway
Sources: gateway/src/main.rs gateway/src/lib.rs Cargo.toml29
The guest agent runs inside every CVM (KMS, Gateway, and application CVMs):
target/release/dstack-guest-agentguest-agent.tomldstack-guest-agent-rpc on port 9205DstackGuestRpc at guest-agent/rpc/proto/dstack_guest.proto/var/run/dstack.sockKey responsibilities:
tdx-attest crateFor detailed guest agent documentation, see Guest Agent
Sources: guest-agent/src/main.rs guest-agent/rpc/proto/dstack_guest.proto Cargo.toml25-26
dstack components communicate using multiple protocols optimized for different use cases:
Sources: Cargo.toml89 Cargo.toml172 high-level diagram 3
| Service | Port | Protocol | Purpose |
|---|---|---|---|
dstack-vmm | 9080 | HTTP | VM management API |
dstack-kms | 9201 | RA-TLS | Key provisioning with attestation |
dstack-gateway | 9202 | HTTPS + RA-TLS | Public ingress + internal mesh |
dstack-gateway | 8000 | HTTP | Admin/debug interface |
dstack-guest-agent | 9205 | HTTP | Guest RPC service |
host-api | VSOCK 2:10000 | VSOCK | Host-to-guest API |
Sources: vmm/src/main.rs kms/src/main.rs gateway/src/main.rs guest-agent/src/main.rs
All internal RPC communication uses prpc (Protocol Buffers RPC):
.proto files in */rpc/proto/ directoriesprpc-build generates Rust code at compile timeprpc::server::RpcServiceExample RPC services:
| Crate | Proto File | Generated Trait |
|---|---|---|
dstack-vmm-rpc | vmm/rpc/proto/vmm.proto | VmmRpc |
dstack-kms-rpc | kms/rpc/proto/kms.proto | KmsRpc |
dstack-gateway-rpc | gateway/rpc/proto/gateway.proto | GatewayRpc |
dstack-guest-agent-rpc | guest-agent/rpc/proto/dstack_guest.proto | DstackGuestRpc |
Sources: Cargo.toml215-216 vmm/rpc/build.rs kms/rpc/build.rs
The dstack codebase is organized as a Cargo workspace with 42 member crates:
Sources: Cargo.toml16-56
The workspace dependencies are organized in Cargo.toml59-248:
| Category | Key Dependencies | Purpose |
|---|---|---|
| Internal | ra-rpc, ra-tls, dstack-attest, tdx-attest | Core functionality |
| Networking | tokio, hyper, reqwest, bollard | Async I/O and HTTP |
| Cryptography | p256, k256, ed25519-dalek, rustls, ring | Key operations and TLS |
| Serialization | serde, prost, bincode, toml | Data encoding |
| RPC | prpc, prpc-build | Protocol Buffers RPC |
Sources: Cargo.toml59-248
Applications inside CVMs interact with the guest agent via language-specific SDKs:
Available SDKs:
| Language | Package | Location |
|---|---|---|
| JavaScript/TypeScript | @phala/dstack-sdk | sdk/js/ |
| Python | dstack-sdk | sdk/python/ |
| Rust | dstack-sdk | sdk/rust/ |
| Go | github.com/Dstack-TEE/dstack/sdk/go | sdk/go/ |
For SDK documentation, see SDK and Client Libraries
Sources: sdk/README.md guest-agent/rpc/proto/dstack_guest.proto high-level diagram 6
dstack supports two deployment modes with different security guarantees:
Characteristics:
Use case: Local development and testing only
Configuration: docs/deployment.md27-93
Characteristics:
auth-api webhook (blockchain or config-based)Architecture:
Use case: Production deployments with verifiable security
Configuration: docs/deployment.md95-486
For complete deployment instructions, see Getting Started and Deployment and Operations
Sources: docs/deployment.md1-564 high-level diagram 5
dstack supports multiple authorization backends for boot approval:
When a CVM requests boot, the following sequence occurs:
RequestBootAuthorization with AppBootInfoauth-api webhook (e.g., POST /bootAuth/app)| Backend | Description | Configuration |
|---|---|---|
| auth-simple | Config file-based whitelisting | JSON file with MRs, devices, compose hashes |
| auth-eth | Ethereum smart contract governance | DstackKms and DstackApp contracts |
| Custom | Implement webhook interface | POST /bootAuth/app and POST /bootAuth/kms |
Smart contracts:
For on-chain governance setup, see On-Chain Governance and docs/onchain-governance.md
Sources: docs/deployment.md178-264 docs/onchain-governance.md1-190 kms/auth-eth/
dstack implements a defense-in-depth security model with multiple verification layers:
Key security properties:
For detailed security analysis, see Security Model and Trust Boundaries and docs/security/security-model.md
Sources: README.md78-80 docs/security/security-model.md high-level diagram 2
To continue learning about dstack:
For developers:
For operators:
For contributors:
Refresh this wiki