An open framework for deploying AI applications with cryptographic privacy guarantees using confidential VMs and GPUs.
dstack is an open framework for confidential AI that allows developers to deploy AI applications with cryptographic privacy guarantees. It runs containers inside confidential virtual machines (Intel TDX) with native support for NVIDIA Confidential Computing, ensuring data remains encrypted in memory and inaccessible to the host. Users can cryptographically verify exactly what code is running, providing a trustless alternative to traditional AI deployments.
dstack is aimed at AI developers, infrastructure engineers, and organizations that need to deploy sensitive AI workloads with verifiable privacy guarantees, such as those in healthcare, finance, or research.
Developers choose dstack because it offers a full-stack solution for confidential AI out of the box, including automatic attestation, per-app key derivation, and Docker-native workflows, without the manual complexity of cloud provider primitives. Its open-source nature and support for hardware-rooted security provide a verifiable and trustless alternative to proprietary AI hosting.
Open framework for confidential AI
Deploy existing Docker Compose configurations without modifications, as highlighted in the 'Zero friction onboarding' section, reducing integration effort.
Leverages Intel TDX and NVIDIA Confidential Computing to encrypt data in memory, ensuring isolation from the host and protecting sensitive AI workloads.
Provides workload identity attestation, allowing users to verify code integrity cryptographically, addressing trust issues in AI deployments.
Combines key management, attestation, and governance in a single framework, avoiding vendor lock-in and manual tooling, in line with the project's stated philosophy.
Native integration with NVIDIA H100 and Blackwell GPUs for confidential AI inference, protecting model weights and data in GPU memory.
Currently only supports Intel TDX and specific NVIDIA GPUs; AMD SEV-SNP is planned but not available, restricting deployment flexibility.
Requires understanding of TEE concepts, attestation, and complex deployment procedures for self-hosting, which can be daunting for teams new to confidential computing.
As a specialized framework, it has fewer community tools and integrations compared to mainstream container orchestrators like Kubernetes.
Managing reproducible OS images, on-chain governance, and bare-metal TDX hosts adds layers of complexity over standard Docker deployments.