> Deploy confidential applications with dstack — a TEE-based infrastructure platform.

# Overview

> [Phala Cloud](/) is the managed version of dstack deployment. It lets developers deploy programs to a CVM (Confidential VM) and follow security best practices by default.

The dstack SDK simplifies deploying programs to CVMs (Confidential VMs) with security best practices built in. Explore [dstack's blockchain-verified computing](https://phala.com/dstack) capabilities and architecture. The main features include:

* Deploy any Docker container as a CVM on supported TEEs
* Generate remote attestation reports and visualize the chain of trust via Web UI
* Wrap HTTP services with automatic RA-HTTPS and content-addressed domains (`0xABCD.dstack.host`)
* Keep applications portable across hardware via decentralized Root-of-Trust key management

The following example shows how dstack works with a typical multi-container application configured with Docker Compose.

<Frame>
  <img src="https://mintcdn.com/phalanetwork-1606097b/57prl00-u-jQKn3n/images/dstack-cvm%20(1).png?fit=max&auto=format&n=57prl00-u-jQKn3n&q=85&s=83135271ccb857f0fe97dc3b11789f94" alt="" width="362" data-path="images/dstack-cvm (1).png" />
</Frame>

As the architecture diagram below shows, multiple Docker containers can run inside a single CVM. The underlying infrastructure we provide ensures that the application is secure and verifiable.

Your containers use the `dstack` component to communicate with the underlying `tappd`. `dstack` sets up the CVM environment, handles remote attestation, and manages the lifecycle of all Docker containers running inside the CVM.

`tappd` communicates with a decentralized Key Management Service (KMS) that derives deterministic encryption keys for the application. These keys encrypt application-specific storage and protect data integrity. Because the KMS operates independently from any specific TEE instance, your applications avoid vendor lock-in and can be securely migrated between different hardware environments without data loss.

<Frame>
  <img src="https://mintcdn.com/phalanetwork-1606097b/57prl00-u-jQKn3n/images/dstack-cvm-arch.png?fit=max&auto=format&n=57prl00-u-jQKn3n&q=85&s=8193a9bc12e6245b55facbfbe8aed007" alt="dstack CVM architecture diagram showing the relationship between docker containers, dstack, tappd, and decentralized KMS" width="1566" height="666" data-path="images/dstack-cvm-arch.png" />
</Frame>

## Verify If An Application is Running Inside a TEE

When the application launches, dstack exports a Remote Attestation (RA) Report that cryptographically binds the application's runtime information — Docker image hash, startup arguments, and environment variables. The TEE hardware signs this report, and the application's own derived key co-signs it. Anyone can verify the report using standard TEE RA verification tools. For applications deployed on Phala Intel TDX workers, RA reports are exported and verified by default — use the [TEE Attestation Explorer](https://proof.t16z.com/) to inspect them.
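A simplified model of that binding, as an added example that is not dstack's code or report format: runtime information is hash-extended into a 48-byte measurement register (the SHA-384 extend operation that TDX runtime measurement registers use), and a verifier replays the expected values to compare. The event names, the event encoding and the sample values are assumptions, and the report's signature is assumed to have been verified already.

```python
import hashlib
import hmac

REGISTER_SIZE = 48  # SHA-384 digest length, the size of a TDX runtime measurement register


def extend(register: bytes, event_name: str, payload: bytes) -> bytes:
    """Hash-extend: new = SHA384(old || SHA384(name ':' payload)). Encoding is hypothetical."""
    digest = hashlib.sha384(event_name.encode() + b":" + payload).digest()
    return hashlib.sha384(register + digest).digest()


def replay(events: list[tuple[str, bytes]]) -> bytes:
    """Recompute the final register value from an ordered event log."""
    register = bytes(REGISTER_SIZE)  # registers start as all zeros
    for name, payload in events:
        register = extend(register, name, payload)
    return register


def verify_runtime_binding(reported: bytes, expected_events: list[tuple[str, bytes]]) -> bool:
    """True only if the reported measurement matches the expected runtime info."""
    return hmac.compare_digest(reported, replay(expected_events))


# Constructed sample values (hypothetical event names and contents).
EXPECTED = [
    ("image-hash", hashlib.sha256(b"constructed image manifest").digest()),
    ("startup-args", b"--port 8080"),
    ("env", b"LOG_LEVEL=info"),
]
# Stand-in for the measurement read from a report whose signature was already verified.
REPORTED = replay(EXPECTED)

if __name__ == "__main__":
    tampered = [EXPECTED[0], ("startup-args", b"--port 8080 --debug"), EXPECTED[2]]
    print("expected config matches:", verify_runtime_binding(REPORTED, EXPECTED))
    print("changed args match:", verify_runtime_binding(REPORTED, tampered))
    print("reordered events match:", verify_runtime_binding(REPORTED, EXPECTED[::-1]))
```

Because each step hashes the previous register value, any change to a measured value or to the order of events yields a different final measurement, so a mismatch means the running configuration is not the one the verifier expected.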

## Conclusion

Ready to build? See [Getting Started](/phala-cloud/getting-started/overview) for deployment options.

For managed hosting without running dstack on your own hardware, use [Phala Cloud](/).
