Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.phala.com/llms.txt

Use this file to discover all available pages before exploring further.

Generate deterministic 256-bit keys from your application’s root key in the TEE. Keys are unique to your application ID, and the same input parameters always produce the same key.

Prerequisites

Your application must be running in the Phala Cloud TEE environment with access to the dstack socket. In your docker-compose.yml: 
services:
  app:
    # your app configuration
    volumes:
      - /var/run/dstack.sock:/var/run/dstack.sock

Quick Start

index.js
import { DstackClient } from '@phala/dstack-sdk';

const client = new DstackClient();
const result = await client.getKey('my-app/encryption/v1');
const keyBytes = result.key; // Uint8Array(32)

Parameters

  • path (required): Unique identifier for the key. Use forward slashes to organize: app-name/feature/version
The same path always generates the same key. Different paths generate different keys.
Advanced: Purpose ParameterThe getKey() method accepts an optional second parameter called purpose:
const result = await client.getKey('wallet/ethereum', 'mainnet');
The purpose parameter is purely for organization and signature chain management. It doesn’t affect the returned key material (only path participates in key derivation). getKey() returns an ECDSA-based signature chain where purpose is hased into the signed message to isolate the namespace. Please leave it empty it if you are not sure what it does.

Key Properties

  • Application-specific: Keys are derived from your app’s unique master key (tied to app ID)
  • Deterministic: Same path always generates the same key
  • Isolated: Different applications cannot derive each other’s keys
  • 32 bytes: Raw key material suitable for various cryptographic operations

Common Use Cases

The 32-byte key can be used as:
  • AES-256 encryption key
  • HMAC secret
  • Random number generator seed
  • Input for key derivation functions (KDF)
  • Signing key for custom protocols

Best Practices

  • Use descriptive paths: app-name/feature/version
  • Never log or expose keys outside TEE
  • Use different paths for different purposes
  • Version your keys in the path (e.g., /v1, /v2)

Migration from v0.3.x

If you’re upgrading from dstack v0.3.x, see the Migration from dstack v0.3 guide for breaking changes and upgrade instructions.