Generate deterministic 256-bit keys from your application’s root key in the TEE. Keys are unique to your application ID, and the same input parameters always produce the same key.

Prerequisites

Your application must be running in the Phala Cloud TEE environment with access to the dstack socket. In your docker-compose.yml:
services:
  app:
    # your app configuration
    volumes:
      - /var/run/dstack.sock:/var/run/dstack.sock

Quick Start

index.js
import { DstackClient } from '@phala/dstack-sdk';

const client = new DstackClient();
const result = await client.getKey('my-app/encryption/v1');
const keyBytes = result.key; // Uint8Array(32)

Parameters

  • path (required): Unique identifier for the key. Use forward slashes to organize: app-name/feature/version
The same path always generates the same key. Different paths generate different keys.
Advanced: Purpose Parameter

The getKey() method accepts an optional second parameter called purpose:
const result = await client.getKey('wallet/ethereum', 'mainnet');
This is equivalent to using a longer path: getKey('wallet/ethereum/mainnet'). The purpose parameter is purely for organization - use whichever approach feels cleaner to you.

Key Properties

  • Application-specific: Keys are derived from your app’s unique master key (tied to app ID)
  • Deterministic: Same path + purpose always generates the same key
  • Isolated: Different applications cannot derive each other’s keys
  • 32 bytes: Raw key material suitable for various cryptographic operations

Common Use Cases

The 32-byte key can be used as:
  • AES-256 encryption key
  • HMAC secret
  • Random number generator seed
  • Input for key derivation functions (KDF)
  • Signing key for custom protocols

Best Practices

  • Use descriptive paths: app-name/feature/version
  • Never log or expose keys outside the TEE
  • Use different paths for different purposes
  • Version your keys in the path (e.g., /v1, /v2)
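The following is an added example (not part of the dstack SDK or this page) that shows how the 32 raw bytes returned by getKey() are typically put to work for the use cases listed above, and how versioned paths support key rotation as recommended in the best practices. It assumes only Node's built-in crypto module. Because DstackClient only works inside the TEE, the two root keys are constructed stand-ins for result.key from getKey('my-app/encryption/v1') and getKey('my-app/encryption/v2'); the raw key is stretched with HKDF into one sub-key per algorithm so the same dstack key is never fed to both AES and HMAC directly.

```javascript
import {
  createCipheriv, createDecipheriv, createHmac,
  hkdfSync, randomBytes, timingSafeEqual,
} from 'node:crypto';

// Constructed stand-ins for `result.key` from client.getKey('my-app/encryption/v1')
// and client.getKey('my-app/encryption/v2'). Inside the TEE the real values come
// from DstackClient; fixed patterns are used here only so the example runs offline.
const ROOT_KEY_V1 = Uint8Array.from({ length: 32 }, (_, i) => i);
const ROOT_KEY_V2 = Uint8Array.from({ length: 32 }, (_, i) => 255 - i);

// Derive a purpose-bound 32-byte sub-key with HKDF-SHA256. The label goes into
// the HKDF "info" field, so 'aes-256-gcm' and 'hmac-sha256' yield unrelated keys
// even though both come from the same getKey() output.
function subKey(rootKey, label) {
  if (!(rootKey instanceof Uint8Array) || rootKey.length !== 32) {
    throw new Error('expected the 32-byte Uint8Array returned by getKey()');
  }
  return Buffer.from(hkdfSync('sha256', rootKey, Buffer.alloc(0), label, 32));
}

// AES-256-GCM with a fresh 96-bit nonce per message. Returns hex fields so the
// envelope can be stored or transmitted as JSON; `aad` binds context (e.g. a
// record id) that must match on decryption.
function encrypt(rootKey, plaintext, aad = '') {
  const key = subKey(rootKey, 'aes-256-gcm');
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad, 'utf8'));
  const ciphertext = Buffer.concat([cipher.update(Buffer.from(plaintext, 'utf8')), cipher.final()]);
  return {
    iv: iv.toString('hex'),
    ciphertext: ciphertext.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
  };
}

// Returns the plaintext, or throws if the tag, key, or AAD does not verify.
function decrypt(rootKey, box, aad = '') {
  const key = subKey(rootKey, 'aes-256-gcm');
  const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(box.iv, 'hex'));
  decipher.setAAD(Buffer.from(aad, 'utf8'));
  decipher.setAuthTag(Buffer.from(box.tag, 'hex'));
  return Buffer.concat([
    decipher.update(Buffer.from(box.ciphertext, 'hex')),
    decipher.final(),
  ]).toString('utf8');
}

// HMAC-SHA256 under its own sub-key; verification uses a constant-time compare
// and guards the length check that timingSafeEqual would otherwise throw on.
function mac(rootKey, message) {
  return createHmac('sha256', subKey(rootKey, 'hmac-sha256')).update(message).digest('hex');
}

function verifyMac(rootKey, message, tagHex) {
  const expected = Buffer.from(mac(rootKey, message), 'hex');
  const given = Buffer.from(tagHex, 'hex');
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Key rotation via versioned paths: decrypt under the key for the old path
// ('.../v1') and re-encrypt under the key for the new one ('.../v2'). After
// rotation the v1 key no longer opens the envelope.
function rotate(oldRootKey, newRootKey, box, aad = '') {
  return encrypt(newRootKey, decrypt(oldRootKey, box, aad), aad);
}
```

Each stored envelope should record which path version produced it (for example alongside the AAD), so that after a rotation the application knows which getKey() path to request when decrypting.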

Migration from v0.3.x

If you’re upgrading from dstack v0.3.x, see the Migration from dstack v0.3 guide for breaking changes and upgrade instructions.