Skip to main content
SSH access is only available with dev OS images. Select “dstack-dev” when creating your CVM. Production images have SSH disabled for security.
The easiest way to SSH into your CVM is with the Phala CLI. One command connects you through the secure gateway tunnel.

Prerequisites

  • Phala CLI (latest version)
  • CVM deployed with Development OS

Step 1: Configure SSH Keys

Start by adding your SSH keys in Account Settings > SSH Keys on the Phala Cloud dashboard. You can add keys manually or sync them from GitHub. All saved keys are automatically added to every new CVM you deploy. When creating a CVM, the SSH Authorization section lets you add an additional root password or public key specific to that instance. These are added alongside your account keys.
SSH keys are injected only at CVM creation time. Updating your account keys won’t affect already-deployed CVMs. To modify credentials on existing CVMs, use Code Update to set the DSTACK_ROOT_PASSWORD or DSTACK_ROOT_PUBLIC_KEY environment variables.

Step 2: Connect

# Connect using phala.toml configuration
phala ssh

# Or specify the CVM name directly
phala ssh my-cvm
That’s it. The CLI handles the gateway tunnel and SSH configuration automatically.

Useful Options

The phala ssh command supports several options: 
# Preview the SSH command without connecting
phala ssh my-cvm --dry-run

# Enable verbose output for debugging
phala ssh my-cvm -v

# Forward a local port to the CVM
phala ssh my-cvm -- -L 8080:localhost:80
See the CLI reference for all options.
If you prefer manual configuration or need to customize your setup, use phala ssh --dry-run to generate the SSH config:
phala ssh my-cvm --dry-run
This outputs a working SSH command you can adapt. The underlying mechanism uses OpenSSL to tunnel SSH through TLS:
Host my-cvm
    HostName <app-id>-22.<cluster>.phala.network
    User root
    Port 443
    ProxyCommand openssl s_client -quiet -connect %h:%p
Replace <app-id> with your application ID and <cluster> with your cluster (e.g., dstack-pha-prod7).macOS users: If you encounter connection timeouts, you may have LibreSSL instead of OpenSSL. Install OpenSSL via Homebrew and use the full path: /opt/homebrew/bin/openssl.Windows users: Install OpenSSL via Chocolatey (choco install openssl) and use the full path in ProxyCommand. Alternatively, use WSL where the Linux instructions work directly.

What You Can Do

Once connected, you have full access to debug and manage your CVM: 
# Check containers
docker ps -a
docker logs <container-name>

# Monitor resources
htop
docker stats

# Debug networking
curl http://localhost:8080
netstat -tulpn
Remember to switch to a Production OS image when you’re done debugging.

Troubleshooting

IssueSolution
Permission deniedCheck Account Settings for saved keys. For existing CVMs, use Code Update to set credentials.
Connection refusedConfirm you deployed with Development OS, not Production
Connection timeoutRun phala ssh -v to see detailed connection info
For more detailed troubleshooting, see Networking Troubleshooting.