Deploy Your First CVM

Deploy a Jupyter notebook to Phala Cloud and run code inside a TEE in under 10 minutes. You’ll use the CLI to deploy, then test key derivation and remote attestation from inside the secure environment.

Prerequisites

Node.js 18+ or Bun installed
A Phala Cloud account

Install the CLI

Install the Phala Cloud CLI globally:

npm install -g phala

Or use npx phala / bunx phala to run commands without installing.

Authenticate

The CLI supports device flow authentication—run the login command and follow the browser prompt:

phala login

⟳ Starting device flow authentication... ✓
ℹ Opening browser to complete authentication...
✓ Authentication successful!
  Logged in as: yourname
  Workspace: yourname's projects

Alternatively, generate an API key manually from the dashboard by clicking your username → API Tokens → Create Token, then authenticate with:

phala login --manual

Verify your authentication:

phala status

Deploy a Jupyter Notebook

Create a docker-compose.yml file:

services:
  jupyter:
    image: quay.io/jupyter/base-notebook
    ports:
      - 8080:8888
    volumes:
      - /var/run/dstack.sock:/var/run/dstack.sock
    environment:
      - GRANT_SUDO=yes
    user: root
    command: "start-notebook.sh --NotebookApp.token=${TOKEN}"

The dstack.sock volume mount enables your code to communicate with the TEE environment. Deploy with a name and access token:

phala deploy -c docker-compose.yml -n jupyter-notebook -e TOKEN=my-secret-token

{
  "success": true,
  "vm_uuid": "425f4f38-5c48-40c3-8a9c-1be22caba517",
  "name": "jupyter-notebook",
  "app_id": "d8d6db935df75104a825fb96b6bbbcfc8d1753ca",
  "dashboard_url": "https://cloud.phala.network/dashboard/cvms/..."
}

Access Your Notebook

Check deployment status:

phala cvms get jupyter-notebook

Once the status shows running, get the public URL:

phala cvms get jupyter-notebook --json | jq -r '.public_urls[0].app'

https://d8d6db935df75104a825fb96b6bbbcfc8d1753ca-8080.dstack-pha-prod3.phala.network

Open this URL in your browser. You’ll see a login page with a “Password or token” field—enter the token you set during deployment (my-secret-token in this example) and click Log in. View container logs if needed:

phala logs --cvm-id jupyter-notebook

Test TEE Functions

Once logged in, click Python 3 (ipykernel) under “Notebook” to create a new notebook. In the first cell, install the dstack SDK:

!pip install dstack-sdk

Run the cell with Shift+Enter. In a new cell, test TEE-native capabilities:

from dstack_sdk import DstackClient
import hashlib

client = DstackClient()

# Get TEE environment info
info = client.info()
print(f"App ID: {info.app_id}")
print(f"MRTD: {info.tcb_info.mrtd}")

# Derive a deterministic key
key_result = client.get_key("my-app/encryption/v1")
key_bytes = key_result.decode_key()  # 32 bytes
print(f"Derived key (hex): {key_result.key[:32]}...")

# Generate a TDX attestation quote
data = b"data-to-attest"
hash_value = hashlib.sha256(data).digest()
quote_result = client.get_quote(hash_value[:32])
print(f"Quote: {quote_result.quote[:64]}...")

Generate blockchain wallet addresses using TEE-derived keys. In a new cell, install the additional dependencies:

!pip install "dstack-sdk[all]"

Then in another cell:

from dstack_sdk import DstackClient, ethereum, solana

client = DstackClient()

# Derive Ethereum account
eth_key = client.get_key("ethereum/main")
eth_account = ethereum.to_account(eth_key)
print(f"ETH Address: {eth_account.address}")

# Derive Solana keypair
sol_key = client.get_key("solana/main")
sol_keypair = solana.to_keypair(sol_key)
print(f"SOL Address: {sol_keypair.pubkey()}")

Clean Up

When you’re done experimenting, delete the CVM to stop billing:

phala cvms delete jupyter-notebook

Other useful commands: phala cvms stop to pause without deleting, phala cvms start to resume, and phala cvms attestation to view the TEE attestation report.

Link Your Project for Faster Deploys

After deploying, link your local directory to the CVM so subsequent commands don’t need the CVM name:

phala link jupyter-notebook

This creates a phala.toml file in your project directory:

cvm_id = "d8d6db935df75104a825fb96b6bbbcfc8d1753ca"

Commit phala.toml to version control. Once linked, commands use the CVM from phala.toml automatically:

# These now target the linked CVM without specifying a name
phala deploy              # update the CVM
phala logs                # view logs
phala ssh                 # SSH into the CVM
phala cvms get            # check status

The recommended workflow:

First deploy: phala deploy -n my-app -c docker-compose.yml
Link: phala link my-app
Commit phala.toml to your repo
Subsequent deploys: just phala deploy

Next Steps

Deploy a custom application with your own Docker Compose file
Set up CI/CD for automated deployments
Learn about TEE attestation and verification

Phala Cloud

​Prerequisites

​Install the CLI

​Authenticate

​Deploy a Jupyter Notebook

​Access Your Notebook

​Test TEE Functions

​Clean Up

​Link Your Project for Faster Deploys

​Next Steps