Integration Security Architecture

End-to-end security in confidential computing requires seamless integration between the VMM, key management, and network gateway components. dStack VMM is designed to work hand-in-hand with dstack-kms and dstack-gateway, ensuring that every connection, key, and certificate is rooted in hardware-backed trust and policy enforcement. This section details how these integrations work to provide a unified, secure platform for confidential workloads.

Why Integration Security Matters

No single component can provide complete security in isolation. By integrating KMS for key management, gateway for secure connectivity, and robust certificate management, dStack VMM creates a holistic security architecture that spans the entire workload lifecycle—from launch to decommission.

KMS Integration Security

The VMM integrates with KMS instances using RA-TLS connections, enabling mutual authentication using TDX quotes. Key derivation uses application-specific identifiers derived from TDX measurements, ensuring cryptographic isolation even for applications running on the same host. For a full explanation of the key derivation process and API usage, see the getAppKey documentation. The platform supports both ephemeral keys for stateless workloads and persistent keys for applications that require continuity.

Gateway Communication Security

All external communication is routed through the dstack-gateway component, which manages TLS termination and certificate validation. Gateway endpoints are selected dynamically based on the VM and host configuration, following the logic in app.rs#L467. The gateway verifies TDX quotes for all incoming connections and only forwards traffic to confidential VMs that have successfully attested. This provides strong network-level isolation while enabling external access to authorized workloads.

Certificate Management

TLS certificates are generated via KMS-signed certificate signing requests, creating a PKI hierarchy rooted in hardware-protected keys. The VMM validates certificate chains during connection setup to ensure that all endpoints are cryptographically authenticated. Certificate lifecycle management—including automatic renewal and revocation—is managed through the KMS RPC interface (see the rpc interface documentation).

Supporting Documentation

Next Component: Explore how the VMM integrates with KMS for secure key management and attestation verification.