Deploy confidential applications in minutes.

The Privasys Developer Platform gives you everything you need to build, deploy, and manage applications running inside hardware-protected enclaves and confidential VMs. Focus on your code. We handle attestation, encryption, and verification.

The whole platform, from your terminal.

The privasys CLI drives everything you can do in the dashboard: sign in with your wallet, deploy WASM or container apps, manage keys in the vault, and verify hardware attestation. Attestation runs client-side: the CLI challenges the enclave directly over RA-TLS and checks the quote itself, so you never have to trust an intermediary.

Install

curl -fsSL https://raw.githubusercontent.com/Privasys/cli/main/install.sh | sh

Also available via Homebrew, Scoop, and .deb/.rpm packages, with a built-in privasys update. See the installation guide.

Agent-first by design

The CLI is also a Model Context Protocol server. Run privasys agents init and your AI agent can onboard you, deploy confidential apps, and verify them as native tools. Every command speaks JSON and returns stable exit codes, so it scripts cleanly in CI too.

Verify, don't trust

privasys attest challenges the enclave with a fresh nonce and verifies the TEE quote and the per-workload code hash. The data plane is direct: privasys apps call streams straight to the enclave over RA-TLS, with the control plane never in the path.

Two deployment targets. One platform.

Whether you are building a lightweight cryptographic module or a full-stack application, the platform matches you to the right confidential runtime.

WASM modules

Deploy lightweight WebAssembly modules inside Enclave OS Mini. Upload a pre-compiled .cwasm file, or link a GitHub repository and let our pipeline compile it for you. The smallest trust boundary available: just your code and the minimal runtime.

Containers

Run your existing containers inside Enclave OS Virtual. Standard Linux, standard tooling, with hardware-encrypted memory and full attestation. No rewrite needed. Bring your own image and deploy it on confidential infrastructure.

Attestation built in

Every deployment is automatically attested. RA-TLS certificates carry proof of what hardware, firmware, and application code is running. Your users verify the service during a standard TLS handshake, with no custom protocol or SDK.

Secrets management

Enclave Vaults provides hardware-protected key storage and secrets management. Keys are split using Shamir secret sharing, sealed to the enclave measurements, and never exist in cleartext outside the trust boundary.

Private images

Protect your IP as well as your data. Build privately, push to your own registry, and hand the platform a pull credential that only the attested in-enclave runtime can read. Privasys never sees your source, your image, or your token.

Agent-first CLI

The privasys CLI drives everything here, and it is also an MCP server. Wire it into Claude Code, Cursor, VS Code, or Gemini with one command and let your AI agent deploy, attest, and operate confidential apps for you.

From code to attested deployment in four steps.

1

Sign in with your organisation

Authenticate with your identity provider via OIDC. No new credentials to manage.

2

Create an application

Choose your deployment target: WASM module for Enclave OS Mini, or container image for Enclave OS Virtual.

3

Upload or link your code

Upload a pre-compiled .cwasm file, push a container image, or link a GitHub repository for automated builds.

4

Deploy and attest

Your application runs inside a hardware-protected enclave. Clients verify it with a single RA-TLS connection.

Open source. Fully auditable.

Every component of the Privasys stack is published under the AGPL-3.0 licence. The code that runs inside the enclave, the attestation server, the RA-TLS libraries, and this platform itself are all available for audit. Transparency is not optional. It is the foundation of trust.