Run anything, privately
At Tinfoil, we’ve been running all our AI models inside secure enclaves. Tinfoil Containers make the same infrastructure and security guarantees available for running your own workloads. With Tinfoil Containers, all you have to do is give us a Docker container and we run it in an AMD SEV or Intel TDX enclave. The runtime memory is encrypted in hardware, isolated from the host, invisible to Tinfoil. You and all clients connecting to your container can verify all of this themselves through remote attestation via our SDKs.Access to GPUs
GPUs are available too for your workloads if needed. They run inside the enclave using NVIDIA confidential computing, so GPU is attested just like the rest of the workload. Contact us to enable GPU access for your org.Tinfoil Containers in a nutshell
- Run any container in an enclave. If it runs as a Docker container, it will run in the enclave.
- Attestation and Pinning. Every container is attested and verifiable: pinned image digests, signed configs, transparency logs.
- Automatic verification. Using any Tinfoil SDK, you can make requests to your container with all attestation and verification performed automatically.
Debug mode
We provide the ability to spin up separate instances of Containers that have SSH access on their own domain, so you can troubleshoot without touching production instances. In debug mode, all attestation verification fails.Things to know
Tinfoil Containers have some limitations that you need to work around when building applications on top of them:- No persistent disk. The enclave filesystem is a ramdisk — you can write to it, but everything is lost when the container restarts or redeploys.
- No inbound private networking. Your container is reachable over the public internet. You’ll have to build in appropriate authentication yourself.
- Single instance. Each container runs as one instance. There’s no built-in horizontal scaling or load balancing across multiple copies. You’ll have to manage that yourself.
Getting started
Quickstart
Deploy your first container.
Example repo
A working example with a container, secrets, and routing.
Connecting to your container
Clients make attested requests using Tinfoil’sSecureClient. It verifies the enclave before sending any data — same attestation flow as Tinfoil’s inference API. See Connecting to Your Container for full SDK and CLI examples.
Documentation
Getting started
Quickstart
Deploy your first container.
Connecting to Your Container
SDK and CLI examples for making attested requests.
Configuration Reference
Full reference for tinfoil-config.yml — resources, containers, routing.
Managing your container
Secrets & Env Vars
Manage environment variables and encrypted secrets.
Deploying & Updating
Deployment lifecycle and blue-green updates.
Custom Domains
Use your own domain instead of the default .containers.tinfoil.dev URL.
Resource Limits & Quotas
CPU, memory, naming constraints, and org quotas.
Advanced
Debug Mode
SSH into a separate debug instance for troubleshooting.
Private Images
How attestation works with private code, and configuring private registries.
Operations
Production Checklist
Security, reliability, and deployment best practices.
Troubleshooting
Common issues and how to fix them.