At Tinfoil, we run everything that touches plaintext client data inside secure enclaves, from our AI models to the rest of our critical path. Tinfoil Containers makes the same infrastructure and security guarantees available for running your own applications. Tinfoil Containers run any Docker image inside an AMD SEV or Intel TDX secure enclave. The container’s memory is encrypted in hardware, isolated from the host, and invisible to Tinfoil. You and any client connecting to it can verify that fact themselves via remote attestation.
GPU workloads run inside NVIDIA confidential-computing enclaves with the same attestation. Contact us to enable GPU access for your org.

What’s public, what’s private

A Tinfoil Container deployment splits into two artifacts with different visibility rules:
  • The configuration (tinfoil-config.yml) must live in a public repo. Tinfoil reads it at deploy time to compute the enclave measurement, and your users’ SDKs read it (via the Sigstore transparency log) at request time to verify the running enclave matches what you published.
  • Your source code and Docker image can stay private. The config pins the image by SHA256 digest, and the attestation commits to that exact digest — Tinfoil doesn’t need to read your code to verify it. See Private images for registry credentials.
Anything that is part of the measurement must be publicly readable; anything the config only pins by digest, such as your image, does not have to be.
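A pre-deploy check for the digest pinning described above, as an added example (not Tinfoil's code): it flags image references that use a mutable tag or a malformed digest, since only a full SHA256 digest commits to one exact image. The `image:` key and the sample config are constructed assumptions; the real schema is in the configuration reference.

```python
import re

# A digest-pinned reference looks like "<name>@sha256:<64 lowercase hex chars>".
DIGEST_REF = re.compile(r"^(?P<name>[^@\s]+)@sha256:(?P<hex>[0-9a-f]{64})$")

# Assumption: image references appear as the value of a key named "image".
IMAGE_LINE = re.compile(r"""^\s*(?:-\s*)?image\s*:\s*["']?([^"'\s#]+)""")


def check_image_pins(config_text):
    """Return (line_no, reference, problem) for each image not pinned by digest."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = IMAGE_LINE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if DIGEST_REF.match(ref):
            continue  # pinned to exact content, nothing to report
        if "@" not in ref:
            problem = "tag or bare name: mutable, not committed to by a digest"
        else:
            problem = "malformed digest: expected sha256 and 64 lowercase hex chars"
        findings.append((line_no, ref, problem))
    return findings


# Constructed sample config (hypothetical layout, placeholder registry names).
SAMPLE = """\
containers:
  - name: api
    image: "ghcr.io/example/api@sha256:{d}"
  - name: worker
    image: ghcr.io/example/worker:latest
  - name: cache
    image: ghcr.io/example/cache@sha256:abc123
""".format(d="0123456789abcdef" * 4)

if __name__ == "__main__":
    for line_no, ref, problem in check_image_pins(SAMPLE):
        print(f"line {line_no}: {ref}: {problem}")
```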

Limitations

Tinfoil Containers have some limitations to work around when building on top of them:
  • No persistent disk. The enclave filesystem is a ramdisk. You can write to it, but everything is lost when the container restarts or redeploys.
  • No inbound private networking. Your container is reachable over the public internet. You’ll have to build in appropriate authentication yourself.
  • Single instance. Each container runs as one instance. There’s no built-in horizontal scaling or load balancing across multiple copies. You’ll have to manage that yourself.
  • No SSH access by default. Since your container runs in a secure enclave, you can’t shell into it by default. To troubleshoot, enable debug mode, which deploys a separate instance of your container with SSH access.
Debug containers do not pass attestation. Tinfoil’s SecureClient will refuse to connect to a debug instance because debug enclaves are not confidential. Never use debug mode for production traffic or sensitive data.

Getting started

Quickstart

Deploy your first container.

Example repo

A ready-to-deploy template that ships a working hello-world container with an env var and a secret.

Connecting to your container

SDK and CLI examples for making attested requests.

Configuration

Configuration reference

The full tinfoil-config.yml schema for runtime, resources, and routing.

Private images

Configure registry credentials so Tinfoil can pull private images.

Secrets & variables

Manage environment variables and encrypted secrets.

Custom domains

Use your own domain instead of the default .containers.tinfoil.dev URL.

Model weights

Prepare Hugging Face weights for GPU inference containers.

Operations

Deploying

The initial deployment lifecycle and how to delete a container.

Updating & lifecycle

Blue-green updates, rollback, cancel, and recovery.

Debug mode

SSH into a separate debug instance for troubleshooting.

Staging mode

Stage updates and promote them manually after testing.

CLI

Manage the full container lifecycle from the terminal.

Reference

Resource limits

CPU, memory, naming constraints, and org quotas.

Production checklist

Security, reliability, and deployment best practices.

Troubleshooting

Common issues and how to fix them.