Beta Feature — Tinfoil Containers is currently in beta. Contact us to get access.
Run anything, privately
At Tinfoil, we’ve been running all our AI models inside secure enclaves. Tinfoil Containers make the same infrastructure and security guarantees available for running your own workloads. With Tinfoil Containers, all you have to do is give us a Docker container and we run it in an AMD SEV or Intel TDX enclave. The runtime memory is encrypted in hardware, isolated from the host, and invisible to Tinfoil. You and all clients connecting to your container can verify all of this themselves through remote attestation via our SDKs.
Access to GPUs
GPUs are also available for your workloads if needed. They run inside the enclave using NVIDIA confidential computing, so the GPU is attested just like the rest of the workload. Contact us to enable GPU access for your org.
Tinfoil Containers in a nutshell
- Run any container in an enclave. If it runs as a Docker container, it will run in the enclave.
- Attestation. Every container is attested and verifiable: pinned image digests, signed configs, transparency logs.
- Automatic verification. Using any Tinfoil SDK, you can make requests to your container with all attestation and verification performed automatically.
Debug mode
We provide the ability to spin up separate instances of Containers that have SSH access on their own domain, so you can troubleshoot without touching production instances. In debug mode, all attestation verification fails.
Things to know
Tinfoil Containers have some limitations that you need to work around when building applications on top of them:
- No persistent disk. The enclave filesystem is a ramdisk: you can write to it, but everything is lost when the container restarts or redeploys.
- No inbound private networking. Your container is reachable over the public internet. You’ll have to build in appropriate authentication yourself.
- Single instance. Each container runs as one instance. There’s no built-in horizontal scaling or load balancing across multiple copies. You’ll have to manage that yourself.
Getting started
Quickstart
Deploy your first container.
Example repo
A working example with a container, secrets, and routing.
Connecting to your container
Clients make attested requests using Tinfoil’s SecureClient. It verifies the enclave before sending any data, using the same attestation flow as Tinfoil’s inference API.
Documentation
Getting started
Configuration Reference
Full reference for tinfoil-config.yml — resources, containers, routing.
Managing your container
Secrets & Env Vars
Manage environment variables and encrypted secrets.
Deploying & Updating
Deployment lifecycle and blue-green updates.
Custom Domains
Use your own domain instead of the default .containers.tinfoil.sh URL.
Resource Limits & Quotas
CPU, memory, naming constraints, and org quotas.
Advanced
Debug Mode
SSH into a separate debug instance for troubleshooting.
Private Registry Auth
Pull images from private registries (ghcr, gcr, Docker Hub).

