As privacy and security become central to modern application design, Trusted Execution Environments (TEEs) have emerged as a critical solution for secure computation. In this blog, we walk through how to build and deploy a TEE-enabled application using the Alith framework and Phala Network, leveraging Phala Cloud for production-grade deployment.
This guide is based on our recent workshop, where we demonstrated the step-by-step deployment of a secure, FastAPI-based TEE service.
A TEE is a secure area of a CPU that guarantees the confidentiality and integrity of the code and data loaded inside it. Even privileged software such as the operating system or hypervisor cannot tamper with the code or data inside the TEE.
Use cases include:
Alith natively supports TEE operations including:
For quick iteration, developers can start with the Marlin simulator locally. But for real-world, cloud-based, confidential compute needs, Phala Network is the recommended provider.
In our workshop, we chose Phala Network as the default TEE provider. Phala is a Web3-native project that supports trusted hardware, makes deployment straightforward via Phala Cloud, and even offers $400 in free credits upon adding a payment method (which covers most basic usage — with ~$30/month beyond that).
However, Phala is not mandatory. You’re free to choose alternative TEE backends, such as GCP or your own infrastructure, as long as they support the required TEE features and remote attestation.
In fact, we encourage teams to consider:
💡 Important: If your usage exceeds the Phala free tier, you’ll need to cover the extra cost. Be sure to monitor this and evaluate whether your current architecture might be over-engineered for early testing.
That said, it’s important to remember: LazAI is still in the testnet phase, and the current Phala free tier is generally sufficient for most basic usage scenarios. If you’re hitting usage limits early, it’s worth reviewing whether your current architecture is over-engineered for this stage.
The TEE layer is critical to the LazAI network as it ensures data trust and verifiability. Clear communication of cost and flexibility is essential for builders working with this setup.
git clone https://github.com/your-org/tee-workshop-demo.git
cd tee-workshop-demo
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
Download and unzip the simulator:
wget https://github.com/Leechael/tappd-simulator/releases/download/latest/tappd_simulator.zip
unzip tappd_simulator.zip
./tappd_simulator
Set the environment variable:
export DSTACK_SIMULATOR_ENDPOINT=/tmp/tappd.sock
Run the FastAPI server:
python main.py
Test endpoints locally:
curl http://localhost:8000/health
curl -X POST http://localhost:8000/te_operations
Build and tag the Docker image:
docker build -t your-docker-id/allet-te-demo:1.0.0 .
docker push your-docker-id/allet-te-demo:1.0.0
Create a docker-compose.yml like the one below:
services:
  app:
    image: your-docker-id/allet-te-demo:1.0.0
    container_name: allet-te-demo
    ports:
      - "8000:8000"
    volumes:
      - /var/run/tappd.sock:/var/run/tappd.sock
Then go to Phala Cloud Console, paste your Docker Compose config, and click Deploy.
Once deployed, test the live endpoint:
curl https://your-phala-instance.phala.network:8000/health
curl -X POST https://your-phala-instance.phala.network:8000/te_operations
Here’s how the key functions work with Alith and Phala:
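from alith.tee.phala import TappdClient

client = TappdClient()

# Key derivation: returns a private key and its certificate chain for the given ID
key_result = client.derive_key("unique-id")
# Printed here for demonstration only; a deployed service should not write the private key to stdout or logs
print(key_result.key)  # Private key (PEM format)
print(key_result.certificate_chain)  # Certificate

# Generate TDX quote: report_data is the caller-supplied value embedded in the quote
quote_result = client.tdx_quote(report_data="some-data")
print(quote_result.quote)
print(quote_result.event_log)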
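The `report_data="some-data"` call above uses a fixed string, which gives a verifier no way to tell a fresh quote from an old one. The following is an added example, not code from Alith or Phala: it derives a 64-byte report_data value from a verifier nonce and the enclave's public key, then checks that value inside a raw TDX quote. The function names, the SHA-512 framing, the version 4 quote layout, and the constructed sample quote are assumptions; if the client hashes or prefixes its input before it reaches the quote, apply the same transformation on the verifier side.

```python
import hashlib
import hmac
import os
import struct

# TDX quote v4 layout (assumed): 48-byte header, then a 584-byte TD report
# body whose last 64 bytes are REPORTDATA.
HEADER_LEN, BODY_LEN, REPORT_DATA_LEN = 48, 584, 64
REPORT_DATA_OFFSET = HEADER_LEN + BODY_LEN - REPORT_DATA_LEN  # 568
TEE_TYPE_TDX = 0x81


def make_report_data(nonce: bytes, public_key_pem: bytes) -> bytes:
    """Bind a verifier nonce and the enclave's public key into 64 bytes."""
    if len(nonce) < 16:
        raise ValueError("nonce too short to guarantee freshness")
    # Length-prefix the nonce so different (nonce, key) splits cannot collide.
    framed = struct.pack(">I", len(nonce)) + nonce + public_key_pem
    return hashlib.sha512(framed).digest()


def extract_report_data(quote: bytes) -> bytes:
    """Return REPORTDATA from a raw TDX v4 quote, rejecting malformed input."""
    if len(quote) < HEADER_LEN + BODY_LEN:
        raise ValueError("quote truncated")
    version, _att_key_type, tee_type = struct.unpack_from("<HHI", quote, 0)
    if version != 4 or tee_type != TEE_TYPE_TDX:
        raise ValueError("not a TDX v4 quote")
    return quote[REPORT_DATA_OFFSET:REPORT_DATA_OFFSET + REPORT_DATA_LEN]


def quote_is_bound(quote: bytes, nonce: bytes, public_key_pem: bytes) -> bool:
    """True only if the quote carries the value expected for this challenge."""
    expected = make_report_data(nonce, public_key_pem)
    return hmac.compare_digest(extract_report_data(quote), expected)


def build_sample_quote(report_data: bytes) -> bytes:
    """Constructed test input: valid header, zeroed measurements, no real signature."""
    header = struct.pack("<HHI", 4, 2, TEE_TYPE_TDX).ljust(HEADER_LEN, b"\x00")
    body = bytes(BODY_LEN - REPORT_DATA_LEN) + report_data
    return header + body + bytes(64)  # zero bytes stand in for the signature data


if __name__ == "__main__":
    nonce, pem = os.urandom(32), b"constructed-public-key-pem"
    quote = build_sample_quote(make_report_data(nonce, pem))
    print("fresh challenge:", quote_is_bound(quote, nonce, pem))
    print("other nonce:    ", quote_is_bound(quote, os.urandom(32), pem))
```

This check only shows that the quote answers your challenge; the quote's signature, certificate chain, and measurements still have to be verified separately.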
By using Alith with Phala Cloud, developers can easily:
This workshop showcased how fast it is to build, dockerize, and deploy TEEs using familiar Python tools and modern confidential compute backends.
For more workshops and agent-building tutorials, check out our YouTube channel and stay tuned every Thursday.