Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.teesql.com/llms.txt

Use this file to discover all available pages before exploring further.

TeeSQL is managed PostgreSQL 17 running inside Intel Trust Domain Extensions (TDX) Confidential Virtual Machines (CVMs), orchestrated by dstack. Every connection is a mutual Remote Attestation TLS (RA-TLS) handshake, so the database proves its identity to your application before any SQL flows.

The problem

Every managed database asks you to trust the operator. Cloud providers, DBAs, and anyone with access to the host can read your tables in the clear, because rows live decrypted in memory while queries run. “Encryption at rest” stops cold-disk theft; it does not stop the operator.

TeeSQL’s answer

TeeSQL closes that gap with hardware. Postgres runs inside an Intel TDX CVM, so memory is encrypted by the CPU and unreadable from the hypervisor, host OS, or cloud provider. The data disk is sealed with LUKS2 using a key derived inside a separate Key Management Service (KMS) TEE and bound to the CVM’s attested identity; backups are AES-256-GCM encrypted inside the TEE before export. The CVM has no shell, no root, no SSH — a sidecar terminates RA-TLS and is the only path into Postgres.

Who it’s for

  • TEE application developers shipping confidential apps on dstack, Phala Cloud, iExec, or Secret Network who need a real database for the secrets their users hand them
  • Teams building on Solidity, Rust, or TypeScript inside CVMs who already attest their compute and want to extend that trust boundary to storage
  • Anyone migrating from a managed Postgres who wants the same wire protocol, drivers, and extensions without granting the operator plaintext access

How it’s different

Traditional Managed DBTeeSQL
Encrypted in transit
Encrypted at rest
Encrypted in use (memory)
Operator can read your dataYesNo
Cryptographic proof of integrityNoYes
Client-verifiable trustNoYes
Memory encryption is enforced by Intel TDX. Integrity and client verification come from the TDX attestation quote and the RTMR1/RTMR2/RTMR3 measurements checked during the RA-TLS handshake.

Current status

TeeSQL is in early access. Sign up on the waitlist for the trial at launch.

Next steps

Quickstart

Create a database and run your first attested query.

Security & Trust

How TDX, RA-TLS, and the KMS keep the operator out.
Last modified on May 1, 2026