Command: phala deploy
Syntax
Description
Deploy new CVM or update existing oneOptions
| Option | Description |
|---|---|
--cvm-id <value> | CVM identifier (UUID, app_id, instance_id, or name) |
-i, --interactive | Enable interactive mode |
-n, --name <value> | CVM name (defaults to directory name) |
-c, --compose <value> | Path to Docker Compose file (default: docker-compose.yml) |
-t, --instance-type <value> | Instance type (e.g., tdx.small, auto-selected if omitted) |
-r, --region <value> | Preferred region (e.g., us-west, auto-selected if omitted) |
-e, --env <value> | Environment variable (KEY=VALUE) or env file path (repeatable) |
--kms <value> | KMS type: phala (default), ethereum/eth, or base |
--wait | Wait for deployment/update completion |
--ssh-pubkey <value> | SSH public key path (default: ~/.ssh/id_rsa.pub) |
--dev-os, --no-dev-os | Use dev OS image (requires SSH key) |
--public-logs, --no-public-logs | Make CVM logs publicly accessible (default: true) |
--public-sysinfo, --no-public-sysinfo | Make CVM system info publicly accessible (default: true) |
--listed, --no-listed | List CVM on the public Trust Center (default: false) |
Multisig / Two-Phase Options
For on-chain KMS (Ethereum/Base) with multisig contract owners. See Multisig Update Flow.| Option | Description |
|---|---|
--prepare-only | Prepare update without on-chain operations. Outputs compose hash and commit token for multisig approval. |
--commit | Commit a previously prepared update using a commit token. |
--token <value> | Commit token from --prepare-only output |
--compose-hash <value> | Compose hash (optional, auto-read from token) |
--transaction-hash <value> | Transaction hash proving on-chain registration (optional, defaults to state-only check) |
Advanced Options
| Option | Description |
|---|---|
--debug | Enable debug logging |
--disk-size <value> | Disk size with unit (e.g., 50G, default: 40GB) |
--fs <value> | Filesystem type (ext4 or zfs, default: zfs) |
--image <value> | OS image version (auto-selected if omitted) |
--node-id <value> | Node ID (auto-selected if omitted) |
--custom-app-id <value> | Custom App ID (requires —nonce for PHALA KMS) |
--nonce <value> | Nonce for deterministic app_id (requires —custom-app-id, PHALA KMS only) |
--pre-launch-script <value> | Path to pre-launch script |
--private-key <value> | Private key for signing transactions. |
--rpc-url <value> | RPC URL for the blockchain. |
Deprecated Options
| Option | Description |
|---|---|
--uuid <value> | [DEPRECATED] Use —cvm-id instead. CVM UUID. |
--vcpu <value> | Use —instance-type instead |
--memory <value> | Use —instance-type instead |
--env-file <value> | Use -e instead |
--kms-id <value> | Use —kms instead |
Global Options
| Option | Description |
|---|---|
-h, --help | Show help information for the current command |
-v, --version | Show CLI version |
--api-token TOKEN, --api-key TOKEN | API token used for authentication |
-j, --json, --no-json | Output in JSON format |
--api-version <value> | API version to use (e.g. 2025-10-28, 2026-01-21) |
Examples
- Deploy new CVM
- Deploy with environment variables
- Deploy with env file
- Deploy with specific instance type
- Deploy to specific region
- Deploy with Ethereum KMS
- Update existing CVM by ID
- Update CVM with new compose file and env
- Update CVM and wait for completion
- Update CVM from phala.toml
- Deploy with logs and sysinfo disabled
- Deploy and list on Trust Center
- Update existing CVM to disable logs
Multisig Update Flow
When the on-chain KMS contract owner is a multisig wallet, the CLI cannot complete the on-chain transaction in a single operation. Use the two-phase flow:- Phase 1: Prepare the update (generate commit token)
- Phase 2: After multisig approval and on-chain registration, commit the update
--transaction-hash can be omitted (defaults to state-only check).
- With explicit transaction hash
- You can also commit via the API directly
--prepare-only output).