v0.28.0 — API docs & provider guide

Secure cloud compute from peers — at a fraction of the cost.

Millions of machines sit idle while demand for compute skyrockets. Vaporkernel turns that spare capacity into real Linux VMs — powered by peer-reviewed algorithms and a formally verified security model. No new data centers needed. 70% cheaper than AWS.

Get early access How it works

125 tests passing

9 Rust crates

28/28 phases complete

root@vapor-mesh — v0.28.0

# Deploy a VM to the global mesh (TLS 1.3 control plane)

$ vapor deploy --os ubuntu:24.04 \

--cpu 4 --ram 8g --region eu-west \

--ssh-key ~/.ssh/id_ed25519.pub

Authenticating via API key...

Scheduling on provider (tier: gold, score: 94)...

Injecting SSH key, booting micro-VM...

Establishing WireGuard tunnel...

[OK] Instance vk-a7f3e801 booted in 142ms

[OK] SSH key injected. Endpoint ready.

$ ssh [email protected]

Build progress

Performance audit complete. 125 tests passing.

26 / 26 phases done

Micro-VM Networking Snapshots Replication Marketplace Open Beta Security Ops SSH HA TLS Prod Audit Perf

How it works

Cloud computing, unchained.

We orchestrate idle hardware worldwide into a unified compute mesh. Deploy like AWS at a fraction of the cost.

Hardware joins the mesh

Providers install the Vaporkernel daemon. It benchmarks the system, passes resource verification challenges, and connects to the orchestrator without affecting host performance.

Intelligent scheduling

The orchestrator tracks capacity across the mesh with reputation scoring and HA failover. Workloads are matched to optimal nodes by resources, geography, and provider reliability.

Instant deployment

Choose your specs, pick an image, provide your SSH key. A real Linux VM with root access boots in under 200ms. Standard or Replicated tier for your redundancy needs.

Security model

Built for hostile environments.

Defense-in-depth across every layer. Multiple encryption and isolation controls protect your data. Hardware-enforced isolation via TEE is on the roadmap.

Hardware isolation

Guest workloads run inside KVM (Linux) or Apple HVF (macOS) micro-VMs with CPU-level process isolation. vCPU paused during snapshots for consistency. Snapshots encrypted with HKDF-derived AES-256-GCM keys. Full memory isolation from providers requires hardware TEE support (AMD SEV-SNP / Intel TDX), which is planned.

Cryptographic identity

Providers authenticate via Ed25519 challenge-response. API access uses SHA-256 hashed bearer tokens with per-customer rate limiting. SSH keys injected via secrets page — invisible to the provider. Epoch-based fencing prevents split-brain conflicts.

Encrypted everywhere

Data plane: WireGuard point-to-point tunnels. Control plane: TLS 1.3 via rustls (pure Rust). STUN/ICE handles NAT traversal. All traffic is WireGuard-encrypted between nodes. Full content isolation requires TEE hardware support (roadmap).

For engineers

Deploy like it's AWS.
Pay like it isn't.

Full Linux instances with root SSH access. Familiar CLI and REST API. A fraction of the cost because you're running on real-world hardware, not corporate margins.

OS imagesUbuntu, Alpine, Debian
AccessSSH, CLI, REST API (23 routes)
RedundancyStandard or Replicated Tier
RecoverySnapshots + Hot Standby

<200ms

VM boot time

<10MB

Hypervisor overhead

125

Tests passing

Active-passive failover

Technical specifications

Built from scratch in Rust.

No wrappers. No shims. The entire stack — hypervisor to CLI — is custom Rust.

Hypervisor: Dual-backend micro-VM (KVM on Linux, HVF on macOS ARM64), virtio-net, vmnet.framework, serial console, VcpuControl lifecycle (pause/resume/shutdown), and secrets page for secure SSH key injection.
Language: 9 Rust crates. Zero unsafe in the data plane. Cross-compiles to x86_64-linux-gnu.
Orchestrator: SQLite persistence (WAL), write-through, HA standby failover with epoch-based split-brain fencing, Ed25519 auth, token-bucket rate limiting.
Networking: WireGuard tunnels with STUN/ICE NAT traversal. TLS 1.3 (rustls) for control plane encryption. Edge ingress with hot-add listeners and exponential backoff reconnection.
Resilience: HKDF-derived AES-256-GCM encrypted snapshots with vCPU-paused memory capture. Dual-mode replication: 1s heartbeats + 30s compressed full memory sync with SHA-256 checksums.

Pricing

Simple, transparent pricing.

60–70% below AWS, DigitalOcean, and Hetzner. Providers earn 80% of every dollar.

Nano

$3/mo

1 vCPU
1 GB RAM
20 GB storage
Standard tier

Micro

$8/mo

1 vCPU
4 GB RAM
40 GB storage
Standard tier

Small

$18/mo

2 vCPU
8 GB RAM
80 GB storage
Standard tier

Medium

$40/mo

4 vCPU
16 GB RAM
160 GB storage
Standard tier

Replicated tier (N+1 hot standby) available at ~1.6x Standard pricing.

For providers

Your hardware. Your income.

Lease your idle CPU, RAM, and storage. Set it up once, earn passively. Resource throttling ensures your machine stays fast for your own use.

Step 01

Install daemon

One command. Automatic hardware detection and benchmarking.

Step 02

Pass verification

Resource challenges confirm real hardware. Ed25519 identity generated.

Step 03

Earn 80% revenue

Flat 80/20 split. Reputation scoring unlocks higher-tier instances.

Step 04

Track earnings

Real-time dashboard with instance count, uptime, and earnings.

Early access

The launch is imminent.

20 performance fixes across 5 crates. Hot-path allocation elimination in VMM TX/RX paths, lock batching, buffer reuse, redundant work removal. 125 tests, zero clippy warnings. Join the waitlist to be first on the mesh.