Skip to content


Get started and install BastionLab Client and BastionLab Server.


Technical requirements

To install BastionLab Client and BastionLab Server, ensure the following are already installed in your system:

To install BastionLab Server, you'll also need:

Here's the Docker official tutorial to set it up on your computer.

Installing BastionLab Client

From PyPI

pip install bastionlab

From source

First, you'll need to clone BastionLab repository:

git clone
Then install the client library:
cd ./bastionlab/client
make dev-install

Installing BastionLab Server

From PyPI

For testing purposes only, BastionLab server can be installed using our pip package.


This package is meant to quickly setup a running instance of the server and is particularly useful in colab notebooks. It does not provide any mean to configure the server which makes certain features impossible to use (like authentication).

For production, please use the Docker image or install the server from source.

pip install bastionlab-server

Once installed, the server can be launched using the following script:

import bastionlab_server
srv = bastionlab_server.start()

And stoped this way:


Using the official Docker image

docker run -p 50056:50056 -d mithrilsecuritysas/bastionlab:latest

Configuring the Docker image

If you want to use a custom configuration file, you can do so with the following code block:

docker create -p 50056:50056 --name bastionlab-srv mithrilsecuritysas/bastionlab:latest
docker cp <your_updated_config>.toml bastionlab-srv:/app/bin
docker start bastionlab-srv

To serve as a reference, here's the default config.toml:

client_to_enclave_untrusted_url = ""
public_keys_directory = "keys/"
session_expiry_in_secs = 1500

By locally building the Docker image

Clone the repository and build the image using the Dockerfile:

git clone
cd ./bastionlab/server
docker build -t bastionlab:0.1.0 -t bastionlab:latest .
Then run a container based on the image:
docker run -p 50056:50056 -d bastionlab

Building the Docker image with GPU access


Visit the NVIDIA drivers page for downloading and installing the appropriate drivers. Reboot your system and make sure your GPU is running and accessible.

Install nvidia-container-runtime

For Debian-like systems or others.

Add the nvidia-container-runtime repository to your list of repositories:

# Get the GPG key
curl -s -L | \
  sudo apt-key add -
# Get the distribution
distribution=$(. /etc/os-release && echo $ID$VERSION_ID)
# Add repository to list
curl -s -L$distribution/nvidia-container-runtime.list | \
  sudo tee /etc/apt/sources.list.d/nvidia-container-runtime.list

sudo apt update
Install nvidia-container-runtime and restart docker service:
sudo apt install nvidia-container-runtime
sudo systemctl restart docker 

Build and run the image

Clone the repository and build the image using the Dockerfile:

git clone
cd ./bastionlab/server
docker build -t bastionlab:0.3.7-gpu -f Dockerfile.gpu.sev .
Then run a container based on the image, exposing the GPUs for use and with NVIDIA recommended flags:
docker run --gpus all --ipc=host --ulimit memlock=-1 --ulimit stack=67108864 -p 50056:50056 bastionlab:0.3.7-gpu

From source

Automated build

Before using the automated build, make sure to run it in a RHEL, Debian or Arch based linux distro. The script will detect on the run on which distro it is running.

The script must be ran inside the server's directory, it will check and install all the necessary dependencies to build the server, if needed, and then it will start building it.

git clone
cd bastionlab/server/
Environmental variables
  • If the LIBTORCH envar is already set, the script will use this path to build the server.
  • CUDA
  • If the CUDA envar is already set, the script will use this path to build the server.
  • It is to set the options for rustup installation (To choose the default host, toolchain, profile, ...).
    export INSTALL_RUST_OPT='--profile minimal --default-toolchain nightly'
  • If it is necessary to build the project as the root user, you need to set this variable before running the script.
  • If the variable is not set when running as root, the dependencies will be installed but the project will not be built.
    ./build # Running this as root will install the dependencies
    ./ # Running this as root and with the flag set will install AND build the server
  • If it is necessary to build the project using C++11, you need to set this variable before running the script.
  • It will install and setup C++11 before building.
    export BASTIONLAB_CPP11=1
Flow chart
%%{ init: { 'flowchart': { 'curve': 'stepBefore' } } }%%
flowchart LR
    subgraph PR[Privileges at run]
        direction LR
        z(Start) --> a
        a{Sudo privileges?} ==Yes==> b[Run as superuser]
        a -.No.-> c[Run as user] -.-> d{Dependencies\nmissing?}
        d -.Yes.-> b
    subgraph MF[Main flow]
        direction LR
        A[Install\ndependencies] ===> D{Ran script as user\nor flag\nBUILD_AS_ROOT is set?}
        D -.Yes.-> B
        B[Build server]
        D ==No==> C(End)
        B ---> C
        b ==> A
        d -.No.-> B
    PR === MF

Manual build

First make sure that the following build dependencies (Debian-like systems) are installed on your machine:

sudo apt-get update && apt-get -y install build-essential libssl-dev pkg-config curl unzip

Then, clone our repository:

git clone
Download and unzip libtorch (Pytorch's C++ backend) from Pytorch's website (you can chose the right build according to your cuda version):
cd ./bastionlab
curl -o $(. ./.env.vars && echo "${TORCH_CXX11_URL}")
Libtorch binaries are now available under the libtorch folder. You can now turn to building the server crates:
cd server
make build

To run the server, use:

make run