
The Darkroom privacy stack, layer by layer

8 min read · Darkroom

Uncensored model, sealed room, unlinkable access. How Darkroom composes abliteration, confidential compute, envelope encryption and crypto payments into one private assistant.

Three properties, composed

Darkroom is one claim made of three independent guarantees:

  • Uncensored — the model won't refuse or moralise.
  • Private — no human, including the operator, can see inside the room.
  • Unlinkable — nothing ties a session to your identity.

Each is a different layer. Defeating the product means defeating all three, and they're enforced by different mechanisms.

Layer 1: the model (uncensored)

The room runs an abliterated open-weight model — the refusal direction removed from the weights, not prompted around. There's no guardrail to jailbreak because there's no refusal circuit left. See what is an abliterated model.

Layer 2: the room (private)

The model runs inside an Intel TDX trust domain. The host — the operator, the cloud — cannot read the enclave's memory. The enclave attests to its exact code via a hardware quote, and your client verifies that quote before sending anything. See how TEE attestation works.

Layer 3: envelope sealing (end-to-end)

Verification gives you the enclave's public key. Your prompt is sealed to it with X25519 key agreement → HKDF → AES-256-GCM — authenticated encryption to a key that only exists inside the measured enclave. The operator routes ciphertext. Decryption, inference, and re-encryption all happen inside the trust domain. Plaintext never touches the host.
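
The sealing path described above, as an added example in Node.js that is not Darkroom's own code. The page names only the primitives, so the HKDF hash (SHA-256), salt, info label, 12-byte nonce and envelope field names here are assumptions.

```javascript
// Added illustration; parameter choices below are assumptions, not Darkroom's wire format.
const nodeCrypto = require('node:crypto');

const INFO = Buffer.from('example-envelope-v1'); // constructed HKDF context label

// Derive a 32-byte AES key from the X25519 shared secret via HKDF-SHA256.
function deriveKey(privateKey, publicKey, salt) {
  const shared = nodeCrypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, salt, INFO, 32));
}

// Export a public key as DER bytes so it can travel in the envelope.
const spki = (key) => key.export({ type: 'spki', format: 'der' });

// Client side: seal plaintext to the enclave public key taken from a verified quote.
function seal(enclavePublicKey, plaintext) {
  const eph = nodeCrypto.generateKeyPairSync('x25519'); // fresh key pair per message
  const ephPub = spki(eph.publicKey);
  const key = deriveKey(eph.privateKey, enclavePublicKey, ephPub);
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(ephPub); // bind the ephemeral key to the ciphertext
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { ephPub, nonce, ct, tag: cipher.getAuthTag() };
}

// Enclave side: recompute the key and decrypt; throws if anything was altered.
function open(enclavePrivateKey, env) {
  const ephPublicKey = nodeCrypto.createPublicKey({ key: env.ephPub, type: 'spki', format: 'der' });
  const key = deriveKey(enclavePrivateKey, ephPublicKey, env.ephPub);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, env.nonce);
  decipher.setAAD(env.ephPub);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ct), decipher.final()]).toString('utf8');
}

// Returns true when open() rejects the envelope (GCM authentication failure).
function rejects(enclavePrivateKey, env) {
  try { open(enclavePrivateKey, env); return false; } catch { return true; }
}
```

The relaying host sees only `ephPub`, `nonce`, `ct` and `tag`; flipping a bit in any of them, or decrypting with a key other than the enclave's, makes `open` throw rather than return altered plaintext.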

Layer 4: access (unlinkable)

No email, no account. You authenticate by signing a challenge with your Solana wallet (sign-in-with-Solana) and pay in USDC from your balance. There's no name, no card, no identity document anywhere in the flow. Your prompts run sealed and aren't logged in the clear, and saved history is encrypted to your key — so there's no readable record of what you asked for anyone to hand over.

Why the composition matters

Most "private AI" products give you one layer and imply the rest. A no-logs policy is a promise, not a guarantee. A local model is private but weak and unverifiable. Darkroom's point is that each layer is independently checkable:

  • the model's behaviour is visible in use,
  • the room's code is pinned by its MRTD and verifiable by anyone,
  • the encryption is standard and open-source,
  • the payment rail is on a public chain you don't have to trust us about.

The honest limitations

  • Abliteration removes a safety layer; responsibility moves to you.
  • A TEE protects against the operator and the host, not against a flaw in the published image — which is why the image is open and the MRTD is pinned.
  • Unlinkability is only as good as your wallet hygiene; an address you've doxxed is still you.

Private by construction, not by policy — and checkable at every layer. That's the whole design. Start in the room, or verify it first.
