Security

The most isolated way to run a real server

Every Cube is a hardware-isolated microVM with its own kernel and a per-cube sandbox, no public IP of its own, and Cloudflare-protected web traffic. Here's exactly how that works — and why it's safer than a container or a typical VPS.

Its own kernel. A sandbox around every Cube.

A container shares one kernel across every tenant on the host — a single kernel bug can expose all of them. Krova is the opposite by design.

Its own kernel, per Cube

Every Cube boots its own kernel — never shared with another tenant or the host. One Cube's kernel bug can't reach yours.

Per-cube jailer sandbox

Each Cube's hypervisor runs inside a jailer sandbox — its own unprivileged user, chroot, and PID namespace. A hypervisor escape lands in that sandbox, not as root on the host.

Hardware boundary, hardened host

Hardware-enforced KVM isolation (the same technology behind AWS Lambda), the most restrictive seccomp filters, and cross-VM memory-dedup side channels disabled.

[Diagram: "Krova: a kernel per Cube" versus "Containers: one shared kernel". Krova stack: your app + data; guest userspace (your root); own kernel (Linux 6.11 per Cube); KVM + jailer sandbox; bare-metal host. Container stack: app 1, app 2, app 3; one shared host kernel; bare-metal host. Captions: "1 kernel bug → every tenant exposed" and "Escape lands in an unprivileged sandbox, never host root."]

[Diagram: Internet (visitors + DDoS attacks) → Cloudflare edge (TLS · hidden origin · DDoS L3/4/7 · 330+ cities) → Krova host (DDoS-mitigated · default-deny firewall) → Cube (private IP, no public IP). Caption: "Attacks are absorbed at the edge; they never reach your server."]

No public IP. Nothing to attack.

Every other host hands your server a public IP — a fixed address the whole internet can scan and hammer. Krova doesn't.

No public IP, period

Your Cube has no public IP of its own. It lives on a private, NAT'd network — there's simply no address out there for botnets to find and probe.

Cloudflare-protected, DDoS-absorbed

Web traffic on your custom domains is served entirely through Cloudflare's global edge: TLS, a hidden origin, and always-on, unmetered DDoS protection across layers 3, 4, and 7 on a 330+ city network.

Only what you open

Nothing inbound is reachable unless you explicitly open a port, and every mapping can be locked to an IP allowlist behind a stateful default-deny firewall. Hosts add provider-grade network DDoS mitigation on top.

“Wait — don't I need a public IP?”

For almost anything you'd run on a server, no — and not having one is the upgrade. What makes your app reachable is your domain and the ports you choose to expose, not a fixed address bolted to the whole machine. Your websites and APIs go out worldwide over HTTPS through Cloudflare; SSH, databases, and any other TCP service open through an IP-allowlistable port mapping, on demand. You get inbound access to exactly what you expose — without the public address the rest of the internet would spend all day scanning and attacking. Fewer doors, and all of them yours.

Automation

Provision with code. Run as many as you need.

Forget the AWS dance — VPC, subnet, security group, AMI, key pair, IAM role, launch template. A Krova Cube is one API call. Loop it to stand up as many as you want; each boots in milliseconds. No artificial cap — concurrency is unlimited on higher plans.

create-cube.sh
# Requires SPACE and KROVA_KEY to be set in the environment.
curl -X POST "https://krova.cloud/api/v1/spaces/$SPACE/cubes" \
  -H "X-API-KEY: $KROVA_KEY" \
  -H "Idempotency-Key: $(uuidgen)" \
  -d '{
    "name": "web-1",
    "image": "ubuntu-24.04",
    "resources": { "vcpu": 2, "ramGb": 4, "diskGb": 40 },
    "sshPublicKey": "ssh-ed25519 AAAA...",
    "region": "eu-central"
  }'
Full v1 REST API · Idempotency keys · cloud-init user-data · OpenAPI spec
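
The snippet above generates its Idempotency-Key inline with $(uuidgen), so re-running it after a timeout sends a fresh key. This added example (not Krova's own code) loops the same call while reusing one key per Cube across retries and passing the API key on curl's stdin instead of the command line. SSH_PUBKEY, RETRY_DELAY, the Content-Type header, the retry policy, and the premise that the API de-duplicates on the key are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not Krova's code. Endpoint, header names and body fields are
# the ones shown on this page; SSH_PUBKEY, RETRY_DELAY, the Content-Type header
# and the retry policy are assumptions made for this sketch.

# One key per logical Cube. uuidgen as on the page, with a Linux fallback.
new_key() { uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid; }

# JSON body for one Cube; only the name varies. Assumes neither value
# contains quotes or backslashes (no JSON escaping is done here).
cube_body() {
  printf '{"name":"%s","image":"ubuntu-24.04","resources":{"vcpu":2,"ramGb":4,"diskGb":40},"sshPublicKey":"%s","region":"eu-central"}' \
    "$1" "$SSH_PUBKEY"
}

# Create one Cube. Every retry reuses the SAME Idempotency-Key, so (assuming
# the API de-duplicates on it) a timed-out request cannot yield a second Cube.
create_cube() {
  local name="$1" key status attempt
  : "${SPACE:?set SPACE}" "${KROVA_KEY:?set KROVA_KEY}" "${SSH_PUBKEY:?set SSH_PUBKEY}"
  key="$(new_key)"
  for attempt in 1 2 3; do
    # Secret headers go to curl on stdin (-H @-, curl >= 7.55) via the printf
    # builtin, so the API key never appears in a process listing.
    status="$(printf 'X-API-KEY: %s\nIdempotency-Key: %s\n' "$KROVA_KEY" "$key" |
      curl -sS -o /dev/null -w '%{http_code}' -X POST \
        "https://krova.cloud/api/v1/spaces/${SPACE}/cubes" \
        -H @- -H 'Content-Type: application/json' \
        -d "$(cube_body "$name")")" || status=000
    case "$status" in
      2??) echo "$name: HTTP $status on attempt $attempt"; return 0 ;;
      429|5??|000) sleep "${RETRY_DELAY:-2}" ;;   # transient: retry, same key
      *) echo "$name: rejected, HTTP $status" >&2; return 1 ;;
    esac
  done
  echo "$name: gave up after 3 attempts" >&2
  return 1
}

# Create web-1 .. web-N; returns non-zero if any Cube failed.
create_many() {
  local n="$1" i=1 failed=0
  while [ "$i" -le "$n" ]; do
    create_cube "web-$i" || failed=$((failed + 1))
    i=$((i + 1))
  done
  [ "$failed" -eq 0 ]
}
```

Source the file and call `create_many 3` with SPACE, KROVA_KEY and SSH_PUBKEY set in the environment.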

Read the API reference →

[Diagram: "Provision programmatically". POST /v1/cubes → 201 created · cube_1, 201 created · cube_2, 201 created · cube_3, × as many as you need. Caption: "one request → one Cube · loop it · no cap"]

Run it where nothing's exposed.

Spin up a hardware-isolated Cube with no public IP and full root SSH in under a minute.