Everything you need to know about BoxLite sandboxing
BoxLite is an embeddable micro-VM runtime that provides hardware-isolated sandboxes for running untrusted code safely. Unlike Docker (shared kernel), BoxLite gives each sandbox its own kernel. It boots in sub-seconds, supports OCI/Docker images, runs on macOS Apple Silicon and Linux, and requires no daemon or root access. Available for Python, Rust, and C.
BoxLite is an embeddable virtual machine runtime for secure, isolated execution environments. It lets you run AI agents and untrusted code in hardware-isolated micro-VMs—each sandbox has its own kernel, providing stronger isolation than containers. Following the SQLite philosophy, it requires no daemon and can be imported directly into your application.
Docker containers share the host kernel using Linux namespaces, meaning a container escape vulnerability could compromise your system. BoxLite uses hardware virtualization (micro-VMs) to create true isolation boundaries—each sandbox runs its own kernel, making escape virtually impossible. Use Docker for trusted workloads; use BoxLite when running untrusted code like AI-generated scripts.
BoxLite boots in sub-second time thanks to libkrun's lightweight micro-VM architecture. Unlike traditional VMs that take 10-30 seconds, BoxLite provides near-instant sandbox availability. Combined with layer caching for OCI images, subsequent sandbox creations are even faster.
Yes! BoxLite is fully OCI-compatible. You can use any Docker image from Docker Hub, GitHub Container Registry (GHCR), Amazon ECR, or any OCI-compliant registry. BoxLite pulls and caches image layers efficiently, so repeated use of the same base image is very fast.
BoxLite supports macOS on Apple Silicon (M1/M2/M3/M4) using Hypervisor.framework, and Linux on both x86_64 and ARM64 architectures using KVM. Windows is not currently supported. On Linux, you need KVM access (/dev/kvm).
No! Unlike Docker which typically requires root or a daemon running as root, BoxLite runs as a regular user. On Linux, you just need access to /dev/kvm (usually by being in the 'kvm' group). On macOS, no special permissions are needed.
BoxLite provides official SDKs for Python (3.10+), Rust (native), and C. A Node.js SDK is in development. The Python SDK is available on PyPI (`pip install boxlite`), making it easy to integrate into AI agent frameworks, Jupyter notebooks, and production applications.
Firecracker (AWS) is a minimal hypervisor optimized for serverless workloads. BoxLite builds on similar micro-VM technology but provides a higher-level, user-friendly API with out-of-the-box OCI image support, container lifecycle management, and multiple language SDKs. Firecracker requires more setup; BoxLite is designed to be embedded directly in applications.
gVisor (Google) provides isolation through a userspace kernel that intercepts syscalls. BoxLite uses hardware virtualization for true VM boundaries. gVisor is lighter but has syscall compatibility limitations; BoxLite runs a full Linux kernel so any Linux software works, at the cost of slightly higher overhead.
BoxLite is ideal for: (1) AI Agent Sandboxing - safely run AI-generated code, (2) Code Execution Platforms - online judges, coding tutorials, (3) Multi-tenant Hosting - isolate customer workloads, (4) Browser/Desktop Automation - secure web scraping and UI testing, (5) Compliance - when container isolation isn't sufficient for regulatory requirements.
Yes! BoxLite includes built-in networking with full internet outbound access, port forwarding (TCP/UDP), and DNS resolution. The default networking backend is gvproxy (gVisor's user-mode network stack), with libslirp as an alternative option.
Yes. BoxLite supports volume mounts via virtio-fs, allowing you to share host directories with sandboxes in read-only or read-write mode. You can also use persistent QCOW2 disk images that survive sandbox restarts.
Yes! BoxLite is open source under the Apache License 2.0. The source code is available on GitHub at github.com/boxlite-labs/boxlite. Contributions are welcome!
BoxLite provides high-level APIs for common use cases: SimpleBox (foundation for custom containers), CodeBox (secure Python code execution with package installation), ComputerBox (desktop automation with screenshot, mouse, keyboard), BrowserBox (browser automation with Chromium, Firefox, WebKit), and InteractiveBox (interactive shell access).
Join our Discord community or check out the documentation on GitHub.