CoinCashew
English
English
  • Home
  • About Us
  • Donations
  • Contributing
    • Contributor Covenant Code of Conduct
    • Style Guide
  • Disclaimer
  • Wallets
    • Guide: Crypto Wallet Tips 101 - Do's and Don'ts
      • Review: Metal Bitcoin Seed Storage by jlopp
  • Coins
    • Ethereum: ETH
      • 🛡️EthPillar: one-liner setup tool and node management TUI
      • 🥩Guide | How to setup a validator for Ethereum staking on mainnet
        • Overview - Manual Installation
        • PART I - INSTALLATION
          • Step 1: Prerequisites
          • Step 2: Configuring Node
          • Step 3: Installing execution client
            • Nethermind
            • Besu
            • Geth
            • Erigon
            • Reth
          • Step 4: Installing consensus client
            • Lighthouse
            • Lodestar
            • Teku
            • Nimbus
            • Prysm
          • Step 5: Installing Validator
            • Setting up Validator Keys
            • Installing Validator
              • Lighthouse
              • Lodestar
              • Teku
              • Nimbus
              • Prysm
            • Next Steps
          • Monitoring your validator with Grafana and Prometheus
          • Mobile App Node Monitoring by beaconcha.in
          • Monitoring with Uptime Check by Google Cloud
        • PART II - MAINTENANCE
          • Updating Execution Client
          • Updating Consensus Client
          • Backups Checklist: Critical Staking Node Data
          • Uninstalling Staking Node
          • Finding the longest attestation slot gap
          • Checking my eth validator's sync committee duties
          • Checklist | Confirming a healthy functional ETH staking node
        • PART III - TIPS
          • Voluntary Exiting a Validator
          • Verifying Your Mnemonic Phrase
          • Adding a New Validator to an Existing Setup with Existing Seed Words
          • Switching / Migrating Consensus Client
          • 🛡️Switching / Migrating Execution Client
          • ⚡Using Node as RPC URL endpoint
          • Using All Available LVM Disk Space
          • Reducing Network Bandwidth Usage
          • How to re-sync using checkpoint sync
          • Important Directory Locations
          • Improving Validator Attestation Effectiveness
          • EIP2333 Key Generator by iancoleman.io
          • 😁Geth - Enabling path-based state storage
          • Disk Usage by Execution / Consensus Client
          • Dealing with Storage Issues on the Execution Client
        • Join the Community
        • Credits
        • See Also
        • Changelog
      • 🌠Guide | How to setup a validator for Ethereum staking on testnet HOODI
        • Overview - Manual Installation
        • Step 1: Prerequisites
        • Step 2: Configuring Node
        • Step 3: Installing execution client
          • Nethermind
          • Besu
          • Geth
          • Erigon
          • Reth
        • Step 4: Installing consensus client
          • Lighthouse
          • Lodestar
          • Teku
          • Nimbus
          • Prysm
        • Step 5: Installing Validator
          • Setting up Validator Keys
          • Installing Validator
            • Lighthouse
            • Lodestar
            • Teku
            • Nimbus
            • Prysm
          • Next Steps
        • Maintenance
          • Updating Execution Client
          • Updating Consensus Client
          • Backups Checklist: Critical Staking Node Data
          • Uninstalling Staking Node
      • ⛓️Guide | How to setup a validator for Ethereum staking on testnet HOLESKY
        • Overview - Manual Installation
        • Step 1: Prerequisites
        • Step 2: Configuring Node
        • Step 3: Installing execution client
          • Nethermind
          • Besu
          • Geth
          • Erigon
          • Reth
        • Step 4: Installing consensus client
          • Lighthouse
          • Lodestar
          • Teku
          • Nimbus
          • Prysm
        • Step 5: Installing Validator
          • Setting up Validator Keys
          • Installing Validator
            • Lighthouse
            • Lodestar
            • Teku
            • Nimbus
            • Prysm
          • Next Steps
        • Maintenance
          • Updating Execution Client
          • Updating Consensus Client
          • Backups Checklist: Critical Staking Node Data
          • Uninstalling Staking Node
      • 💰Guide | MEV-boost for Ethereum Staking
        • MEV Relay List
      • 🔎Guide | Recover Ethereum Validator Mnemonic Seed
      • 🦉Update Withdrawal Keys for Ethereum Validator (BLS to Execution Change or 0x00 to 0x01) with ETHDO
      • 📜Archived Guides
        • Guide Version 1 | How to setup a validator for Ethereum staking on MAINNET
          • PART I - INSTALLATION
            • Step 1: Prerequisites
            • Step 2: Configuring Node
            • Step 3: Setting up Validator Keys
            • Step 4: Installing execution client
            • Step 5: Installing consensus client
            • Monitoring your validator with Grafana and Prometheus
            • Mobile App Node Monitoring by beaconcha.in
            • Security Best Practices for your ETH staking validator node
            • Synchronizing time with Chrony
            • Monitoring with Uptime Check by Google Cloud
          • PART II - MAINTENANCE
            • Updating your consensus client
            • Updating your execution client
            • Uninstalling V1 Staking Node
            • Finding the longest attestation slot gap
            • Checking my eth validator's sync committee duties
            • Pruning the execution client to free up disk space
            • Checklist | Confirming a healthy functional ETH staking node
          • PART III - TIPS
            • 🛡️Switching / Migrating Execution Client
            • Voluntary Exiting a Validator
            • Verifying Your Mnemonic Phrase
            • Adding a New Validator to an Existing Setup with Existing Seed Words
            • Switching / Migrating Consensus Client
            • Using All Available LVM Disk Space
            • Reducing Network Bandwidth Usage
            • How to re-sync using checkpoint sync
            • Important Directory Locations
            • Hosting Execution client on a Different Machine
            • Adding or Changing Graffiti flag
            • Improving Validator Attestation Effectiveness
            • EIP2333 Key Generator by iancoleman.io
            • Disk Usage by Execution / Consensus Client
            • Dealing with Storage Issues on the Execution Client
          • Join the Community
          • Credits
          • See Also
          • Changelog
        • Guide Version 1 | How to setup a validator for Ethereum staking on testnet GOERLI
          • Step 1: Prerequisites
          • Step 2: Configuring Node
          • Step 3: Setting up Validator Keys
          • Step 4: Installing execution client
          • Step 5: Installing consensus client
        • Guide Version 2 | How to setup a validator for Ethereum staking on testnet GOERLI
          • Step 1: Prerequisites
          • Step 2: Configuring Node
          • Step 3: Installing execution client
            • Nethermind
            • Besu
            • Geth
            • Erigon
          • Step 4: Installing consensus client
            • Lighthouse
            • Lodestar
            • Teku
            • Nimbus
            • Prysm
          • Step 5: Installing Validator
            • Setting up Validator Keys
            • Installing Validator
              • Lighthouse
              • Lodestar
              • Teku
              • Nimbus
              • Prysm
            • Next Steps
          • Maintenance
            • Updating Execution Client
            • Updating Consensus Client
            • Backups Checklist: Critical Staking Node Data
            • Uninstalling Staking Node
        • Guide | Ethereum Staking on Zhejiang Testnet
        • Guide | Besu + Lodestar | Most Viable Diverse Client | Staking Ethereum on Kiln testnet
        • Guide | How to setup a validator for Ethereum staking on Pithos testnet in 10 minutes or less
        • Ethereum Merge Upgrade Checklist for Home Stakers and Validators
        • Guide | Operation Client Diversity: Migrate Prysm to Teku
      • Guide: How to buy ETH
    • Cardano: ADA
      • Guide: How to Set Up a Cardano Stake Pool
        • Benefits of Operating a Cardano Stake Pool
        • PART I - INSTALLATION
          • Prerequisites
          • Hardening an Ubuntu Server
          • Setting Up chrony
          • Installing the Glasgow Haskell Compiler and Cabal
          • Compiling Cardano Node
        • PART II - CONFIGURATION
          • Downloading Configuration Files
          • Configuring Topology
          • Configuring an Air-gapped, Offline Computer
          • Creating Startup Scripts and Services
        • PART III - OPERATION
          • Starting the Nodes
          • Accessing Built-in Help
          • Generating Keys for the Block-producing Node
          • Setting Up Payment and Stake Keys
          • Registering Your Stake Address
          • Registering Your Stake Pool
          • Verifying Stake Pool Operation
          • Setting Up Dashboards
          • Configuring Slot Leader Calculations
          • Securing Your Stake Pool Using a Hardware Wallet
          • Setting up a Mithril Signer
        • PART IV - ADMINISTRATION & MAINTENANCE
          • Checking Stake Pool Rewards
          • Claiming Stake Pool Rewards
          • Delegating to a Stake Pool
          • Delegating to a Representative
          • Issuing a New Operational Certificate
          • Updating Stake Pool Information
          • Upgrading a Node
          • Retiring Your Stake Pool
          • Auditing Your nodes configuration
          • KES Key Rotation / Operational Certificate Companion Script
        • PART V - TIPS
          • Submitting a Simple Transaction
          • Transferring Files Using SSH
          • Updating Configuration Files
          • Implementing Peer Sharing
          • Uploading Pool Metadata to GitHub Pages
          • Obtaining a PoolTool API Key
          • Configuring Glasgow Haskell Compiler Runtime System Options
          • Reducing Missed Slot Leader Checks and Improving Cardano Node Performance
          • Increasing Swap File Size
          • Setting Up an External Passive Relay Node
          • Setting Up WireGuard
          • Monitoring Node Security Using OSSEC Server and Slack
          • Resetting an Installation
          • Fixing a Corrupt Blockchain
          • Verifying an ITN Stake Pool
          • Fixing the Mnemonic Staking Balance Bug
        • Appendix A - Best Practices Checklist
        • Appendix B - Cardano Resource Index
        • Discord Chat Channel
        • See Also
        • Credits
      • Guide: How to buy ADA
      • Guide: How to stake ADA
    • Monero: XMR
      • Guide | How to run your own Monero node
      • Guide: How to mine Monero
      • Create a XMR paper wallet
      • External Reading Material
        • Movie: Monero Means Money
        • Guide: Zero to Monero
        • Book: Mastering Monero
Powered by GitBook
On this page
Edit on GitHub
  1. Coins
  2. Cardano: ADA
  3. Guide: How to Set Up a Cardano Stake Pool
  4. PART III - OPERATION

Securing Your Stake Pool Using a Hardware Wallet

PreviousConfiguring Slot Leader CalculationsNextSetting up a Mithril Signer

Last updated 7 months ago

You can secure your pool pledge account and pool reward account using a or hardware wallet. Credits to for documenting the procedure.

Critical Reminder: After adding a 2nd pool owner using a hardware wallet, you must wait 2 epochs before you transfer pledge funds from your CLI Method or Mnemonic Method wallet to hardware wallet. Do not transfer any funds earlier because your pool pledge will not be met.

First, delegate your 2nd pool owner to your stake pool with Daedalus or Yoroi or Adalite.io

Install to interact with your hardware wallet.

# Hardware Wallet works with Trezor and Ledger Nano S/X
# Reference https://github.com/vacuumlabs/cardano-hw-cli/blob/develop/docs/installation.md

cd $NODE_HOME
wget https://github.com/vacuumlabs/cardano-hw-cli/releases/download/v1.13.0/cardano-hw-cli_1.13.0-1.deb
sudo dpkg --install ./cardano-hw-cli_1.13.0-1.deb

Connect and unlock your hardware wallet on your local PC or block producer node.

To generate the verification key and hardware wallet signing file, type:

cardano-hw-cli address key-gen \
  --path 1852H/1815H/0H/2/0 \
  --verification-key-file hw-stake.vkey \
  --hw-signing-file hw-stake.hwsfile

As needed, you can edit the value of the --path option to specify the derivation path to the key with which you want to sign. hw-stake.vkey is not sensitive and may be shared publicly. hw-stake.hwsfile does NOT contain the raw private key.

Copy hw-stake.vkey to your cold environment.

Update stake pool registration certificate to add your new hardware wallet owner, which will secure both your pool pledge account and pool reward account.

Tailor the below registration-certificate transaction with your pool's settings.

cardano-cli conway stake-pool registration-certificate \
    --cold-verification-key-file $HOME/cold-keys/node.vkey \
    --vrf-verification-key-file vrf.vkey \
    --pool-pledge 1000000000 \
    --pool-cost 170000000 \
    --pool-margin 0.10 \
    --pool-reward-account-verification-key-file hw-stake.vkey \
    --pool-owner-stake-verification-key-file stake.vkey \
    --pool-owner-stake-verification-key-file hw-stake.vkey \
    --mainnet \
    --single-host-pool-relay <dns based relay, example ~ relaynode1.myadapoolnamerocks.com> \
    --pool-relay-port 6000 \
    --metadata-url <url where you uploaded poolMetaData.json> \
    --metadata-hash $(cat poolMetaDataHash.txt) \
    --out-file pool.cert

Example above is pledging 1000 ADA with a fixed pool cost of 170 ADA and a pool margin of 10%.

Copy pool.cert to your hot environment.

You need to find the tip of the blockchain to set the invalid-hereafter parameter properly.

currentSlot=$(cardano-cli conway query tip --mainnet | jq -r '.slot')
echo Current Slot: $currentSlot

Find your balance and UTXOs.

cardano-cli conway query utxo \
    --address $(cat payment.addr) \
    --mainnet > fullUtxo.out

tail -n +3 fullUtxo.out | sort -k3 -nr > balance.out

cat balance.out

tx_in=""
total_balance=0
while read -r utxo; do
    type=$(awk '{ print $6 }' <<< "${utxo}")
    if [[ ${type} == 'TxOutDatumNone' ]]
    then
        in_addr=$(awk '{ print $1 }' <<< "${utxo}")
        idx=$(awk '{ print $2 }' <<< "${utxo}")
        utxo_balance=$(awk '{ print $3 }' <<< "${utxo}")
        total_balance=$((${total_balance}+${utxo_balance}))
        echo TxHash: ${in_addr}#${idx}
        echo ADA: ${utxo_balance}
        tx_in="${tx_in} --tx-in ${in_addr}#${idx}"
    fi
done < balance.out
txcnt=$(cat balance.out | wc -l)
echo Total available ADA balance: ${total_balance}
echo Number of UTXOs: ${txcnt}

Run the build-raw transaction command.

cardano-cli conway transaction build-raw \
    ${tx_in} \
    --mary-era \
    --tx-out $(cat payment.addr)+${total_balance} \
    --invalid-hereafter $(( ${currentSlot} + 10000 )) \
    --fee 200000 \
    --certificate-file pool.cert \
    --out-file tx.tmp

Calculate the minimum fee:

fee=$(cardano-cli conway transaction calculate-min-fee \
    --tx-body-file tx.tmp \
    --tx-in-count ${txcnt} \
    --tx-out-count 1 \
    --mainnet \
    --witness-count 4 \
    --byron-witness-count 0 \
    --protocol-params-file params.json | awk '{ print $1 }')
echo fee: $fee

Calculate your change output.

txOut=$((${total_balance}-${fee}))
echo txOut: ${txOut}

Build the transaction.

cardano-cli conway transaction build-raw \
    ${tx_in} \
    --mary-era \
    --tx-out $(cat payment.addr)+${txOut} \
    --invalid-hereafter $(( ${currentSlot} + 10000 )) \
    --fee ${fee} \
    --certificate-file pool.cert \
    --out-file tx-pool.raw

Copy tx-pool.raw to your cold environment.

This multi signature transaction will be signed using witnesses.

You need the following 4 witnesses.

  • node.skey

  • hw-stake.hwsfile

  • stake.skey

  • payment.skey

Create a witness using node.skey,

cardano-cli conway transaction witness \
  --tx-body-file tx-pool.raw \
  --signing-key-file $HOME/cold-keys/node.skey \
  --mainnet \
  --out-file node.witness

Create a witness using stake.skey,

cardano-cli conway transaction witness \
  --tx-body-file tx-pool.raw \
  --signing-key-file stake.skey \
  --mainnet \
  --out-file stake.witness

Create a witness using payment.skey,

cardano-cli conway transaction witness \
  --tx-body-file tx-pool.raw \
  --signing-key-file payment.skey \
  --mainnet \
  --out-file payment.witness

Copy tx-pool.raw to local PC or block producer node, which is where your hardware wallet device is connected. Ensure your hardware wallet is unlocked and ready.

Create a witness using hw-stake.hwsfile

cardano-hw-cli transaction witness \
  --tx-file tx-pool.raw \
  --hw-signing-file hw-stake.hwsfile \
  --mainnet \
  --out-file hw-stake.witness

Copy hw-stake.witness to your cold environment.

cardano-cli conway transaction assemble \
  --tx-body-file tx-pool.raw \
  --witness-file node.witness \
  --witness-file stake.witness \
  --witness-file payment.witness \
  --witness-file hw-stake.witness \
  --out-file tx-pool.multisign

Copy tx-pool.multisign to your hot environment.

Send the transaction.

cardano-cli conway transaction submit \
    --tx-file tx-pool.multisign \
    --mainnet

If you have multiple relay nodes, then .

Notice the pool-reward-account and additional pool-ownerstake-verification-key-file lines point to hw-stake.vkey.

Check your updated pool information on which should now show your hardware wallet as a pool owner.

Important Reminder These changes take effect in two epochs. Do NOT transfer pledge funds to your hardware wallet until at least two epochs later.

After two epoch snapshots have passed, you can safely transfer pledge funds from your CLI Method or Mnemonic Method wallet to your new hardware wallet owner account.

👀
🔥
🚀
Trezor
Ledger Nano S/X
angelstakepool
cardano-hw-cli
adapools.org
change your parameters accordingly