SPO - Using cardano-hw-cli with a AWS EC2 instance

Hello, first post here and really new to the stake pool process I followed along with some YT tutorials and read about airgapped in Coincashew’s tutorial, but I am new to all this so I’m not sure the best practices.

For background: I mainly work out of AWS. I reserved 3-year t2.medium (which seems I have to upgrade to t2.large soon). I have my producer node on a private subnet with the only SSH connection restricted to the bastion-host which SSH is restricted to my IP. In addition, I have a NAT gateway routed from the public subnet in the same VPC so that the producer can update and do internet-things. My Relays sit on public with SSH restricted to my IP and has opened ports for in/out 6000, 6001, 3001.

I am just started learning to create a stake pool and I am completely lost. I’m having issues with understanding how the cardano-hw-cli works or if it’ll even work on a EC2 instance (in a private subnet/VPC). I keep getting a failed to initialize libusb, and my research leads me to believe you can’t use a physical USB mounted to a EC2 instance.

It seems this would work on airgapped machine which I think refers to an physical on-prem server. I was worried about stability issues since my ISP is not reliable so an airgapped machine might not work in my case. Do most pools host their producer nodes on the cloud too (i.e., a lot of tutorials use digitalocean)? If so, is anyone able to use their hardware wallet?

I was wondering if anyone had experience with using a hardware wallet on their stake pool?

Thanks in advance!

I tested and it worked via cntools - import hw wallet… but it was on wm machine configured on a local pc…

Perhpas this option will help u


Yes, using a HW wallet for pledge and reward is documented quite well over here


Thanks for the input @Alexd1985,

I read through a couple of your post and they were really useful when I was setting up my nodes. Thanks again for helping out new SPOs. I really appreciate the time you’ve spent on the forums.

By wm machine, are you referring to a Windows Machine? I read the adalite post but still a bit confused so I will need to revisit how keys work in the documentation.

Thanks for sharing @tomdx. I’ll read through!

Yes, virtual box on windows, with ubuntu;

Thank you Alex, I got it to work. It seems I was confused about how to use the cardano-hw-cli command. Going back through the documentation and reading through everything again helped me understand that I was suppose to do it on a airgapped machine.

I just unstaked my ADA from HW so waiting for that to continue the stake pool process.

Hi David, I’m on AWS too and can’t seem to get cardano-hw-cli command to work. What did you do to get it working?

@gametraders You connect your HW wallet to a machine that also has a node running. This would not be your AWS instance. The easiest way to run a node on your Desktop/Laptop is this

docker run --detach \
    --name=relay \
    -p 3001:3001 \
    -v node-data:/opt/cardano/data \
    nessusio/cardano-node run

Also pls note, for some actions it should not be necessary to have a running node - sign/witness for example. I haven’t tried that though.


hey @gametraders,

So I finally got it to work last night! Took me two days to figure it out and for me to do it correctly. You will only need to connect your HW wallet to a airgap machine (no internet access) in order to manipulate the keys. Before that, you need to register your stakepool using a regular cardano-cli wallet then you should use the cardano-hw-wallet as the pool’s pledge.

In order to get the cardano-cli and cardano-hw-cli to work on my airgap machine, I had to copy the binaries (cardano-cli) and install file (cardano-hw-cli) over from a machine with internet access. I’ll provide an example below with what I did:

Note: You need both the cardano-cli and cardano-hw-cli on your airgap machine to manipulate transactions using your private keys.

  1. Relay Node 1 (connected to internet) or any machine connected to the internet. Download the cardano-hw-cli and move it over to your airgap machine.
    wget https://github.com/vacuumlabs/cardano-hw-cli/releases/download/v1.2.0/cardano-hw-cli- 1.2.0_linux-x64.tar.gz
    scp user@relaynode1 cardano-hw-cli-1.2.0_linux-x64.tar.gz ~/Desktop

  2. Transfer the cardano-hw-cli file (cardano-hw-cli/releases/download/v1.2.0/cardano-hw-cli- 1.2.0_linux-x64.tar.gz) through a USB drive to your Airgap machine

  3. Once you have it on your airgap machine, you can extract the file and follow the install instructions on vacuumlabs. (I’m a noob at Linux so I followed their installation and added both a soft link and export path)
    cardano-hw-cli/installation.md at develop · vacuumlabs/cardano-hw-cli · GitHub
    tar -zxvf cardano-hw-cli-1.2.0_linux-x64.tar.gz
    sudo ln -s /<PATH_TO_DIRECTORY_OF_cardano-hw-cli> /usr/bin
    export PATH=<PATH_TO_DIRECTORY_OF_cardano-hw-cli>

  4. There was an optional step to add the autocomplete.sh script to my /.bashrc which I did. You can just append the script into .bashrc (I think the command below worked, if not, you can copy and paste)
    sudo cat autocomplete.sh >> ~/.bashrc

5.You should have access to the cardano-hw-cli now. Make sure to follow Ledger’s instruction if you aren’t able to connect to the hardware wallet. My Ledger USB was detected with lsusb command, but I needed to do the instructions below before I was able to export my hardware keys.

Hope that helps, let me know if you have any questions!

Also, I’m going to start working on a YouTube video/documentation to help with the setting hardware wallets for stake pools since it took me quite some time to fully understand and get it working. I’ll share once that is available.

Thanks so much David! I’ll give it another shot. I did try adalite but having troubles with that now. Ahh the fun of it!

I’d be super interested in watching your YT vid when it goes live

1 Like

I have an interview coming up tomorrow, so it won’t until this weekend. A really useful resource that helped was from @angelstakepool

For step 4, you can use:

  --pool-reward-account-verification-key-file cli-stake-rewards.vkey \
  --pool-owner-stake-verification-key-file hw-wallet.vkey \

The cli-stake-rewards.vkey is the node’s wallet that is generated using cardano-cli address key-gen. And the hw-wallet.vkey is the hardware wallet verification key exported using cardano-hw-cli address key-gen .

The only difference I had is that I’m changing my rewards key to be the hw wallet also

To my understanding, you can’t use the hw wallet as the reward key. The hw wallet should only to be used for securing the pledge amount. I remember reading it somewhere…

Hope that helps and best of luck!

yes , you can use the hw wallet key as reward key

in my explanation, I am using a cli key for rewards because there are 2 owners , so rewards would need to be [manually] distributed anyways

take care and good luck

1 Like

Thanks for clearing that up @angelstakepool

So if you are using a hw wallet as both the pool-reward-account key and as the the pool-owner-stake key, do you only use two witnesses (I.e. , the cold keys + hw wallet)?

You would need 3 witnesses

  • cold key
  • hw stake key
  • cli key (with a few ADA) to pay for transaction
1 Like

Trying to setup a HW wallet on my testnet pool to test out how it works. When it comes to pledge would you simply send ADA to the HW address (for example through yoroi)? Also, do the rewards then show up in the stake rewards address (again like you normally would with staking?) and are you able to withdraw them the same way?

I followed the coincashew guide. Im not sure if I need to modify the steps in it to allow for both the rewards + pledge to be HW controlled

if you already have a pool running with a CLI key owner, then what you can do is add a 2nd owner , in this case a HW WALLET key owner.

The pool will have 2 owners: CLI & HW WALLET, so the effective pledge is the sum between the 2. if you want to transfer balance from CLI key to HW WALLET key, you need to wait for 2 snapshots

I also wrote a similar guide for this

Thanks, think I understand. How does the rewards work though? Is it handled by the hw or the original cli key?