Stake Pool Security

Hi all - I am currently setting up my first Stake pool. I am now at the point where i create all the keys. I already stored my cold keys securely offline and now I ask myself if i should generate and store my payment/stake keys and payaddr also offline?
In stakepool school they did not do that I think… What did you do? Is it a safety risk to generate them on my server and let them stored there?

And generally, how do you protect and secure your servers in general?
BRGDS
Simlshady

1 Like

Yes, I recommend generating and storing your payment/stake keys offline.

You can use cardano-cli without starting the node, so it can be installed on your offline machine. I always build and sign transactions on the cold airgapped box, and move the signed transactions to a hot node to submit to the chain. It’s much more tedious this way, but definitely worth doing - avoid putting payment/stake skeys on a hot server at all costs.

2 Likes

for general security, you’ll want to make sure you’re not running as root, use SSH keypair w/ key password protected, disable ssh password login, change default ssh port, disable root login, and lock down firewall rules to only use necessary port for ssh and the port needed to run your node - on the block producer limit this port so it can only be accessed by your relays.

2 Likes

I mistakenly generated my stake and payment keys online. And right now I’m creating my pool certificate, which is offline. I get this error “stake. Vkey does not exist”. Is there a way out? Without having to start all over?

I would recommend starting over so you can generate your payment keys offline as well. If the online payment address is already funded, use that as an opportunity to practice transactions by sending the ADA from your online payment address to the new one you create offline.

But no, you don’t need to start over - you could move your keys to the offline box and use them there - just make sure to correctly reference the file path of the stake keys when creating your pool cert.

To reiterate, I recommend never having your keys online, and would personally start over.

1 Like

How do I transfer from my payment addr to my wallet?

Thank you for your reply. Very useful information, will do that!

1 Like

also take a look at installing fail2ban to mitigate brute force SSH attacks

1 Like

Alright cool :grin: you should take money for assisting stake pool noobs :grinning::+1:

2 Likes