# Secure validator with a Ledger HW wallet

Depending on your X1 validator method, there are different ways to secure your node with a Ledger wallet. This guide focuses on ensuring security through the use of standard CLI commands. If you installed a validator with the [X1 Console by Blackbeard](https://youtu.be/MvkVH7gAd0s), follow the instructions presented in the video.

If you created a validator by following the official X1 documentation and you run on Linux, then the below guide is for you.

### **1. Install Tachyon (X1 Client) and Solana tools on your local machine**

Install the validator from the official [X1 documentation](https://docs.x1.xyz/validating/create-a-read-only-node)

Clone the Tachyon repository:

```sh
git clone https://github.com/x1-labs/tachyon.git
```

Update your PATH environment variable:

```sh
export PATH=$PATH:$(pwd)/target/release
echo "export PATH=$PATH:$(pwd)/target/release" >> ~/.bashrc
```

Verify the installation:

```sh
solana --version
tachyon-validator --version
```

If you see the versions listed below, the installation was successful:

`solana-cli 2.2.17 (src:00000000; feat:607245837, client:Tachyon)`\
`tachyon-validator 2.2.17 (src:00000000; feat:2908148756, client:Tachyon)`

### **2. Prepare Your Ledger**

Install Ledger Live:

* Install and run once to set up firmware updates.
* Close Ledger Live before using CLI.

Install the Solana App on Ledger:

* Ledger Live → Manager → Search "Solana" → Install.

!<mark style="color:$danger;">!!If linux is run on mac (virtualbox):</mark>\
Connect Ledger to Linux terminal:

```sh
lsusb # should display your Ledger device
```

<mark style="color:$danger;">For mac: open terminal, then command:</mark>

```
system_profiler SPUSBDataType
```

Open the Solana app on Ledger — display should read:

`Application is ready`

### **3. Get Your Ledger Public Key**

\# First attempt may error

```sh
# First attempt may error
solana-keygen pubkey usb://ledger

# Try again
solana-keygen pubkey usb://ledger
```

Example output:

`Ge31BtSCzr6UDTgzv9sEFta4RpzAAfKe9rZi1RPe1v63`

This is your new Ledger withdraw authority public key.

### **4. Backup Old Withdraw Authority**

Run on your local machine (not the validator):

```sh
scp user@your-validator:/home/validator/.config/solana/id.json withdrawer.json
```

Or copy the private key manually to a new location on your local machine:

```sh
# On your validator server
cat ~/.config/solana/id.json

# On your local machine
nano withdrawer.json # paste it here
```

This lets you sign transactions that require both old and new withdraw authority during the changeover.

### 5. Change Vote Account Withdraw Authority to Ledger

Run this command on your local machine with Ledger attached and ready to sign:

```sh
solana vote-authorize-withdrawer-checked \
 VOTE ACCOUNT \
 withdrawer.json \
 "usb://ledger"
```

### 6. Change Stake Account Withdraw Authority to Ledger

View your stake accounts:

```sh
solana account ~/.config/solana/stake.json
```

Change the withdraw authority (repeat for each stake account):

```sh
solana stake-authorize \
 STAKE ACCOUNT \
 --new-withdraw-authority usb://ledger \
 --withdraw-authority withdrawer.json
```

### 7. Withdrawing with Ledger

**Command:**

```sh
solana withdraw-from-vote-account \
 VOTE ACCOUNT \
 DESTINATION ACCOUNT \
 AMOUNT \
 --authorized-withdrawer usb://ledger
```

You must physically approve each transaction on the Ledger each time.

### 8. Security Best Practices

* Never store the withdraw authority key on the validator.
* Keep identity.json on the server, but limit funds.
* Regularly update and patch the server.
* Enable firewall & SSH key authentication only. Follow the [X1 validator node security](https://owlnet.dev/article/x1-validator-node-security) guide
* Backup withdrawer.json and store the Ledger safely.

## Securing your X1 validator with Ledger and a wallet management tool

[The wallet management tool](https://validator.x1.wiki/) by xen\_artist provides an easy way of updating the withdrawer authority and managing stakes. The tool works with the Backpack wallet and the Ledger hardware wallet.

### 9. Connect Backpack to the wallet manager

1. Download Backpack. (LINK)
2. Import your withdrawer (most likely \`id.json\`) private key to the wallet. <mark style="color:$danger;">**SHOULDNT**</mark>
3. Make sure to include also the square brackets.
4. On the website, paste your vote account in the **Vote Account Public Key** field.
5. The website will confirm your node's identity withdrawer.

<figure><img src="/files/OBUxQeA2ZWzAkpRmeteS" alt=""><figcaption></figcaption></figure>

### 10. Connect Ledger wallet to Backpack

1. Connect Ledger to Backpack.
2. Look for your withdrawer address if you previously created it, or use a new address.

**Make sure that the derivation path matches**:

* If your key path is \`usb://ledger\` → look for \`m/44'/501'\`
* If it's \`usb://ledger/?key=0/0\` → look for \`m/44'/501'/x'/0'/0'\`

### 11. Update Withdraw Authority of vote account

1. Press the **Update** button next to **Withdraw Authority**.
2. Insert the Ledger address for the new withdraw authority.
3. Confirm the change.

### 12. Update Stake Authority

1. Press the SOL amount to view each stake.
2. Ensure the stake authority matches the withdraw authority to be able to update it.
3. Press **Update** and insert the Ledger address to assign it as the new authority.

### Conclusion

By moving your withdraw authority to a Ledger hardware wallet, you significantly reduce the risk of losing your rewards or stake to an attacker. Even if your validator server is compromised, no funds can be withdrawn without your physical approval on the Ledger. This approach ensures your X1 validator remains secure, reliable, and trusted by delegators.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.x1.xyz/validating/mainnet-preparation/secure-validator-with-a-ledger-hw-wallet.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.