Secure validator with a Ledger HW wallet

Depending on your X1 validator method, there are different ways to secure your node with a Ledger wallet. This guide focuses on ensuring security through the use of standard CLI commands. If you installed a validator with the X1 Console by Blackbeard, follow the instructions presented in the video.

If you created a validator by following the official X1 documentation and you run on Linux, then the below guide is for you.

1. Install Tachyon (X1 Client) and Solana tools on your local machine

Install the validator from the official X1 documentation

Clone the Tachyon repository:

git clone https://github.com/x1-labs/tachyon.git

Update your PATH environment variable:

export PATH=$PATH:$(pwd)/target/release
echo "export PATH=$PATH:$(pwd)/target/release" >> ~/.bashrc

Verify the installation:

solana --version
tachyon-validator --version

If you see the versions listed below, the installation was successful:

solana-cli 2.2.17 (src:00000000; feat:607245837, client:Tachyon) tachyon-validator 2.2.17 (src:00000000; feat:2908148756, client:Tachyon)

2. Prepare Your Ledger

Install Ledger Live:

• Install and run once to set up firmware updates.

• Close Ledger Live before using CLI.

Install the Solana App on Ledger:

• Ledger Live → Manager → Search "Solana" → Install.

!!!If linux is run on mac (virtualbox): Connect Ledger to Linux terminal:

For mac: open terminal, then command:

Open the Solana app on Ledger — display should read:

Application is ready

3. Get Your Ledger Public Key

# First attempt may error

Example output:

Ge31BtSCzr6UDTgzv9sEFta4RpzAAfKe9rZi1RPe1v63

This is your new Ledger withdraw authority public key.

4. Backup Old Withdraw Authority

Run on your local machine (not the validator):

Or copy the private key manually to a new location on your local machine:

This lets you sign transactions that require both old and new withdraw authority during the changeover.

5. Change Vote Account Withdraw Authority to Ledger

Run this command on your local machine with Ledger attached and ready to sign:

6. Change Stake Account Withdraw Authority to Ledger

View your stake accounts:

Change the withdraw authority (repeat for each stake account):

7. Withdrawing with Ledger

Command:

You must physically approve each transaction on the Ledger each time.

8. Security Best Practices

• Never store the withdraw authority key on the validator.

• Keep identity.json on the server, but limit funds.

• Regularly update and patch the server.

• Enable firewall & SSH key authentication only. Follow the X1 validator node security guide

• Backup withdrawer.json and store the Ledger safely.

Securing your X1 validator with Ledger and a wallet management tool

The wallet management tool by xen_artist provides an easy way of updating the withdrawer authority and managing stakes. The tool works with the Backpack wallet and the Ledger hardware wallet.

9. Connect Backpack to the wallet manager

1. Download Backpack. (LINK)

2. Import your withdrawer (most likely `id.json`) private key to the wallet. SHOULDNT

3. Make sure to include also the square brackets.

4. On the website, paste your vote account in the Vote Account Public Key field.

5. The website will confirm your node's identity withdrawer.

10. Connect Ledger wallet to Backpack

1. Connect Ledger to Backpack.

2. Look for your withdrawer address if you previously created it, or use a new address.

Make sure that the derivation path matches:

• If your key path is `usb://ledger` → look for `m/44'/501'`

• If it's `usb://ledger/?key=0/0` → look for `m/44'/501'/x'/0'/0'`

11. Update Withdraw Authority of vote account

1. Press the Update button next to Withdraw Authority.

2. Insert the Ledger address for the new withdraw authority.

3. Confirm the change.

12. Update Stake Authority

1. Press the SOL amount to view each stake.

2. Ensure the stake authority matches the withdraw authority to be able to update it.

3. Press Update and insert the Ledger address to assign it as the new authority.

Conclusion

By moving your withdraw authority to a Ledger hardware wallet, you significantly reduce the risk of losing your rewards or stake to an attacker. Even if your validator server is compromised, no funds can be withdrawn without your physical approval on the Ledger. This approach ensures your X1 validator remains secure, reliable, and trusted by delegators.