Secure validator with HW wallet

Step 1 — Check your current vote account (server)

On your server:

solana show-vote-account <VOTE_PUBKEY>

Confirm the Withdraw Authority matches the id.json key you plan to replace.

Verify the pubkey of id.json:

solana-keygen pubkey ~/.config/solana/id.json

This ensures you’re confirming the correct id.json key before updating its withdraw authority.

Step 2 — Get your Ledger’s public key (on your computer)

Plug in your Ledger, open the Solana app, and run:

solana-keygen pubkey "usb://ledger?key=0/0"

Copy the output — this is your Ledger withdraw authority address:

<LEDGER_PUBKEY>

You only need the public key. No Ledger connection is required on the server.

Step 3 — Set your RPC cluster (server)

Example for X1 testnet:

Step 4 — Change the withdraw authority (server)

Run this on the server:

• Signs with your current withdraw authority (id.json)

• Assigns your Ledger as the new withdraw authority

• Pays the transaction fee from the same account

You are changing who can withdraw rewards. Validator operations are unaffected.

Step 5 — Verify on-chain (server or computer)

You should see:

Step 6 — Back up and clean up (server)

🔐 Back up id.json safely

Create a structured backup and store it in your password manager or encrypted vault:

If you’re on macOS:

🔒 Tighten permissions

This ensures only your current Linux user can access key files — protecting against accidental leaks or unauthorized reads.

Final State

Troubleshooting

• “insufficient funds for fee” id.json has 0 balance. Send a small amount of testnet XNT to it before retrying.

• “Signature verification failed” id.json is not the current withdraw authority for this vote account, or you’re pointed at the wrong cluster.

• “This account may not be used to pay transaction fees” You tried to use a restricted account (e.g., validator identity) as fee-payer. Use a normal wallet or id.json itself.