AI Agent OSGuarded mainnet beta. .rama identity, smart wallets, sponsored gas, permissions and scheduling are available for controlled testing.Open Agent OS
Learning center

Validators

Validator Key Security

Protect validator and operational keys with separation of duties, hardware-backed storage and documented access controls.

In this guide

Practical outcomes

  • Separate key roles
  • Protect signing material
  • Prepare key rotation

How this works in practice

Protect validator and operational keys with separation of duties, hardware-backed storage and documented access controls.

Validator operations rely on separate but connected layers: Bor must execute and produce blocks, Heimdall must coordinate validator state and spans, and the checkpoint path must submit and acknowledge commitments on schedule.

Implementation sequence

Turn the topic into a controlled implementation rather than a one-off transaction. Each step below should leave evidence a teammate, user or auditor can independently review.

  1. 01. Separate key roles. Define the expected result, capture the relevant onchain or operational evidence, and stop for review if the result differs from the plan.
  2. 02. Protect signing material. Define the expected result, capture the relevant onchain or operational evidence, and stop for review if the result differs from the plan.
  3. 03. Prepare key rotation. Define the expected result, capture the relevant onchain or operational evidence, and stop for review if the result differs from the plan.

Evidence to retain

When investigating an incident, capture block height, sync state, peers, relevant process logs, checkpoint age, transaction hashes and the exact time window before restarting anything.

Control point

Use scoped recovery. A delayed checkpoint does not automatically justify restarting unrelated services. Classify the fault first, protect keys and state, then make the smallest change that restores the affected path.

Related guides