Skip to main content

Step 2: Set up baker accounts

In this section you use the Octez client to set up three accounts for your baker:

  • The baker key itself (also called the manager key) registers as a delegate, manages the baker's stake, participates in governance, and manages so-called auxiliary keys (consensus keys and companion keys).
  • The consensus key is the key that the baker uses to sign consensus operations (preattestations and attestations) and blocks.
  • The DAL companion key is the key that the DAL node uses to sign DAL data attestations.

Why set up a consensus key?

Using a separate consensus key is not required but it is good security practice, because it enforces separation of concerns. Signing consensus operations incurs no fees, so you can set up a consensus key with no tez. You can generate and use this key on a remote machine that runs the baker and keep the baker key with your staked tez in a more secure location to reduce risk to your funds. This prevents you from having to move private keys between machines, which is inherently dangerous.

If the consensus key is compromised or lost, you can create a new consensus key and switch the baker to it without changing how your tez is staked and delegated and without moving your delegators and stakers to a new account. In this way you can avoid transferring or backing up the consensus key or you can store it in a Key Management System (KMS) or Hardware Security Module (HSM) where no one has access to its private key.

You must still take care to protect the consensus key. The active consensus key can be used to drain the spendable tez balance from the baker key. Also, a compromised consensus key may be misused for double baking, which is punished by slashing funds. For these reasons, you must keep the consensus key secure like all other keys. If your consensus key is compromised (or you suspect it might be), rotate it immediately as described in Changing the consensus key. Because the activation delay for a new consensus key is shorter than the unstaking delay, you can change the consensus key before a malicious user can use the compromised key to drain the staked funds.

In general, it is a good practice to rotate consensus keys often, and bakers are advised to systematically rotate consensus keys when performing a substantial unstake operation.

Consensus keys also allow you to deploy a replacement baker setup quickly if your main baker setup fails and you cannot access it. For example, if you are traveling when your baker setup fails and you don't have quick access to the physical hardware or signer, you can switch consensus keys and deploy a new server in the cloud to run until you have physical access to the server.

For more information about consensus keys, see Consensus key in the Octez documentation.

Aggregated attestations

Starting with protocol Tallinn, bakers can be more efficient by aggregating attestations from different bakers into a single operation. To take advantage of aggregated attestations, the key that bakers sign attestations with (the consensus key, or if a consensus key is not used, the baker key) must be a tz4 key, which is generated with the BLS signature scheme.

To generate a tz4 key, pass the argument -s bls to the Octez client, as in this code:

octez-client gen keys my_consensus -s bls

Why set up a DAL companion key?

A DAL companion key is required if you are using a tz4 consensus key. If you are not using a tz4 consensus key, using a DAL companion key is not required but, like using a consensus key, it allows the DAL node to aggregate attestations to make them more efficient.

DAL companion keys must be tz4 keys, generated with the argument -s bls, as in this example:

octez-client gen keys my_companion -s bls

The DAL companion key does not need any tez to oprate and cannot drain funds from the baker key.

For more information about companion keys, see Companion key in the Octez documentation.

Creating the accounts

In this section, you use the Octez client to create these accounts and set them up for baking.

  1. Create or import an account in the Octez client to be the baker account (sometimes called the "manager" account). The simplest way to get an account is to use the Octez client to randomly generate an account. This command creates an account and associates it with the my_baker alias:

    octez-client gen keys my_baker

    If you do not intend to use a consensus key, pass the -s bls argument to generate a tz4 baker key:

    octez-client gen keys my_baker -s bls

    You can get the address of the generated account with this command:

    octez-client show address my_baker

    You can check the liquid balance of the account with this command:

    octez-client get balance for my_baker

  2. Ensure your account has at least 6,000 tez to stake, plus a small liquid amount for transaction fees.

    If you are using a testnet and need more tez, you can get tez from the testnet faucet. For example, if you are using Shadownet, use the Shadownet faucet linked from https://teztnets.com/shadownet-about to send tez to the baker account.

    Running a baker requires staking at least 6,000 tez, but the more tez it stakes, the more rights it gets and the less time it has to wait to produce blocks and make attestations. However, be aware that getting large amounts of tez from the faucet may take a long time (sometimes more than one hour) to prevent abuse of the faucet. Consequently, some large requests may time out or fail and need to be resubmitted.

    When the account receives its tez, it owns enough stake to bake but has still no consensus or DAL rights because it has not declared its intention to become a baker.

  3. (Recommended) Set up a separate account to be the consensus key. This command creates an account and associates it with the consensus_key alias:

    octez-client gen keys consensus_key -s bls

    The consensus key does not need any tez.

  4. (Recommended) Set up a separate account to be the DAL companion key. This command creates an account and associates it with the companion_key alias:

    octez-client gen keys companion_key -s bls

    The companion key does not need any tez.

  5. Register the baker account as a delegate and set its consensus key and DAL companion keys (if you want to use them) by running the following command:

    octez-client register key my_baker as delegate --consensus-key consensus_key --companion-key companion_key

    If you are not using a consensus key and/or a companion key, omit the --consensus-key and/or --companion-key arguments.

  6. Stake at least 6,000 tez with the account, saving a small liquid amount for transaction fees. Staked tez is temporarily frozen and cannot be spent, so you need some unstaked tez to pay transaction fees.

    Pass the amount to the stake command, as in this example:

    octez-client stake 6000 for my_baker

    You can check how much you have staked by running this command:

    octez-client get staked balance for my_baker

    You can also check the full balance of the account (staked + non-staked) with this command:

    octez-client get full balance for my_baker

Now the baker account has staked enough tez to earn the right to make attestations, including attestations that data is available on the DAL. If you set up a consensus key, that key is authorized to sign consensus operations on behalf of the baker account. However, the accounts do not receive these rights until a certain amount of time has passed.

While you wait for attestation rights, continue to Step 3: Run an Octez DAL node.

Last updated on