Baking on Mainnet

ℹ️ System Requirements

  • OS: Ubuntu 22.04+, Debian 12+, or macOS (other Linux distributions may work but are untested)
  • Hardware: See Hardware Requirements
  • Windows is not supported

Prerequisites

  • Ubuntu 22.04+, Debian 12+, or macOS — server or desktop with SSH access (Linux recommended for production)
  • Minimum 6000 XTZ for staking as security deposit (or 1000 XTZ with external stakers/delegators — see staking table below)
  • TezSign device for consensus and companion signing, plus a Ledger or other manager wallet for funds, staking, governance, and registering key changes
  • Hardware meeting minimum specs: 3 CPU cores, 8GB RAM + 8GB swap, 256GB SSD, reliable broadband

Table of Contents

  1. Preparation
  2. Installation (All-in-one)
  3. Installation (Advanced)
  4. Related Guides

Installation Checklist & Time Estimates

Step Estimated Time
System setup (Ubuntu, user, firewall) 15-30 min
Install TezBake ~2 min
Setup node + DAL ~5 min
Bootstrap node 30 min - 3 hours (depends on internet)
Wait for sync 5-30 min after bootstrap
Import keys ~10 min
Register as baker ~5 min
Stake XTZ ~5 min
Total active work ~1-4 hours

ℹ️ INFO: After registration, it takes up to 2 cycles (~2 days) before you receive your first baking rights.

Preparation

Installing TezBake and using it to setup your Tezos baker is very simple. You will need the following tools:

  1. Spare computer or existing computer with Linux installed. The recommended requirements are provided by Nomadic Labs
    • 3 CPU cores (arm64 or amd64/x86-64 architectures) – 2 are needed by the Octez node and 1 is needed by the Octez baker;
    • 8GB RAM + 8GB swap (or 16GB RAM);
    • 256GB SSD storage (or similar I/O performance);
    • a low-latency, reliable broadband internet connection.
  2. Ledger Nano S Plus or Nano X hardware wallet with Tezos Wallet app installed. This remains your manager wallet for funds, staking, voting, and changing baking parameters.

    ℹ️ INFO: You must use Ledger Live to install the Tezos Wallet app on your device.

  3. TezSign remote signer device - A purpose-built hardware signer for Tezos baking, based on affordable single-board computers like Raspberry Pi Zero 2W (~$20-30 in hardware). Connects via USB to your baking node and is designed to do one thing perfectly: sign baking operations securely. TezSign supports tz4 signatures required by modern Tezos protocols, which Ledger devices no longer support for baking. Unlike a general-purpose Ledger wallet, TezSign can remain connected 24/7 dedicated solely to baking. TezSign hardware and flashing details

    ℹ️ INFO: Baking with a Ledger is no longer recommended for new bakers. It’s still possible to bake with the Ledger but we recommend you implement TezSign right away.

    After generating keys on TezSign, back up the tezsign folder from the Linux-only data partition. See Back Up and Restore TezSign Data.

DAL Included by Default

DAL is part of the standard TezBake baker setup. The command below installs and configures it with the node, baker, and signer.

If you intentionally need to run without a local DAL node, see Baking Without DAL. If you want DAL on another host or IP address, use Baking with Prism.

What is the DAL? The DAL acts like an overflow area for data, where large amounts of information can be kept available to the network without overloading the core blockchain. This means Tezos can safely handle far more transactions and complex operations, because the rollups can rely on the DAL to make their data available for everyone to verify.

Installation (All-in-one)

Download and install tezbake

To begin, run the script below, which will download the latest version of TezBake and copy it to your /usr/local/bin directory. This script works with both x86_64 and arm64 architectures.

wget -q https://bake.tez.capital/install -O /tmp/install.sh && sudo sh /tmp/install.sh
# you may be prompted for sudo password

Setup Tezos node, signer, DAL and install tezbake dependencies

tezbake setup --with-dal
# you may be prompted for sudo password

Bootstrap Tezos node

At this stage, it’s necessary to bootstrap your node, meaning to download a snapshot (copy) of the blockchain so you don’t have to synchronize block-by-block, which would take many hours or days. We use a “rolling” snapshot which contains recent blockchain history (suitable for baking) rather than the complete archive from genesis.

tezbake bootstrap-node <url> <block_hash>
# example:
tezbake bootstrap-node https://snapshots.tzinit.org/mainnet/rolling BL8Vq12HX6MJWkB6RLgQAYRKpKZ5fyMoLpWzAoQ6mh55gkKHiQU

Get the block hash and block level from the snapshot provider’s website: https://snapshots.eu.tzinit.org/mainnet/rolling.html

ℹ️ INFO: The <block_hash> argument is optional but encouraged for security verification. If you don’t want to bother with this protection, you can skip it for a faster bootstrap.

Verify the hash/checksum provided by the snapshot provider to ensure the snapshot is valid. You can find the correct hashes for all blocks on Tezos blockchain explorers such as: https://tzkt.io/blocks

Simply search for the block level in the search field and verify the hash of the block matches the hash provided by the snapshot provider.

Start Tezos node

After importing the snapshot, you need to start your node and wait until it’s fully synchronized before importing your signing keys.

tezbake start

After starting the node, run the following command over and over every few minutes and monitor the “level” displayed.

tezbake info

Understanding “Level”

The level is the current block height (block number) on the blockchain. To verify your node is synchronized:

  1. Check the level shown by tezbake info
  2. Compare it to the latest block on https://tzkt.io
  3. Once they match, your node is fully synced and you can proceed

ℹ️ INFO: Both blockchain explorers also provide Ghostnet and Testnet views. Make sure you’re looking at the correct network (mainnet).

Import baking keys and register as baker

Now that your node is in full sync, you can proceed with the most important part: (1) your baker parameters import into your baker node and (2) submit your baker registration on the blockchain.

You will have to first fund your baker address with enough tez (6000 minimum) to cover the bond requirement. You can do this by sending tez from your main account or exchange to the baker address.

Understanding Baker Key Roles

Before choosing your signing setup, it’s essential to understand the three key roles in Tezos baking — manager, consensus, and companion — and how they relate to each other. These apply to all baker setups, not just TezBake.

📖 See Baker Key Architecture for the full explanation, including the recommended Ledger + TezSign architecture, key lifecycle, registration process, and common misunderstandings.

Quick summary:

  • Manager key — Your permanent baker address. Controls funds, governance, and has sole authority to set/rotate consensus and companion keys.
  • Consensus key — Signs blocks and attestations. Defaults to the manager key; can be rotated to a separate key (e.g. TezSign tz4).
  • Companion keyMandatory when consensus key is tz4. Signs DAL payloads. Always a separate tz4 key.

⚠️ If your consensus key is tz4, a companion key is mandatory. Without it, your baker forfeits ~10% of baking rewards.

TezSign is the recommended signing path for mainnet baking. Your Ledger remains the manager key for funds, staking, governance, and registering key changes. TezSign holds the online consensus and companion keys that sign blocks, attestations, and DAL payloads.

1. Prepare the TezSign device

Use a Raspberry Pi Zero 2W or Radxa Zero 3W with a freshly flashed TezSign image. Connect the device to the baker host using the OTG/data USB port.

For hardware choices, SD card recommendations, image flashing, and correct USB ports, see TezSign Hardware and Flashing.

2. Enable USB access

Install the TezSign udev rules and add your user to the required group:

curl -fsSL https://raw.githubusercontent.com/tez-capital/tezsign/refs/heads/main/tools/add_udev_rules.sh | sudo bash
sudo usermod -aG plugdev $USER

Ubuntu username note: Ubuntu does not allow capital letters in usernames.

Log out and log back in so the group membership takes effect.

3. Initialize the TezBake TezSign platform

This creates the TezSign signer configuration on the baker host:

tezbake setup-tezsign --init --platform
4. Initialize TezSign and generate keys

Initialize the TezSign device:

tezbake tezsign init

You will be prompted to set the TezSign master/key decryption password. Save this password somewhere safe. It cannot be changed later, and the TezSign backup is not useful without it.

Generate the consensus and companion keys directly on the TezSign device:

tezbake tezsign new consensus companion

The consensus key signs blocks and attestations. The companion key signs DAL payloads. Both are required for tz4/BLS baking.

5. Back up the TezSign data

Before relying on the TezSign device for production baking, back up the whole tezsign folder from the Linux-only data partition and restore it to at least two TezSign-flashed backup SD cards:

Back Up and Restore TezSign Data

This is not required to get a first baker running, but it is required for sane recovery.

6. Import TezSign keys into TezBake

For the recommended Ledger-manager + TezSign-consensus setup, import the TezSign consensus key through the local baker alias and the DAL companion key through companion:

tezbake setup-tezsign --import-key=consensus --key-alias=baker
tezbake setup-tezsign --import-key=companion --key-alias=companion

Tell the baker to load the DAL companion key in addition to the default baker key:

tezbake node modify --set configuration.additional_key_aliases '["companion"]'
tezbake upgrade

Verify the alias configuration:

tezbake node show configuration.additional_key_aliases
tezbake info --dal

The expected configuration.additional_key_aliases value is ["companion"]. The consensus key is already loaded through the default baker alias.

7. Get public keys and proofs

To register TezSign keys on-chain, get the public keys and proofs of possession:

tezbake tezsign status --full

Copy the BLpk... public key and proof of possession for both consensus and companion.

8. Register consensus and companion keys on TezGov

Use TezGov with your manager Ledger:

  1. Connect with the Ledger that controls your baker manager address.
  2. Open Baker Management -> Keys.
  3. Set the consensus key using the TezSign consensus BLpk... and proof of possession.
  4. Set the companion key using the TezSign companion BLpk... and proof of possession.
  5. Confirm the operation on your Ledger.

Both keys activate after 3 cycles. Your old signing setup remains active until the new keys take over. Do not remove or disable the old active signing setup during the activation window.

Monitor activation at:

https://tzkt.io/<your_manager_address>/secondary-keys
9. Unlock and verify

After the TezSign keys are active, unlock them:

tezbake tezsign unlock

Check TezSign status and overall baker status:

tezbake tezsign status
tezbake info
tezbake info --dal

If the baker log says a tz4 consensus key “has not been provided to the baker,” recheck the --key-alias imports and configuration.additional_key_aliases.

For TezSign backup, failover, or migration, you can set the high-watermark level for each TezSign signing alias before the backup signs again:

tezbake tezsign advanced set-level consensus <level>
tezbake tezsign advanced set-level companion <level>

Use the current chain level, or current level plus a small safety margin during failover. Replace consensus or companion if your TezSign device uses different key aliases.

The options below are retained for compatibility and testing. New mainnet bakers should use the TezSign path above.

(Option 2 - DEPRECATED) Import Ledger key to TezBake signer

ℹ️ INFO: Baking with a Ledger is no longer recommended for new bakers. TezSign is the preferred signing solution. These instructions remain for existing Ledger bakers.

Derivation Path

The derivation path controls which key on your Ledger is used for baking. You can specify any supported curve and path:

Path Curve Notes
P-256/0h/0h tz3 Recommended — faster signing
ed25519/0h/0h tz1 Default — slower, widely supported
secp256k1/0h/0h tz2 Alternative — faster than ed25519

💡 TIP: P-256 and secp256k1 offer faster signing than ed25519. If you’re setting up a new baker, use P-256. If you’re migrating an existing baker, keep the same curve you’ve been using.

Using a non-default derivation path adds an extra layer of security but also complexity. Make sure your choice is clearly documented for your own records. To find out which key a given path corresponds to, go to https://gov.tez.capital and log in with Ledger — it shows the address for the default path.

Importing the Key

Make sure your Ledger has the Tezos Baking app open before running this command.

tezbake setup-ledger --platform --import-key="P-256/0h/0h" --authorize --hwm 1

The Ledger will ask you twice to confirm the operation. Check that the baker address shown on the Ledger screen is the one you intend to use.

💡 TIP: If you’re importing for the second time after a failed attempt, add --force to override the previous import.

⚠️ Ledger Baking App Behavior

  • The Ledger must stay on the Tezos Baking app at all times while baking
  • The screensaver activating is normal — baking continues
  • Do NOT open Ledger Live while baking — it will disconnect the signer
  • To vote or transfer funds, stop the baker first, switch apps, then switch back
High Watermark (HWM)

The --hwm 1 flag sets the High Watermark — a security counter stored on the Ledger that records the highest block level it has ever signed. The Ledger refuses to sign any block at or below this level, which prevents accidentally signing the same block twice.

  • New baker / new device: Use --hwm 1 (the default command above is safe).
  • Existing baker returning after a break: Set --hwm to the current block height to prevent signing any historical blocks. You can find the current level at https://tzkt.io.
  • Migrating from mainnet to testnet: Testnet block levels usually start at 1, which is below a mainnet HWM of millions. Use a testnet-specific device, never reuse a mainnet device.

💡 TIP: The HWM is device-specific. Each Ledger maintains its own watermark independently.

Verification

After importing, confirm the key was imported successfully:

tezbake info

Look for your baker address in the output. If it appears and the signer status shows as connected, the import was successful. See Monitoring Logs and Status for a full explanation of the tezbake info output.

⚠️ Double Baking Prevention

🚨 CRITICAL: Double Baking

What is Double Baking? Running two bakers with the same key on the same network simultaneously. This means your key signs conflicting blocks or attestations, which is treated as a malicious attack. The protocol detects this and slashes (confiscates) your staked tez as punishment. See Slashing Explained for penalty details.

Critical Rules:

  • Never run two bakers with the same key — even briefly, even on different machines
  • Never use your TezSign backup device to bake — backup devices are only for emergency failover
  • Always use separate devices for testnet — never reuse a mainnet Ledger or TezSign on a testnet
  • Always use separate computers per network — one machine for mainnet, a different machine for testnet
  • The HWM helps prevent accidental double baking, but careful operational procedures are your primary defense

(Option 3 - INSECURE) Import Soft key to TezBake node

⚠️ WARNING: Companion Key is Mandatory

When using a tz4 (BLS) key as your manager/consensus key, you must also register a separate tz4 companion key. See the key roles overview above for details.

ℹ️ In this soft key setup: the baker key is your manager address AND your initial consensus key — both roles live at the same tz4 address. There is no separate hardware device; both keys are unencrypted files on disk.

Step 1 — Generate the baker key (this becomes your manager address AND initial consensus key):

tezbake setup-soft-wallet --generate bls --key-alias baker

Step 2 — Generate the companion key:

tezbake setup-soft-wallet --generate bls --key-alias companion

💾 Backup both keys. You can retrieve each secret key with:

tezbake signer client show address baker --show-secret
tezbake signer client show address companion --show-secret

Store these in a secure, offline location. Never share them.

Step 3 — Get the public key (BLpk) and Proof of Possession (POP) for each key:

The POP is a cryptographic proof that you own the private key. It is required when registering tz4 keys on-chain.

tezbake signer client show address baker
tezbake signer client get proof of possession for baker

tezbake signer client show address companion
tezbake signer client get proof of possession for companion

Note the BLpk... public key and POP output for both keys — you will need them in the next step.

Step 4 — Register the consensus and companion keys:

  1. Go to gov.tez.capital and connect with your baker’s manager key (Ledger Wallet app)
  2. Navigate to Baker Management → Keys
  3. Set your Consensus Key: paste the BLpk... public key and POP for baker
  4. Set your Companion Key: paste the BLpk... public key and POP for companion
  5. Confirm both operations on your Ledger

Option B: CLI

tezbake signer client set consensus key for baker to baker
tezbake signer client set companion key for baker to companion

⏱️ Activation: Both keys take effect after 3 cycles (~3 days). Monitor activation at: https://tzkt.io/<your_baker_address>/secondary-keys

Step 5 — Add the companion key alias to the baker configuration:

tezbake node modify --set configuration.additional_key_aliases '["companion"]'
tezbake upgrade

Verify it was set:

tezbake node show configuration.additional_key_aliases

Register as baker on the Tezos Mainnet

For this step your node level must be synced with the latest block on the blockchain explorer. You must also temporarily open your Ledger Tezos Wallet app to register your key as a baker (note: as well as when voting). For all other baker operations, you must use the Tezos Baking app.

Using TezGov

Use the Become a Baker button on the https://gov.tez.capital portal.

tezbake register-key

ℹ️ When Registration is Required:

You must register your baker if:

  • You’re setting up a new baker (first time)
  • Your baker has been inactive for over 2 cycles (~2 days)
  • Your baking rights have stopped appearing in the schedule

You do NOT need to register if your baker has been inactive for less than 2 cycles (~2 days). Check your baking rights schedule to confirm if re-registration is needed.

Stake your baking XTZ security deposit

To bake on the Tezos network, you need to stake your XTZ security deposit. This is a slashable security deposit that you will get back when you stop baking.

Staking Requirements:

The minimum bond to get baking rights is 6000 XTZ. However, you have several options to meet this requirement:

Your XTZ From Stakers From Delegators Notes
6000+ 0 0 Simplest - full self-stake
1000 5000 0 Requires 5X multiplier
1000 0 15,000 Pure delegation model
1000 2000 9000 Mixed approach

How delegation weight works:

  • Your stake + Stakers: Each XTZ counts as 1.0 toward the requirement
  • Delegators: Each XTZ counts as ≈0.33 (1/3) toward the requirement
  • Formula: (Your XTZ + Staker XTZ) + (Delegator XTZ × 0.33) ≥ 6000

Example calculations:

  • 1000 (self) + 5000 (stakers) = 6000 ✓
  • 1000 (self) + (15,000 delegators × 0.33) = 1000 + 5000 = 6000 ✓
  • 1000 (self) + 2000 (stakers) + (9000 delegators × 0.33) = 1000 + 2000 + 3000 = 6000 ✓

Using TezGov to stake

Use the Stake button on the https://gov.tez.capital portal.

You can stake your security deposit by running the following command, after opening your Ledger Tezos Wallet app:

tezbake signer client stake 6000 for baker

Import your DAL attester profile

Your baker needs to register as a DAL attester to participate in the Data Availability Layer. This tells the network which DAL node to use for your baker.

tezbake update-dal-profiles --auto
# If for some reason the auto method is not working, use the command below to bypass it.
tezbake update-dal-profiles <your-baker-address> --force

ℹ️ INFO: Use your baker address here. In the recommended TezSign setup, this is usually your manager address (tz1, tz2, or tz3), not your TezSign consensus key or companion key. Soft-key test setups may use a tz4 baker address.

Verify both DAL profile and companion-key wiring:

tezbake info --dal
tezbake node show configuration.additional_key_aliases

For the recommended TezSign setup above, additional_key_aliases should include companion. If the baker log says the active tz4 consensus key “has not been provided to the baker,” return to the TezSign alias configuration step and make sure the imported aliases match the aliases TezBake is loading.

Baker Per-Block Votes

Per-block voting is separate from protocol amendment voting on TezGov.

Use the supported TezBake command path for the Liquidity Baking vote:

tezbake node modify configuration.VOTE_FILE.liquidity_baking_toggle_vote pass

Accepted values: on, off, pass.

Verify current value:

tezbake node show configuration.VOTE_FILE.liquidity_baking_toggle_vote

If you need to apply node config changes immediately:

tezbake upgrade --node

If your vote file is already correct, no restart/apply is required just to keep baking with that vote.

For details, see Per-Block Votes.

Installation (Advanced)

You can install different TezBake components on different systems. For example, you can have the Signer, Node and DAL on 3 different machines, all communicating together.

Follow the steps in Baking with Prism

As with everything in life, complexity adds more failure points. Only separate the TezBake components if you have a compelling use case.

What’s Next

Your baker is running! Here’s what to set up next:

  1. Monitor your baker — Track sync status and performance
  2. Set up TezWatch alerts — Get notified about missed attestations
  3. Configure TezPay — Automate delegator payouts
  4. Install TezPeak dashboard — Visual monitoring interface
  5. Set up TezGov — Participate in governance
  6. Review best practices — Security, UPS, monitoring

TezSign Follow-Up KBs

These are not all required to get your first baker running, but you should not skip them. Do them after your baker is online and stable.

Next Steps:

Advanced Configurations:

Troubleshooting:

Any questions/comments/concerns? Please contact the Tez Capital team on Discord or Telegram