Baking with Consensus Key

⚠️ WARNING: tz4/BLS Signing Requirements

tz4/BLS signing migration now requires both a Consensus Key AND a Companion Key.

Key Points:

  • Bakers must set their new consensus and companion keys together when first changing to tz4 signing
  • Later, you can rotate just your consensus key if desired
  • The companion key is mandatory for tz4 BLS signing (handles DAL-related duties)
  • When you see “companion,” think “DAL”
  • Consensus and companion always go together

In Practice:

When activating a Consensus Key, you must also have a Companion Key activated. Both keys are used together for baking simultaneously.

ℹ️ INFO - Video Outdated: The steps below have been updated, but the video does not include the “Companion Key” step which is now mandatory. Follow the written instructions to set both your consensus key and companion key.

ℹ️ INFO - tz1-3 Users: If you are baking with a tz1-3 key, you do NOT need a companion key. All instructions below assume tz4 consensus + companion. If using an old tz1-3 key, simply omit the companion key steps.

Follow along on Youtube!

Table of Contents

  1. Preparation
  2. BLS/tz4 Consensus and Companion key setup
  3. PRE-BLS (DEPRECATED) Ledger Consensus key setup
  4. Reverting from tz4/BLS back to tz1/tz3 keys

Prerequisites

Preparation

For this tutorial, you’ll need to have already followed one of the following tutorials:

A Tezos consensus key is a cryptographic key specifically used for signing blocks and consensus operations (attesting blocks) in the Tezos blockchain. Introduced to improve security and operational flexibility, it allows bakers (validators) to delegate block-signing responsibilities to a different key than the one associated with their primary baking account.

A Tezos companion key was not necessary to use in the tz1-tz3 address era. With the introduction of tz4 or BLS consensus signing (aggregating signatures), it is now necessary to use a separate companion key, in addition to the separate consensus key to validate blocks in the tz4 era. Both the consensus key and the companion key bake together at the same time. The consensus key works with the consensus and the companion key works with the DAL.

This separation of roles is useful for reducing the exposure of the primary baker key (which holds funds and has broader permissions) by isolating consensus-related tasks to a different key. If compromised, only the consensus operations are affected, not the funds held by the baker’s main account.

🚨 CRITICAL: Key Compromise Risks

If Consensus Key is Compromised:

  • Attacker can sign blocks and endorse operations
  • Attacker can maliciously double-bake or double-attest on your behalf, slashing your funds. See Slashing Explained
  • Attacker can transfer all baker funds NOT locked/staked in the security deposit using the drain operation

Protection Measures:

  • Lock/stake ALL baking funds in the security deposit to eliminate drain risk
  • Rotate the consensus key before stopping baking operations and unstaking the security deposit

If Companion Key is Compromised:

  • Attacker can cost you 10% of your baking income due to DAL penalties

BLS/tz4 Consensus and Companion key setup

Recommended Architecture: Ledger (manager) + TezSign (consensus + companion)

The recommended baker setup separates key responsibilities across two hardware devices:

Device Role Key type Used for
Ledger Manager key tz1/tz2/tz3 Funds, governance, staking, registering/rotating consensus and companion keys. Used occasionally — stays cold.
TezSign Consensus key tz4 (BLS) Signs every block and attestation. Online 24/7.
TezSign Companion key tz4 (BLS) Signs DAL content in attestations. Online 24/7. Required when consensus key is tz4.

Why this separation matters:

  • Your funds are never on the hot signing path. TezSign cannot transfer your tez — only the manager key (Ledger) can do that.
  • If TezSign is compromised, an attacker can cause double-signing penalties but cannot drain your wallet. Rotate the consensus key from TezGov immediately using your Ledger.
  • The Ledger is what you connect with in TezGov to register your TezSign keys on-chain. After that, it only comes out for governance votes, staking changes, or key rotations.

⚠️ The companion key is mandatory when your consensus key is tz4. Both must be registered together. Without the companion key, your baker will attest without DAL payloads and forfeit ~10% of baking rewards.

ℹ️ The manager always controls consensus. The manager key has sole authority to set or change the consensus and companion keys. The consensus key can sign blocks on the manager’s behalf, but it cannot change its own registration.

Setup Steps

Step 1 — Follow the TezSign guide to generate your consensus and companion keys on the device:

Baking with TezSign

Step 2 — Register the keys on-chain using TezGov (recommended):

  1. Connect to gov.tez.capital with your Ledger (manager key, Tezos Wallet app)
  2. Navigate to Baker Management → Keys
  3. Set your Consensus Key: paste the BLpk... public key and Proof of Possession (PoP) from tezbake tezsign status --full
  4. Set your Companion Key: paste the BLpk... public key and PoP for the companion
  5. Confirm both operations on your Ledger

Step 3 — Wait 3 cycles (~3 days) for activation:

Monitor at https://tzkt.io/<your_manager_address>/secondary-keys

Once active, TezSign handles all block signing. Your Ledger is no longer needed for day-to-day baking operations.

PRE-BLS (DEPRECATED) Ledger Consensus key setup

Import the consensus key from a Ledger

Plug in your consensus key Ledger device and open the Tezos Baking app.

Run the following command to list the available Ledgers:

tezbake list-ledgers

Note the 4 word ID of the Ledger you want to use for the consensus key.

Run the following command to import the consensus key:

tezbake setup-ledger --platform --import-key="P-256/0h/0h" --authorize --ledger-id "apple-banana-coconut-date" --hwm 1 --key-alias=consensus

ℹ️ Configuration Notes:

  • Replace the --ledger-id value with the 4-word ID of the Ledger you want to use for the consensus key
  • We use the P-256 (tz3) curve for the consensus key because it’s the fastest on Ledger hardware and the most portable option for both on-premise and cloud hardware security modules (HSMs)
  • The consensus key is only used for signing blocks and attestations, so it doesn’t need to be the same curve as the baker key
  • Many bakers move from a tz1 key to a tz3 key for the consensus key to improve performance

This will import your consensus key Ledger device and authorize it for baking. Leave the baking app running on the Ledger device.

Modify the baking configuration

Add the consensus key alias so the baker knows to inject it alongside your default baker key:

tezbake node modify --set configuration.additional_key_aliases '["consensus"]'

You can verify it was set:

tezbake node show configuration.additional_key_aliases

📖 See Key Aliases for the full reference on managing key aliases, including the difference between additional_key_aliases and key_aliases.

Re-run the TezBake upgrade and merge your configuration when asked:

tezbake stop
tezbake upgrade
tezbake start

Register the consensus key

Get your consensus key public key hash:

cat /bake-buddy/node/data/.tezos-client/public_keys

The public key is the one in the key field.

ℹ️ Example: A public key for a tz3 address looks like: p2pk66fWs9UZ6T4nVTfHfV9PtuJje4xYBh2RVo4517a8VTj6Cny7ZXY

To register the consensus key, run the following command:

tezbake signer client set consensus key for baker to consensus

You can also set your consensus key on TezGov via https://gov.tez.capital.

The new consensus key will become effective after 3 cycles (~3 days). For example if you set your consensus key in cycle 1000, it will be effective in cycle 1003.

Once the consensus Ledger becomes effective, you can unplug your original Ledger device as it’s no longer needed for baking.

Confirm the consensus key is working

Once the consensus key becomes effective, you will see a change in the baking logs by showing the consensus key operating on blocks and attestations on behalf of the baker key.

Dec 18 05:14:26 bb baker[2428547]: Dec 18 05:14:26.449: injected attestation op5RtCGypnrri9FyYHy91haPWB6CpouxNABcgM7BSUmr81p27G4 for
Dec 18 05:14:26 bb baker[2428547]: Dec 18 05:14:26.449:   consensus (tz3P9WvzULMuss5iDk4tjNQYWkwSrLAjUuh7)
Dec 18 05:14:26 bb baker[2428547]: Dec 18 05:14:26.449:   on behalf of tz1S5WxdZR5f9NzsPXhr7L9L1vrEb5spZFur for level 7403648, round
Dec 18 05:14:26 bb baker[2428547]: Dec 18 05:14:26.449:   0

To view your baker logs, run the following command:

tezbake node log baker -f

Reverting from tz4/BLS Back to tz1/tz3 Keys

If you were baking with tz4 keys (via TezSign) and want to revert to a tz1/tz3 key (Ledger or soft key), follow these steps.

ℹ️ INFO: tz1/tz3 keys do not require a separate companion key. When reverting, you set both the consensus key and the companion key to the same tz1/tz3 address — this effectively removes the tz4 companion requirement.

1. Import your tz1/tz3 key into TezBake

If you previously removed your tz1/tz3 key, re-import it. For a Ledger key:

tezbake setup-ledger --platform --import-key="P-256/0h/0h" --authorize --hwm 1 --key-alias=consensus

Or for a soft key, import it under the appropriate alias.

2. Set both consensus and companion keys

You can do this via TezGov (recommended) or the CLI.

Go to gov.tez.capital → Baker Management.

Set both fields to your tz1/tz3 address:

  • Consensus key → your tz1/tz3 address
  • Companion key → the same tz1/tz3 address

Option B: CLI

Replace <tz1_alias> with the alias you imported your tz1/tz3 key under (e.g. consensus):

tezbake signer client set consensus key for baker to <tz1_alias>
tezbake signer client set companion key for baker to <tz1_alias>

Setting the companion key to the same tz1/tz3 address as the consensus key tells the protocol you are no longer using a separate tz4 companion.

3. Wait 3 cycles (~3 days) for activation

The new key assignment takes effect after 3 cycles. Monitor activation status:

  • On TzKT: https://tzkt.io/<your_tz1_address>/secondary-keys
  • Via CLI: tezbake info

4. Remove companion from additional_key_aliases

Once the new keys are active, remove the companion alias since it is no longer needed:

tezbake node modify --remove configuration.additional_key_aliases '"companion"'
tezbake upgrade

5. (Optional) Remove TezSign backend

If you switched to the direct TezSign backend, revert it:

  1. Open /bake-buddy/signer/app.json and remove the "BACKEND": "tezsign" line from the configuration block.
  2. Apply and restart:
tezbake upgrade --signer
tezbake stop --signer && tezbake start --signer

Any questions/comments/concerns? Please contact the Tez Capital team on Discord or Telegram