Asentum

Run a Node

Validator Key Backup

How to survive losing a box · Estimated read time: 5 minutes

TL;DR

Your validator has two different keys doing two different jobs: the operator key (your wallet) and the validator signing key (used for consensus). Back up the operator key. Do not try to "back up" the signing key in a way that lets you run it on two machines — that's a double-sign and ends your validator permanently.

Two different keys

  • Operator key — a regular Dilithium3 wallet keypair. Holds your ASE, sends transactions, bonds stake, collects rewards. This is what you back up with a recovery phrase.
  • Validator signing key — a separate Dilithium3 keypair bound to your validator slot. Signs pre-votes, pre-commits, and block proposals. Must only exist on one machine at a time, ever.

Separating them is the point. You can hot-swap or evacuate your operator key for rewards without ever risking the signing key, which is the one that gets you slashed if it's on two machines at once.

What to back up

  • Operator recovery phrase — your wallet. Keep offline, duplicated, in different physical locations. See Recovery Phrases.
  • Validator pubkey — not secret. Write it down anyway so you can verify on-chain that a new machine is still running your identity.
  • Chain state — optional. Useful for faster recovery but not required; a fresh box can re-sync from peers.

How to back up

From the desktop app: Settings → Back up wallet → Show recovery phrase. Write the 24 words down on paper. Store in at least two physically separate locations (home + safe deposit, for example).

From the CLI:

asentum account export-phrase

Never email, screenshot, or paste your phrase into a cloud service.

Restoring after a loss

Box died, disk fried, you lost the machine — here's what happens:

  1. Confirm the old machine is truly dead — not just "seems down." Running two signers is how you get slashed.
  2. Provision a new box and install Asentum (VPS, CLI, or desktop).
  3. Restore the operator key from recovery phrase. Your ASE and stake are already on-chain — no migration needed.
  4. Generate a new validator signing key on the new machine.
  5. Rotate your validator signing key on-chain via a rotateKey transaction signed by your operator wallet.

You stay in the active set — you just sign with a different key starting at the rotation block. The old signing key stays tombstone-safe because it's no longer associated with your validator.

What NOT to do

  • Don't run two signers at once. Not for failover, not for "high availability," not even briefly. The chain will detect it and slash.
  • Don't back up the signing key for hot restore. If a machine dies, generate a new signing key and rotate — don't resurrect the old one onto a new box.
  • Don't store the recovery phrase digitally. No iCloud Notes, no password manager, no screenshot. Paper, engraved metal, memorized — that's it.
  • Don't skip the backup. The single most common cause of lost funds in crypto is "I was going to back it up later."

Read next

Use the Network

Recovery Phrases →

Run a Node

Slashing Risks →