# Validator Security

## Sensitive material

Treat these as secrets:

- mnemonic
- `keyring.pass`
- `data/node/config/priv_validator_key.json`
- any Agent-side private key or heartbeat signing key if it is split from the validator account
- any imported mnemonic source file

Do not paste them into chat, public issues, or shared docs.

## Backups

Back up at least:

- `/opt/axon-node/keyring.pass`
- `/opt/axon-node/data/validator.address`
- `/opt/axon-node/data/validator.valoper`
- `/opt/axon-node/data/node/config/priv_validator_key.json`
- the mnemonic if the validator account was generated locally

Keep backups offline when possible.

## Double-sign prevention

- Never run the same validator signing key on two live machines at the same time.
- If moving the validator, stop the old node completely before starting the new one.
- Treat failover automation as high risk unless the handoff is explicit and verified.

## Agent-validator key design

- The safest simple layout reuses the validator account as the Agent account, and it is appropriate only if the operator accepts hot-key heartbeat signing risk.
- A cleaner long-term layout is to separate validator consensus signing from Agent operational signing where the deployment model allows it.
- Do not confuse Agent registration with validator consensus identity. Agent registration is an extra on-chain role, not a replacement for validator key hygiene.

## RPC and network exposure

- Leave `P2P_EXTERNAL_ADDRESS` unset on ordinary outbound-only nodes.
- Only expose `26656` when the node should accept inbound peers.
- Keep admin access to the host locked down.
- Do not expose key material over network shares.
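
The following is an added example, not part of the project's own tooling: a POSIX shell audit that checks the on-disk secret files listed under "Sensitive material" for group/other access, symlinks, and placement on a network filesystem. It assumes a Linux host with GNU `stat`, treats owner-only permissions as the baseline (the page does not prescribe modes), and uses hypothetical function names and an illustrative, non-exhaustive list of remote filesystem types.

```shell
#!/bin/sh
# Added example: audit the validator secret files named on this page.
# Assumptions: Linux host with GNU stat; owner-only access is the wanted
# baseline; the remote-filesystem list is illustrative, not exhaustive.

# Paths relative to the node directory, taken from the backup list.
SECRET_FILES="keyring.pass data/node/config/priv_validator_key.json"

# Filesystem type name of the mount holding FILE (e.g. ext2/ext3, nfs).
fs_type_of() { stat -f -c '%T' "$1"; }

# Succeeds when a filesystem type name denotes a network or remote mount.
is_remote_fs() {
    case $1 in
        nfs*|cifs*|smb*|fuse*|v9fs|afs|ceph|lustre) return 0 ;;
        *) return 1 ;;
    esac
}

# check_secret FILE: print one finding; return 0 if acceptable, else 1.
check_secret() {
    f=$1
    if [ -L "$f" ]; then echo "FAIL symlink: $f"; return 1; fi
    if [ ! -f "$f" ]; then echo "FAIL missing: $f"; return 1; fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL group/other access ($perms): $f"; return 1
    fi
    fstype=$(fs_type_of "$f")
    if is_remote_fs "$fstype"; then
        echo "FAIL remote filesystem ($fstype): $f"; return 1
    fi
    echo "OK owner-only on $fstype: $f"
}

# audit_node DIR: check every secret file; exit status = number of failures.
audit_node() {
    failures=0
    for rel in $SECRET_FILES; do
        check_secret "$1/$rel" || failures=$((failures + 1))
    done
    return "$failures"
}

# Run only when a node directory is given, e.g.: sh audit.sh /opt/axon-node
if [ -n "${1:-}" ]; then audit_node "$1"; fi
```

A non-zero exit status equals the number of files that failed, so the script can gate a start-up or backup job.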

## Operational hygiene

- Use a dedicated machine or VM for validator duties.
- Keep system time correct and disks healthy.
- Monitor logs for downtime and peer churn.
- Monitor Agent heartbeat freshness if the validator is also registered as an Agent.
- Review upgrade notes before restarting production validators.

## Chain ID hygiene

- Use `axon_8210-1` for node commands and validator operations.
- Use `8210` for wallet-facing EVM tools only.
- Do not mix them.
