Validator Security

Best practices for securing your Realm validator

Overview

Running a validator requires strong security practices. A compromised validator can result in slashing and loss of staked funds.

Critical

Never expose your validator keys. Keep backups in secure cold storage.

Security Layers

The Realm validator ISO includes multiple security layers:

  • LUKS2 Encryption - Full-disk encryption with Argon2id key derivation
  • AppArmor - Mandatory access control for realmd
  • nftables - Kernel-native firewall
  • fail2ban - Intrusion prevention
  • AIDE - File integrity monitoring
  • Secure Boot - TPM2 attestation

Firewall Configuration

# /etc/nftables.conf
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Allow loopback traffic (needed by local services under policy drop)
        iif "lo" accept

        # Allow established connections
        ct state established,related accept

        # Allow SSH (new connections rate limited)
        tcp dport 22 ct state new limit rate 3/minute accept

        # Allow gRPC API
        tcp dport 9090 accept

        # Allow P2P
        tcp dport 26656 accept
        udp dport 26656 accept
    }
}
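
A check for firewall drift, as an added example that is not part of the Realm documentation: it compares an input chain with the ports opened in the configuration above and reports a missing default-drop policy, unexpected open ports, and missing rules. The function name, finding labels and both sample rulesets are constructed for illustration, and it assumes one port per rule as in the configuration above.

```shell
# Added example (not from the Realm docs). ALLOWED mirrors this page's nftables.conf;
# audit_ruleset, its finding labels and both samples are constructed for illustration.
ALLOWED="tcp/22 tcp/9090 tcp/26656 udp/26656"
# Reads ruleset text on stdin (assumes one port per rule, no sets or trailing comments).
audit_ruleset() {
    rc=0
    findings=$(awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /chain input/          { in_input = 1; next }
        in_input && $1 == "}"  { in_input = 0; next }
        !in_input || $1 ~ /^#/ { next }
        /hook input/           { if ($0 ~ /policy drop/) drop = 1; next }
        $NF == "accept" {
            for (i = 1; i + 2 <= NF; i++) if ($(i + 1) == "dport") {
                key = $i "/" $(i + 2); seen[key] = 1
                if (!(key in want)) { print "UNEXPECTED " key; bad = 1 }
            }
        }
        END {
            if (!drop) { print "NO_DEFAULT_DROP"; bad = 1 }
            for (k in want) if (!(k in seen)) { print "MISSING " k; bad = 1 }
            exit bad + 0
        }') || rc=$?
    if [ -n "$findings" ]; then printf '%s\n' "$findings" | sort; fi
    return "$rc"   # 0 = chain matches the allowlist, 1 = drift found
}

# Constructed sample: a chain that opens exactly the ports this page lists.
SAMPLE_OK='table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    tcp dport 22 limit rate 3/minute accept
    tcp dport 9090 accept
    tcp dport 26656 accept
    udp dport 26656 accept
  }
}'
# Constructed sample: drifted chain (policy accept, extra port, P2P UDP rule gone).
SAMPLE_DRIFT='table inet filter {
  chain input {
    type filter hook input priority 0; policy accept;
    tcp dport 22 limit rate 3/minute accept
    tcp dport 9090 accept
    tcp dport 26656 accept
    tcp dport 3000 accept
  }
}'
printf '%s\n' "$SAMPLE_DRIFT" | audit_ruleset || true   # demo run on the drifted sample
```

On a host, pipe the output of `nft list ruleset` into `audit_ruleset`; a non-zero exit status can feed the alerts listed under Monitoring.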

Key Management

Key Security

Your validator key signs blocks. If compromised, an attacker can double-sign and cause slashing.
  • Generate keys offline on an air-gapped machine
  • Store encrypted backups in multiple secure locations
  • Consider hardware security modules (HSM) for production
  • Never transmit keys over the network

Monitoring

Set up alerts for:

  • Missed blocks
  • Abnormal resource usage
  • Failed login attempts
  • File integrity changes

Slashing Conditions

Validators are slashed for:

  • Double signing - 5% stake slashed
  • Downtime - 0.1% per missed epoch
  • Misbehavior - Up to 100% slashed