Setting Up a Secure Baker

Thinking about running your own baker? Awesome! Your participation is essential to what makes Tezos a decentralized network.

While baking does have its benefits, it's important to understand the risks - including key theft, DDoS attacks, and intrusion - and which apply to you. A large baker should consider all possible threats and may want to invest in physical security. Smaller bakers may find that simpler setups make more sense for them and good key custodianship is sufficient. Ultimately, you should decide which of these suggestions to implement.

No matter how big or small a baker you are, we hope you find this guide to be a comprehensive starting point for learning about how to protect your baker. While we can't guarantee following these recommendations will prevent or mitigate an attack, you will be better protected by following them.

Exercise Best Practices

Before we get into more specific recommendations, it's important to get the basics right. Use strong, unique passwords. The better your passwords, the harder they are to penetrate. Install security patches and software updates as they become available so you are protected from known vulnerabilities. Ensure your baker has a quality internet connection (high speed, low latency) so it will be online when it is your baker's turn to bake.

It's also wise to keep software installations on your baking machine to a minimum. If you are using a dedicated machine for baking, you're well on your way! Each installation is a potential vector for someone to enter your infrastructure.

Protect Your Private Keys

The loss of private keys is a primary concern for any baker. Should someone steal your keys, they'll be able to take your tez, leaving you no recourse for recovering them. A baker has to utilize an account where tez are stored. By design, this encourages bakers to take appropriate measures to protect their private keys. Storing the key to this account in a wallet that is connected to the internet increases the chance of theft.

Hardware wallets are a great solution; they ensure your private keys never leave the device. You can bake with your tokens stored on a Ledger Nano S hardware wallet by using our Tezos Baking Application (both our Baking and Wallet Applications for the Ledger Nano S are available here). Not only does this help protect your tokens, it has additional features which 1) help prevent double baking and 2) verify the operations your baker is asked to sign, i.e., it confirms they are block and endorsement signatures and not transactions.

You can also use other means of storing cryptographic keys, such as a Hardware Security Module (HSM). Major cloud computing companies, such as Amazon and Google, offer these as services. Depending on your setup, you may have other options such as TPM 2.0 or Intel's SGX Enclave.

Run Your Own Node(s)

The decentralized Tezos network is formed by nodes which all run Tezos software and maintain the same distributed ledger. These nodes 'gossip'; they communicate, telling each other who they've connected to and who they trust. It's through this communication that the network and consensus are formed.

Each baker relies on a single node as its gateway to the blockchain. When the baker bakes or endorses a block, it tells the node it's connected to that it has done so; that node then tells the nodes it's connected to, and so on, proliferating knowledge of the event. Because the node your baker connects to plays a crucial role in ensuring your baker's actions are accepted by the network, trusting this node is essential. For that reason, it is best to control it yourself.

Running the node your baker connects to will improve the stability of your operations, but your node can also be attacked and therefore should be protected. If it is successfully attacked, the node won't be able to inform the network of your baking activity. Your baker won't lose its security deposit; it just won't bake its block. In addition to some built-in protections, Tezos has an optional feature called Private Mode.

Private Mode restricts connections to a list of nodes you configure at startup. The private node won't communicate with any other nodes besides those which you've defined. Furthermore, it ensures those nodes don't tell others the private node exists.

So which nodes can your private node trust? Small bakers who elect to use this protection can select nodes they feel are run by trustworthy parties and will always be available. Larger baking operations would be better served running these nodes themselves. Only then can you best ensure that your private node will always have multiple pathways (nodes) for broadcasting your baker's activity to the network while still remaining hidden.
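One way to check a node configuration against the two points above (Private Mode enabled, and more than one trusted peer so the private node keeps multiple pathways). This is an added example, not code from the original guide or from the Tezos project; it assumes the node's config.json uses the "p2p" keys "private-mode" and "bootstrap-peers", and the sample configs and peer addresses are constructed for illustration.

```python
import json

# Constructed sample configs (not from the original page); peer addresses
# are taken from documentation-reserved IP ranges.
WEAK = '{"p2p": {"listen-addr": "[::]:9732", "bootstrap-peers": ["192.0.2.10:9732"]}}'
HARDENED = '''{"p2p": {"listen-addr": "[::]:9732", "private-mode": true,
  "bootstrap-peers": ["192.0.2.10:9732", "198.51.100.7:9732"]}}'''


def audit_private_mode(config_text, min_peers=2):
    """Return a list of findings; an empty list means every check passed."""
    p2p = json.loads(config_text).get("p2p", {})
    findings = []

    # Private Mode must be switched on explicitly.
    if p2p.get("private-mode") is not True:
        findings.append("private-mode is not enabled")

    # A private node only talks to its configured peers, so a single peer
    # is a single point of failure for broadcasting baked blocks.
    peers = p2p.get("bootstrap-peers", [])
    unique = len(set(peers))
    if unique < min_peers:
        findings.append(f"only {unique} trusted peer(s); need at least {min_peers}")

    # Each entry should be host:port with a valid port number.
    for peer in peers:
        host, sep, port = peer.rpartition(":")
        if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
            findings.append(f"peer {peer!r} is not host:port")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_private_mode(text) or "OK")
```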

Protect Your Infrastructure

Hiding or restricting access to critical parts of your baking operation helps prevent intrusion. There are several ways to do this, such as using a virtual private network (VPN), virtual private server (VPS), or private server. Research available options, consider your security requirements, and select the tools (or combination of tools) that is most appropriate for your baker. Organizations like OWASP are a great resource if you are serious about security.

Consider closing any ports you don't need. For ports that are necessary, use SSH port forwarding and do so on a non-standard port. Outgoing connections are fine, but limit (or refuse) any incoming connections that aren't strictly necessary.

While we strongly encourage bakers to use their own hardware, if you've decided to set up your baker in the cloud then chances are your cloud service provides paid DDoS protection. For instance, Amazon, Google, Microsoft, and Cloudflare all offer DDoS solutions. You'll still need to fully control and maintain your baker, but these added protections may fit your budget and provide additional assurance.

Utilize Backups and Redundancy

Almost all of the measures we've outlined so far are designed to prevent an attack or intrusion. It's equally important to have a plan in place for when an attack occurs - especially for large bakers.

If your baker is being attacked (likely via DDoS attack), the best thing you can do is take it down and start up a baker using the same account in another location. Set this up ahead of time so you have minimum downtime. For maximum redundancy, operate more than one node in Private Mode. When you start up your new baker which has been lying in wait, connect it to your second private node so it is just as hidden as your previous baker. If you are only baking a block every once in a while this may not be necessary, but larger bakers and delegation services should have plans in place to maximize uptime.

While this will increase your chances of having zero downtime, be cautious when switching bakers not to have two using the same account online at the same time. If you do and they both bake at the same block level, you'll be penalized for double-baking. For that reason, it's best to maintain a record of the last block level your baker has baked. You can also check the network directly before starting your backup baker. You may miss a block, but that's better than being penalized!
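A sketch of the failover check described above: a persistent record of the last baked level, plus a gate that lets the backup start only once the primary is confirmed down and the chain head has moved past that level. This is an added example, not code from the original guide or from any Tezos tool; the names LevelRecord and safe_to_start_backup are hypothetical, and it assumes the record file is on storage the backup can read and that head_level is obtained from your own node.

```python
import json
import os
import tempfile


class DoubleBakeRefused(Exception):
    """Raised when a baking request is at or below the recorded level."""


class LevelRecord:
    """File-backed record of the highest block level this account has baked."""

    def __init__(self, path):
        self.path = path

    def last_level(self):
        try:
            with open(self.path) as fh:
                return int(json.load(fh)["level"])
        except FileNotFoundError:
            return -1  # nothing baked yet

    def authorize(self, level):
        """Record `level` before baking; refuse any level not strictly higher."""
        last = self.last_level()
        if level <= last:
            raise DoubleBakeRefused(f"level {level} <= recorded level {last}")
        # Write to a temp file and rename, so a crash never leaves a torn record.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as fh:
            json.dump({"level": level}, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, self.path)
        return level


def safe_to_start_backup(record, head_level, primary_stopped):
    """Start only if the primary is confirmed down and the chain head has
    already moved past the last level it baked (conservative: may miss a block)."""
    return bool(primary_stopped) and head_level > record.last_level()
```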

Get Involved

You're not alone. There are bakers all over the world solving the same problems you are, and they likely have some crafty solutions and suggestions. Attend your local Tezos Meetup. Check out Tezos on Telegram, Riot chat, or ask to join our Baker Chat (by emailing! Staying informed about new threats and solutions is one of the best steps you can take to bake securely.

June 28th Edit: Removed mention of DMZ.

July 28th Edit: Included link to Ledger Applications.