On the Tezos blockchain, the Bakers collect transactions and produce new blocks. In this short article, we will show you how to set up a Tezos Baker using a Ledger to securely store the baking keys. We will be straight to the point and avoid the underlying detail. We assume the following prerequisites:

  1. You have a working Debian or Ubuntu Linux machine running a Tezos Node. To set this up, please refer to my recent article.

  2. You will need at least 6001 Tezos tokens. The minimum amount you need to bake is 1 roll (6000ꜩ) and 1ꜩ is needed to cover the self-delegation fee to become a baker.

  3. You will need a Ledger device and a machine with Ledger Live (which does not have to be your baking machine). We have tested the below with a Nano S and a Nano S+.

1 - Set up the Ledger

The Ledger stores the secret key for your wallet and signs operations. By keeping your key on a hardware wallet, you are keeping it offline and away from unwanted access on the Internet.

If this is your first time using a Ledger, download Ledger Live and follow the instructions with the device to set up your passphrase. Keep this passphrase secret and locked away carefully, as anyone with this passphrase can access your wallet. If you will keep a lot of funds on the Ledger, it is recommended to split up the passphrase and store copies of the shards in safe places such as safes or bank vaults.

Once the Ledger is set up, connect it to Ledger Live and make sure that the firmware is up to date:

[Image: Firmware update]

Then install the Tezos applications. You will need the Wallet application to manage your Tezos wallet and the baking application to bake. The Wallet application requires the user to approve every operation on the Ledger. This would be impractical for baking as operations need to be signed frequently. For security reasons, the baking application is designed only to sign baking operations and is not able to sign funds transfers. You will need to switch to the Wallet application to vote in the Tezos governance process.

Note that it’s possible to use separate ledgers for the wallet application and the baking application.

[Image: Install Tezos applications]

You can now add a Tezos account to the Ledger and transfer funds to the account. For example you could buy funds at an exchange like Coinbase and then send them to your Ledger account.

2 - Install the software

Octez includes the baking daemons as standard. For Ubuntu 22 or Debian 11, you can use these packages. Make sure that your system is up to date with apt update && apt upgrade then install the packages with dpkg. You will need the baker package for this article (you will have installed the client and node package in the prerequisite article). For example, for Ubuntu 22:

dpkg -i octez-ubt220-unoff-baker_15.1-3_amd64.deb

Any missing dependencies can be installed with apt install.

3 - Connect the ledger to the baking machine

Dedicate a USB slot to your ledger. It is best if you plug it into the same slot every time on your baking machine. In our previous article, we set up the system to run the Octez processes using the tezos user account. We will add some configuration to the system to set the permissions so that the tezos user can access the Ledger.

Create a file called 20-hw1.rules in the directory /etc/udev/rules.d containing the following lines:

# All ledger devices
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", GROUP="tezos", OWNER="tezos", MODE="0600"

Reload the USB Device service with systemctl reload udev. This will ensure that the Octez software can talk to the Ledger hardware by giving the user tezos access to any USB ledger hardware connected.
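The MODE and OWNER values in that rule decide which local accounts can talk to the signing device, so they are worth checking after editing the file. The following is an added example, not part of the original article: the function name audit_ledger_rule is hypothetical, the sample rule files are constructed, and it assumes rules written in the compact KEY=="value" form shown above.

```shell
#!/bin/sh
# audit_ledger_rule FILE [USER]  (hypothetical helper, added example)
# Inspects every rule that matches the Ledger USB vendor ID 2c97.
# Returns 0 only if each such rule sets OWNER to USER and gives no access
# to "other"; returns 2 if no Ledger rule is present. One line per finding.
audit_ledger_rule() {
    rules_file=$1
    want_user=${2:-tezos}
    found=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \#*) continue ;;                          # comment line
            *'ATTRS{idVendor}=="2c97"'*) found=1 ;;   # Ledger rule: inspect it
            *) continue ;;                            # blank or other device
        esac
        mode=$(printf '%s\n' "$line" | sed -n 's/.*MODE="\([0-7]*\)".*/\1/p')
        owner=$(printf '%s\n' "$line" | sed -n 's/.*OWNER="\([^"]*\)".*/\1/p')
        other=${mode#"${mode%?}"}                     # last octal digit: "other" bits
        if [ -z "$mode" ]; then
            echo "FAIL: no MODE set, the udev default applies"; bad=1
        elif [ "$other" != 0 ]; then
            echo "FAIL: MODE=$mode lets every local user reach the signer"; bad=1
        fi
        if [ "$owner" != "$want_user" ]; then
            echo "FAIL: OWNER is '${owner:-unset}', expected '$want_user'"; bad=1
        fi
    done < "$rules_file"
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no rule for vendor 2c97 in $rules_file"; return 2
    fi
    [ "$bad" -eq 0 ] && echo "OK: Ledger restricted to $want_user"
    return "$bad"
}

# Constructed samples: the rule from this article and a world-writable variant.
tmp=$(mktemp -d)
printf '%s\n' '# All ledger devices' \
    'SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", GROUP="tezos", OWNER="tezos", MODE="0600"' \
    > "$tmp/page.rules"
printf '%s\n' 'SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", MODE="0666"' > "$tmp/loose.rules"
audit_ledger_rule "$tmp/page.rules"
audit_ledger_rule "$tmp/loose.rules" || true
```

On the baking machine, point the function at /etc/udev/rules.d/20-hw1.rules instead of the sample files.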

4 - Setting up the ledger wallet

Assume the tezos user role on the machine. Make sure that the node is running and is bootstrapped:

sudo su - tezos
octez-client bootstrapped

Plug the ledger into the baking machine and select the Tezos Baking application. Import the key reference into the machine wallet. We will call our Ledger ledger_tezos. First identify the correct key from the list on the Ledger:

octez-client list connected ledgers

This will produce output like this:

## Ledger `barry-goose-taming-terrence`
Found a Tezos Baking 2.3.2 (git-description: "218cff29") application running
on Ledger Nano S Plus at [1-7:1.0].

To use keys at BIP32 path m/44'/1729'/0'/0' (default Tezos key path), use one
of:
  octez-client import secret key ledger_tezos "ledger://barry-goose-taming-terrence/bip25519/0h/0h"
  octez-client import secret key ledger_tezos "ledger://barry-goose-taming-terrence/ed25519/0h/0h"
  octez-client import secret key ledger_tezos "ledger://barry-goose-taming-terrence/secp256k1/0h/0h"
  octez-client import secret key ledger_tezos "ledger://barry-goose-taming-terrence/P-256/0h/0h"

Usually the ed25519 key is the correct key to use. Import the key using the following command and by following the instructions on the Ledger to accept the import.

octez-client import secret key ledger_tezos \
        "ledger://barry-goose-taming-terrence/ed25519/0h/0h"

Then you can check that you have the right Tezos address using octez-client list known addresses. Now register the key for baking and self-delegate to declare to the blockchain that you intend to bake. For each command, follow the instructions on the Ledger to confirm the operation.

octez-client setup ledger to bake for ledger_tezos
octez-client register key ledger_tezos as delegate

5 - Run the baker

Ensure that the baking application is still running on the Ledger. As root, enable and start the bakers using systemctl. The enable command will ensure that the baker starts on boot.

systemctl enable octez-baker.service
systemctl start octez-baker.service

The bakers will start and you can examine the log files to check for correct operation. Of course, you can also look at a Block Explorer like TzStats or TzKT.

tail -f /var/log/tezos/baker_PtLimaPt.log

More information

For more information, please see:

You do not have to use my Octez packages. Packages are available from Serokell for direct download or using other packaging systems, but please refer to the documentation provided with these if you use them.