Q
QuantaraQuantum-Resistant Blockchain
Devnet-0 Docs
Quantara • Devnet-0
Devnet-0 is liveView global status

QUANTARA • QUANTUM-RESISTANT L1

Key management & backups for Quantara Devnet-0

How to generate, store, back up, and rotate your Quantara keys — treating Devnet-0 as a dress rehearsal for public testnet and mainnet.

Docs • Security

Key management & backups for Quantara Devnet-0

A practical guide to mnemonics, stash / controller / session keys, and backups. The goal: never lose control of your validator or user funds because of preventable key mistakes.

Quantara uses a familiar stash / controller / session model inspired by the wider Substrate ecosystem. On Devnet-0, you're mostly practicing — but the habits you build here will carry straight into public testnet and mainnet.

This page focuses on key generation, storage, backups, and rotation. Treat it as the companion to the Security checklist, Backup & restore guide and Incident response docs.

If you are new to the model, start with a single validator on Devnet-0 and practice the full lifecycle: generate keys, register as a validator, rotate session keys once, and rehearse a recovery using your backups.

Devnet-0Key management & backupsQTR • 12 decimals • SS58=73

Losing a mnemonic on Devnet-0 is annoying. Losing one on mainnet is catastrophic. Practice doing this right while the stakes are small.

Devnet-0Non-financial rehearsal

Devnet-0 uses the same identity model as future networks: SS58=73, 12 decimals, token symbol QTR. Keys you practice with here will behave like production keys — just with test-only value.

Token / Decimals / SS58QTR / 12 / 73
WS RPCwss://rpc.devnet-0.quantara.xyz
Explorerhttps://explorer.devnet-0.quantara.xyz

Last updated: 2025-11-23 22:00 UTC. Always confirm live endpoints and key-related advisories on the Status page.

1 • Key roles

Understand stash, controller, and session keys

Before generating anything, be clear on which keys exist and what each one is allowed to do.

1.1 — Stash account

  • • Long-term vault for value (later, real QTR).
  • • Rarely used; should almost never sign transactions.
  • • Kept entirely offline where possible.
  • • On Devnet-0, treat it like a cold wallet rehearsal, even if stakes are low.

1.2 — Controller account

  • • Day-to-day account that manages staking actions.
  • • Can change session keys, bond / unbond, or chill.
  • • Lives on a more accessible but still protected device.
  • • Good candidate for a hardware wallet on mainnet.

1.3 — Session keys

  • • Live keys that your validator node uses to sign.
  • • Stored only on validator hosts (never on laptops).
  • • Rotated regularly and after suspected compromise.
  • • Derived via RPC or tooling; controlled by the controller account.

For Devnet-0, you can start with a simpler layout (no strict stash/controller separation) — but write down how you'll evolve to the full model for public testnet and mainnet.

2 • Generation

Generate mnemonics and keys with intention

Keys created in a hurry on the wrong machine are the ones you regret later. Slow down and make generation a deliberate step.

2.1 — Mnemonic generation

  • • Use trusted tools (CLI or wallet UI) on a clean device.
  • • Generate stash / controller mnemonics offline when you can.
  • • Immediately write down or store mnemonics in a manager.
  • • Verify addresses use SS58=73 before funding.

2.2 — Session key creation

  • • Generate session keys via the Quantara node or tooling.
  • • Keep key material confined to validator hosts.
  • • Record key fingerprints (public keys) in an internal doc.
  • • Practice the full registration flow using the Validator runbook.

For end-to-end wallet and faucet flows, see the Wallet & Faucet runbook.

3 • Storage & backups

Decide where secrets live — and how you’ll get them back

Good key management is mostly about boring decisions: which devices, which vault, which backup routine. Make those decisions explicit.

3.1 — Primary storage

  • • Use a reputable password manager or HSM where possible.
  • • Keep stash mnemonics on the most protected device.
  • • Avoid screenshots, unencrypted notes, or chat apps.
  • • Document which operators can access which secrets.

3.2 — Backup strategy

  • • Maintain at least two independent backup locations.
  • • Separate mnemonic backups from server configs.
  • • Encrypt backups at rest and in transit.
  • • Keep an inventory of backup locations and owners.

3.3 — Restore drills

  • • Perform a full restore simulation at least once.
  • • Verify you can reconstruct accounts from backups.
  • • Time how long a clean rebuild + key restore takes.
  • • Capture lessons and feed them into Backup & restore procedures.

4 • Rotation & lifecycle

Rotate keys before you’re forced to

Regular rotation reduces blast radius and keeps you ready for emergencies. Start with session keys and build up from there.

4.1 — Session key rotation

  • • Plan to rotate session keys on a regular cadence.
  • • Use Devnet-0 to rehearse full rotation end-to-end.
  • • Confirm new keys are active via explorer / RPC.
  • • Keep historical records of when rotations occurred.

4.2 — Controller hygiene

  • • Avoid using the controller for non-validator activity.
  • • Keep controller devices patched and locked down.
  • • Consider migrating controllers to hardware wallets.
  • • Document the process for swapping controllers safely.

4.3 — Stash evolution

  • • For Devnet-0, keep stash small and test-focused.
  • • Design where production stashes will live (HSM, HW).
  • • Decide who can authorize stash-level actions.
  • • Treat stash mnemonics as the most sensitive secret.

5 • Compromise

What to do if you suspect key compromise

Assume that one day, a key will be exposed or a device will fail. Decide now how you’ll respond when that happens.

5.1 — Suspected compromise

  • • Treat suspicious device behavior as a real signal.
  • • Capture logs and timeline for later analysis.
  • • Move quickly to rotate session keys and controllers.
  • • Coordinate with Quantara via /status + validator channels if validators are impacted.

5.2 — Confirmed compromise

  • • Immediately rotate affected keys and revoke access.
  • • Rebuild compromised machines from clean images.
  • • Review backups for contamination and reset passwords.
  • • Log the incident using the Postmortem template and update internal SOPs.

Use Devnet-0 to practice these flows so that, on mainnet, your response is calm and rehearsed rather than improvised.

Next steps

Turn key management into muscle memory

If you can generate, back up, rotate, and recover keys without stress on Devnet-0, you’re ready for the next stages of Quantara.

Keep this page close to the Security checklist, Backup & restore guide and Validator runbook. Together they define the operational backbone of a healthy Quantara validator.

The operators we want on public testnet and mainnet are the ones who treat key management as a discipline, not an afterthought. If that's you, Devnet-0 is your training ground.