Validators on Subnet 42 run in a secure TEE (Trusted Execution Environment) enclave to validate and verify data from miners. This ensures secure and tamper-proof validation of network data through hardware-level security.

Hardware Prerequisites

Required Hardware

🔒 Intel SGX Support

  • Intel SGX 2.0+ enabled CPU required
  • Hardware-level security enclave
  • Secure computation environment

💻 Compatible Processors

  • 11th Gen+ Intel Core series
  • Modern Intel Xeon processors
  • Must have SGX feature enabled in BIOS

Verify your CPU supports Intel SGX 2.0 or higher before setting up mining operations. The SGX feature must also be enabled in your system BIOS.

Network Requirements

🌐 Port Configuration

  • Port 8080 must be open and accessible
  • Optional port 8092 for validator exposure
  • Configure firewall rules accordingly

Ensure port 8080 is open on your firewall and accessible from the internet. This is critical for validator operations and communication with the network. Port 8092 is optional and only needed if you want to expose your validator.

Cloud Provider Recommendations

For optimal TEE mining performance and reliability, we recommend using Microsoft Azure. This provider has been extensively tested and validated by our team to ensure seamless compatibility with Masa Network’s TEE mining requirements:

Microsoft Azure

✓ Offers SGX-enabled virtual machines
✓ Proven reliability for TEE workloads
✓ Validated for Masa Network mining
✓ Our recommended provider

System Setup & Configuration

Prerequisites

Before starting TEE mining operations, ensure you have:

Docker Setup

✓ Docker installed and running
✓ Permissions to run containers

Network Keys

✓ BTCLI to installation to manage your wallet
✓ Generate coldkey and hotkey mnemonics and register your validator

Keep your coldkey and hotkey mnemonics secure and backed up. These are required for mining operations and cannot be recovered if lost.

Optional: Delegate with Child Key

If you’re running a validator, you can optionally delegate using a child hotkey for enhanced security. This allows you to:

  • Keep your cold key secure
  • Isolate operational risk
  • Manage multiple delegations
  • Set custom take rates (up to 18% of rewards)

The Masa validator charges 0% take rate - you keep 100% of your rewards when delegating to us! See our Validator Child Key Delegation Guide for detailed instructions on secure delegation with child hotkeys. The take rate is subject to change in the near future.

Subnet 42 TEE worker setup

To begin mining on Subnet 42, follow these steps to set up your TEE worker:

1

Clone Repository

First, clone the Subnet 42 repository which contains the TEE mining software:

git clone https://github.com/masa-finance/subnet-42.git
2

Navigate to Directory

Change into the repository directory:

cd subnet-42
3

Copy Environment File

Create your environment configuration file:

cp .env.example .env
4

Edit Environment File

Configure your .env file by updating the following fields:

  1. Your coldkey mnemonic from wallet creation
  2. Your hotkey mnemonic from wallet creation
  3. Your role (miner or validator)
  4. Your machine’s public IP address and port 8080
  5. Network UID (165 for testnet, 42 for mainnet)
  6. Network name (test or finney) finney is for mainnet.
  7. Telemetry Result Worker Address (This is the address of the telemetry result worker)
# Your coldkey mnemonic
COLDKEY_MNEMONIC="your coldkey mnemonic here"

# Your hotkey mnemonic (Will be used to register your validator on subnet 165)
HOTKEY_MNEMONIC="your hotkey mnemonic here"

# Role Configuration
# Node role (validator)
ROLE=validator

# Your IP address
MINER_TEE_ADDRESS=https://<your-ip-address>:8080

# Network Configuration
# Network UID (165 for testnet, 42 for mainnet)
NETUID=165

# Network name (test or finney) finney is for mainnet.
SUBTENSOR_NETWORK=test

# Telemetry Result Worker Address (This is the address of the telemetry result worker) 
TELEMETRY_RESULT_WORKER_ADDRESS=https://<your-ip-address>:8080

The .env file comes pre-configured for the Subnet 165 testnet environment. No additional network configuration is needed.

5

Start Your Node

Start your node with Docker Compose based on your configured role:

For validators:

docker compose --profile validator-tee up -d

This will:

  • Launch the required containers for your node type
  • Initialize your validator node
  • Connect to the subnet network
6

Verify TEE Worker

Once your node is running, verify the TEE worker is accessible by visiting your configured address in a browser:

https://<your-ip-address>:8080

You should see a response indicating the TEE worker is running. If you get a connection error:

  • Verify your IP address is correct in the .env file
  • Check that port 8080 is open in your firewall
  • Ensure the TEE worker container is running properly

The browser may show a security warning due to the self-signed certificate. This is expected and you can proceed to verify the endpoint is responding.

7

Monitor Logs

Monitor your validator’s logs to ensure everything is running properly:

To see TEE worker logs:

docker logs subnet-42-tee-worker-1

To see your validator’s logs:

docker logs subnet-42-subnet42-1

Watch for:

  • Successful network connections
  • Mining activity
  • Any potential errors or warnings

It may take a few minutes for your validator to fully sync with the network and begin mining operations.

Upgrading your validator

1

Stop current validator

Stop your current miner:

docker compose -p <container-name> down
2

Update code

Pull the latest changes from the repository:

git pull origin
3

Start new version

Start the new version:

docker compose --profile validator-tee up -d

Frequently Asked Questions

⚙️ Setup & Configuration