---
title: Node Deployment Guide (Gen-2)
slug: node-deployment-gen-2
description: Step-by-step runbook for installing IC-OS on Gen-2 node hardware using a node-operator private key — the current non-HSM deployment path.
tags:
  - node-provider
  - deployment
  - ic-os
  - gen-2
  - bios
  - infrastructure
date: 2026-05-04
related:
  - node-provider-documentation
  - node-hardware-guide
  - node-deployment-gen-1
---

This runbook covers all steps necessary to install the Internet Computer
Operating System (IC-OS) on a Gen-2 node machine without an HSM.

The physical machine is expected to be racked and stacked according to
its respective manual.

To complete these steps, you are expected to be physically present in
the data center your machine(s) reside(s). Once you have successfully
onboarded your first node, you can bring up the other nodes in parallel.

If you encounter issues during any of these steps, consult
[Troubleshooting Node Deployment Errors](/wiki/node-deployment-troubleshooting/).

> [!WARNING]
> DFINITY does **not** offer live support for node providers attempting
> to deploy nodes.

> [!WARNING]
> The IC-OS installer will completely wipe the disk. Back up any
> critical data before continuing.

## 1. Choose onboarding path (HSM vs. no HSM)

If you chose the HSM node provider onboarding path, follow the
[Node Deployment Guide (Gen-1, with HSM)](/wiki/node-deployment-gen-1/)
to onboard your nodes.

If you chose to onboard **without** a Nitrokey HSM, **continue to the
next step.**

## 2. Obtain requirements

- A USB drive (3.0 speed, that can hold at least 4 GB) to put the image
  file on.
  - Faster USBs will allow the process to go much faster.
- The `node_operator_private_key.pem` for your data center (acquired
  from the node provider onboarding process, step 6 — Setup the Node
  Operator keys).
- It is recommended that each server have a label with the BMC's MAC
  address for ease of identification in future dashboard upgrades.

## 3. Download installation image

Download the latest release of the **IC-OS USB Installer Image** from
the [Internet Computer Dashboard Releases](https://dashboard.internetcomputer.org/releases).
Take a note of the version of the release.

> [!NOTE]
> You should always use a release from the last 6 weeks (newer is
> better) in order to ensure that your node can correctly connect to
> the network.

## 4. Verify checksum

Verify the **IC-OS USB Installer Image** downloaded in the previous
step using the version of the release (commit hash) from the previous
step.

### macOS / Linux

Run the reproducibility check and locally compute the checksum of the
downloaded release. Open the Terminal and type:

```shell
RELEASE_VERSION=<SET IT>
curl -fsSL https://raw.githubusercontent.com/dfinity/ic/${RELEASE_VERSION}/ci/scripts/repro-check | python3 - -c ${RELEASE_VERSION} --setupos
```

> [!NOTE]
> The reproducibility check takes around 20 minutes to run (depending
> on your hardware). At the end, it displays the locally computed
> checksum and the remote one.

Then, open the Terminal and type to obtain the checksum of the
downloaded file:

```shell
shasum -a 256 ~/Downloads/disk-img.tar.zst
```

Compare the locally computed checksum with the checksum of the
downloaded file.

> [!WARNING]
> Only continue if they are identical, otherwise please post your issue
> in the Node Provider Matrix channel.

### Windows

Run the reproducibility check and locally compute the checksum of the
downloaded release. Open PowerShell and type:

```shell
RELEASE_VERSION=<SET IT>
$RELEASE_VERSION = "<SET IT>"
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/dfinity/ic/$RELEASE_VERSION/ci/scripts/repro-check" -UseBasicParsing | ForEach-Object {
    python3 - -c $RELEASE_VERSION --setupos
}
```

> [!NOTE]
> The reproducibility check takes around 20 minutes to run (depending
> on your hardware). At the end, it displays the locally computed
> checksum and the remote one.

Then, open PowerShell and type to obtain the checksum of the downloaded
file:

```shell
Get-FileHash -Algorithm SHA256 .\Downloads\disk-img.tar.zst
```

Compare the locally computed checksum with the checksum of the
downloaded file.

> [!WARNING]
> Only continue if they are identical, otherwise please post your issue
> in the Node Provider Matrix channel.

## 5. Unarchive file

### macOS

Open the Terminal and type:

```shell
tar xzvf ~/Downloads/disk-img.tar.zst
```

### Linux / Ubuntu

Open the Terminal and type:

```shell
tar xzvf ~/Downloads/disk-img.tar.zst
```

### Windows

Open PowerShell and type:

```shell
tar xzvf .\Downloads\disk-img.tar.zst
```

## 6. Create bootable USB stick

### macOS

1. Open the Terminal and type:

   ```shell
   diskutil list
   ```

2. All available drives should be shown. Identify which device
   corresponds to your USB stick. You may need to unmount the USB drive:

   ```shell
   sudo diskutil unmount /dev/YOUR_USB_DEVICE_MOUNTED_PARTITION # E.g. /dev/disk4s1
   ```

3. Replace `/dev/YOUR_USB_DEVICE` with the device that corresponds to
   your USB stick. Additionally, replace the path to your downloaded
   IC-OS `disk.img` file.

   > [!WARNING]
   > You risk losing your own data if you specify a wrong drive.

   ```shell
   sudo dd if=/Users/YOUR_USER_NAME/Downloads/disk.img of=/dev/YOUR_USB_DEVICE bs=1M status=progress
   ```

   If you get a "device is busy" error from the `dd` command, you can
   try running the following command to unmount all of the partitions
   on the disk, then re-run the `dd` command:

   ```shell
   sudo diskutil unmountDisk /dev/YOUR_USB_DEVICE # E.g. /dev/disk4
   ```

### Linux / Ubuntu

1. Open the Terminal and type:

   ```shell
   blkid
   ```

2. All available drives should be shown. Identify which device
   corresponds to your USB stick. You may need to unmount the USB drive:

   ```shell
   sudo umount /dev/YOUR_USB_DEVICE_MOUNTED_PARTITION # E.g. /dev/sdb1
   ```

3. Replace `/dev/YOUR_USB_DEVICE` with the device that corresponds to
   your USB stick. Additionally, replace the path to your downloaded
   IC-OS `disk.img` file.

   > [!WARNING]
   > You risk losing your own data if you specify a wrong drive.

   ```shell
   sudo dd if=/home/YOUR_USER_NAME/Downloads/disk.img of=/dev/YOUR_USB_DEVICE bs=1M status=progress
   ```

### Windows

1. Download and install [Rufus Portable](https://rufus.ie/en/).
2. Start Rufus.
3. Select the USB stick under device and select the previously
   downloaded IC-OS disk image and press start.
4. You may see some warnings. Make sure you don't have any other USBs
   in your computer and choose OK.
5. The "Ready" bar will go from left to right as it completes.

## 7. Add configuration

### A. Open `config.ini` in a text editor

#### macOS

1. Open Finder. You should now be able to see the CONFIG partition. If
   it's not visible, remove the USB and insert it again.
2. Double-click `config.ini` to open it in TextEdit.

#### Linux

1. Open the File Manager. You should now be able to see the CONFIG
   partition. If it's not visible, remove the USB and insert it again.
2. Double-click `config.ini` to open it in KWrite.

#### Windows

1. Open the Disk Management utility with a right-click on the Start menu.
2. Right-click the CONFIG partition.
3. Select **Change drive letter or paths…**
4. Select any letter from the drop-down list.
5. Click OK.
6. You should now be able to see the CONFIG partition in your Windows
   Explorer. Select the `config.ini` configuration file.
7. Click on **Edit** to open it.

### B. Edit `config.ini`

Edit the `config.ini` file to add your network configuration.

> [!NOTE]
> All node providers are requested to deploy two nodes with IPv4 and a
> domain name for every data center they operate in. Node providers
> should deploy IPv4 to the **first two nodes in their first rack**.

1. Set the appropriate value for `node_reward_type`. You can find the
   value to set by following the
   [Node Deployment config.ini](/wiki/node-deployment-config-ini/)
   reference.
2. Insert your IPv6 prefix and gateway.
   - The IPv6 prefix should consist of four groups of hexadecimal
     digits, separated by colons (`:`). Each group can contain up to
     four hex digits.
   - For example, a valid prefix could look like this:
     `2a00:fb01:400:200`
   - **Important:**
     - The prefix should not have a trailing `:`.
     - IPv6 CIDR notation allows for a double colon (`::`) to represent
       consecutive groups of zeroes in an address. However, the prefix
       configuration in this context does **not** support `::`. The
       `::` shorthand should **not** be used. Even if some groups are
       all zeros, they must be explicitly written out.
3. [Optional] Insert your IPv4 info and domain name.
   - Configuring your node with IPv4 settings is optional, but if you
     do configure your node with IPv4 settings, you must also define
     the domain name for your node.
   - **Important:**
     - You **must use a unique IPv4 address for each node you deploy**.
       This means that you cannot use a single IC-OS installation image
       to deploy multiple nodes (like you are able to do when just
       configuring IPv6 nodes). After each IPv4 node deployment, you
       must plug your IC-OS installation USB stick back into your laptop
       and return to step 6 in this guide to reconfigure your
       installation image.
     - You can add, remove, or update your node's IPv4 address and
       domain name after completing node deployment using `dfx`
       commands. See
       [Updating Your Node's IPv4 and Domain Name](/wiki/updating-node-ipv4-and-domain/)
       for details.
4. [Optional] Enable Trusted Execution Environment.
   - Only if given *explicit* direction to do so, uncomment
     `enable_trusted_execution_environment=true` to enable Trusted
     Execution Environment. This feature should only be enabled on
     [Gen-2 node hardware](/wiki/node-hardware-guide/#gen-2-node-machine-requirements).
5. Save the changes.
   - If you have trouble saving this file directly, you may need to
     save to a known location first, then copy the file into place.

### C. Copy node operator private key to config partition

Copy `node_operator_private_key.pem` (created in node provider
onboarding step 6 — Setup the Node Operator keys) to the `CONFIG`
partition. This file should have the name
`node_operator_private_key.pem`, and sit next to `config.ini`, NOT
inside the `ssh_authorized_keys` folder.

## 8. Connect crash cart

1. In order to configure the UEFI and initiate the installation of the
   IC-OS, connect a crash cart to the physical machine.
2. Plug in the VGA/video, keyboard and IC-OS USB stick.

## 9. UEFI setup and boot menu

Make sure that the server date/time is set to UTC (Universal Time
Coordinated).

Use the matching UEFI configuration entry for your hardware vendor:

- [Gen-2 hardware](/wiki/node-hardware-guide/#gen-2-node-machine-requirements):
  - [IC-OS UEFI Configuration — Gen-2 Dell](/wiki/uefi-config-gen-2-dell/)
  - [IC-OS UEFI Configuration — Gen-2 Supermicro](/wiki/uefi-config-gen-2-supermicro/)
  - [IC-OS UEFI Configuration — Gen-2 Gigabyte](/wiki/uefi-config-gen-2-gigabyte/)
  - [IC-OS UEFI Configuration — Gen-2 ASUS](/wiki/uefi-config-gen-2-asus/)
- [Gen-1 hardware](/wiki/node-hardware-guide/#gen-1-node-machine-requirements):
  - [IC-OS UEFI Configuration — Gen-1 Dell (PowerEdge R6525)](/wiki/uefi-config-gen-1-dell/)
  - [IC-OS UEFI Configuration — Gen-1 Supermicro](/wiki/uefi-config-gen-1-supermicro/)

> [!WARNING]
> Do NOT enable the RAID BIOS setting. Doing so will cause issues with
> the IC-OS installation.

Resume from this point when you are finished configuring the BIOS.

## 10. IC-OS installation

1. Wait while the USB installer is booting up. This process can take
   up to 3 minutes.
2. The IC-OS installation starts. Keep an eye on the progress. This
   part can take up to 10 minutes. Remember to check
   [Troubleshooting Node Deployment Errors](/wiki/node-deployment-troubleshooting/)
   if you encounter any errors.
3. If the installation finished successfully, it will initiate a reboot.

## 11. First boot

> [!NOTE]
> Remember to check
> [Troubleshooting Node Deployment Errors](/wiki/node-deployment-troubleshooting/)
> if you encounter any errors.

1. After the IC-OS installation is complete, the machine reboots. Then,
   **IGNORE** the GRUB menu. You do NOT need to input anything. This
   menu will go away after a 15-second timeout.
2. The node will then boot up, and after a few minutes you should see
   a HostOS console log.
   - This log does **NOT yet signify a successful onboarding.** Wait at
     least 10 minutes for a `Join request successful!` log signifying
     a successful onboarding.
   - If after 10 minutes you don't see anything else logged to the
     screen, **leave your node running** and post a message in the
     Matrix channel with a screenshot of your console and the support
     request information requirements listed in
     [Troubleshooting Node Deployment Errors](/wiki/node-deployment-troubleshooting/).
3. Once you see the `Join request successful!` message, you may unplug
   the USB stick and VGA/video.

Congratulations — your machine has joined the Internet Computer, and
the node provider will start receiving rewards.

> [!NOTE]
> If you do NOT see a "Join request successful" message, your node may
> still have successfully onboarded. Continue to the next step to
> attempt to verify node onboarding.

## 12. Verify node onboarding

1. Obtain your node ID.
   - Your node ID should have been output in the previous step. If it
     wasn't, **wait at least 10 minutes to see if the node ID is logged
     to the console.**
2. Verify that your node was successfully onboarded by checking its
   status on the [dashboard](https://dashboard.internetcomputer.org/).
   - The dashboard can be searched by your node provider principal.
     There, you should see the node ID of your node.
   - If the status of your node is either "Awaiting Subnet" or "Active
     in Subnet," congratulations — your machine has joined the network.
   - If the status of your node is NOT either "Awaiting Subnet" or
     "Active in Subnet", or if it is NOT listed under your node
     provider principal, consult
     [Troubleshooting Node Deployment Errors](/wiki/node-deployment-troubleshooting/).
3. If deploying with IPv4, verify that IPv4 was successfully configured.
   - Ten minutes after the initial `Join request successful!` message,
     you should see another log indicating a successful IPv4
     deployment.
   - If your log says `IPv4: none configured`, then your IPv4
     deployment failed.

If you are failing to verify your node onboarding, consult
[Troubleshooting Node Deployment Errors](/wiki/node-deployment-troubleshooting/).

## Related

- [Node Provider Documentation](/wiki/node-provider-documentation/) — the parent index for the role.
- [Node Provider Machine Hardware Guide](/wiki/node-hardware-guide/) — the hardware specs the installer expects.
- [Node Deployment Guide (Gen-1, with HSM)](/wiki/node-deployment-gen-1/) — the legacy HSM deployment path.