Remote PSBT signing · Tor · COLDCARD HSM

Turn a COLDCARD into a policy-gated Bitcoin HSM.

CKBunker runs beside your COLDCARD and gives remote operators a clean web interface for PSBT signing, message signing, user authorization, and spending rules — while the COLDCARD enforces the policy.

Direct answer: CKBunker is open-source software for COLDCARD HSM mode. It lets remote users submit PSBTs over Tor, but the COLDCARD and its approved HSM policy decide what can be signed.
PSBT-firstUpload, inspect, authorize, sign.
Tor-readyExpose the Bunker as an onion service.
Policy lockedRules are approved on the COLDCARD.
CKBunker transaction signing dashboard beside a COLDCARD and server console

The Bunker interface coordinates remote approvals; the COLDCARD holds the signing authority.

What is CKBunker?

A Python application that runs on a computer attached to a COLDCARD. It starts and operates HSM mode so the device can sign allowed requests without someone pressing OK for every transaction.

  • Run a local web interface, or publish it through Tor as a hidden service.
  • Upload PSBTs and have the COLDCARD sign only when policy rules pass.
  • Create HSM users with TOTP or passwords stored on the COLDCARD.
  • Use the Storage Locker to protect Bunker settings, including onion-service keys.

Built for serious signing workflows.

CKBunker makes advanced HSM controls visible and usable without moving private keys off the COLDCARD.

PSBT transaction signing

Upload a PSBT, review what will be signed, collect approvals, then download or broadcast the signed transaction.

Spending rules

Combine amount limits, velocity limits, destination whitelists, multisig scoping, and warning behavior.

2F

User authorization

Require one or more named HSM users, with TOTP-based approvals generated and stored on the COLDCARD.

Tor hidden service

Reach the Bunker remotely without exposing a public IP address or opening inbound ports.

Local confirmation

Require a six-digit code entered by a person standing next to the COLDCARD for selected transactions.

Message signing

Authorize text-message signing under derivation-path restrictions, not just Bitcoin transactions.

The security boundary is the COLDCARD policy.

The Bunker host is operational infrastructure. The COLDCARD owns the keys, approves the policy on-device, and decides what can be signed.

Policy setup

Enable HSM USB commands locally, define users and rules, then review and approve the policy on COLDCARD.

Bunker host

Run the web application on a machine attached over USB. Serve locally or through Tor.

Remote request

Operators upload PSBTs, enter user approvals, and coordinate local confirmation codes when required.

Device enforcement

The COLDCARD signs only if the request matches the already-approved policy.

CKBunker spending-rules screen

Fine-grained controls, readable docs.

The documentation explains the original README and current HSM concepts as a real product site: what it does, how to install it, how policies work, and how to think about risk.

Install from source.

CKBunker is advanced software. Verify your COLDCARD firmware, HSM support, Python environment, and Tor setup before using it with real funds.

git clone https://github.com/Coldcard/ckbunker.git
cd ckbunker
virtualenv -p python3 ENV
source ENV/bin/activate
pip install -r requirements.txt
ckbunker --help