HSM policy
The HSM policy is the rule set that makes CKBunker safe. The web app can ask for signatures; the COLDCARD decides whether a request matches the policy. Build the policy as if the attached computer might someday be compromised.

Rule controls
| Control | Purpose |
|---|---|
| Max amount | Limit the BTC amount a single transaction may spend. |
| Per-period amount | Rate-limit total spending over a velocity window. COLDCARD has no wall-clock time, so the period starts from policy use. |
| Destination whitelist | Allow spending only to approved addresses, such as cold-storage or sweep destinations. |
| Multisig wallet name | Scope a rule to a named multisig wallet, or to non-multisig only. |
| Authorizing users | Require one or more named HSM users to approve an operation, including M-of-N patterns. |
| Local confirmation | Require a six-digit code entered by someone at the COLDCARD location. The code is tied to the PSBT. |
Rule ordering
Multiple rules can exist. The device tests them in order and applies the first matching rule. Keep highly constrained rules first and avoid broad catch-all rules unless they are truly intended.
Important: A single empty rule can allow any transaction to be signed. No PSBT-signing rules means no PSBT will be signed.
Safe and unsafe examples
- Safer: a low daily velocity limit, a destination whitelist to one or two cold-storage addresses, required TOTP users, and local confirmation for unusual amounts.
- Riskier: a broad rule with no whitelist, no user threshold, and a high per-period amount.
- Emergency sweep: whitelist a single cold-storage destination so a warm wallet can be swept to safety without authorizing arbitrary destinations.
Users
HSM users are defined on the COLDCARD. Prefer TOTP secrets generated and shown by the COLDCARD itself. Avoid sending known passwords over the host when possible because that requires trusting the attached computer during setup.

Other policy settings
- Message signing paths: allow message signing only under selected derivation paths.
- Xpub/address sharing: scope what information the host can request.
- Logging: require or disable microSD audit logs.
- Privacy over UX: hide semi-sensitive policy/status information from the host UI.
- Boot to HSM: enter HSM mode immediately after PIN entry for locked-down deployments.
Compatibility note
The legacy CKBunker docs describe Mk3/Mk4 USB HSM workflows. Current COLDCARD HSM docs state that HSM mode is not provided on COLDCARD Q. Verify your exact model and firmware before designing a production policy.