Security model

Last updated: 2026-07-07 · Source-backed CKBunker/COLDCARD documentation.

Direct answer: Understand the CKBunker security boundary: COLDCARD policy enforcement, host compromise assumptions, Tor, local confirmation, and boot-to-HSM.

CKBunker makes remote operation possible, but its security depends on the policy already approved on the COLDCARD. The Bunker host should not be treated as a trusted signer.

Trust boundary

PartRole
COLDCARDHolds keys, stores HSM users/secrets, approves the policy, and enforces signing rules.
HSM policyDefines what may be signed and which approvals are required.
Bunker hostRuns the web app, handles USB communication, and optionally publishes a Tor service.
Remote operatorsUpload PSBTs, authenticate, coordinate approvals, and retrieve signed results.

Assume the host can be captured

A compromised host may observe PSBTs, traffic, memory, and the onion-service key while running. The intended defense is that it cannot change the approved policy or sign outside the device-enforced rules.

Design choices to preserve

Race and brute-force considerations

Local confirmation codes are tied to the PSBT and a COLDCARD-chosen salt. That design matters: it prevents a remote user from asking a local operator for a code and then swapping in a different PSBT. Refusal counters and conservative limits reduce policy probing.

Deployment advice

For meaningful funds, use conservative spending limits, destination whitelists, TOTP users, microSD logging, and a physically secure host/device environment. For high-threat environments, consider EMI shielding and strict operational separation.

Firmware note: Current COLDCARD HSM documentation says HSM mode is not provided on COLDCARD Q. Verify current support for your exact device before planning a deployment.