Security model
CKBunker makes remote operation possible, but its security depends on the policy already approved on the COLDCARD. The Bunker host should not be treated as a trusted signer.
Trust boundary
| Part | Role |
|---|---|
| COLDCARD | Holds keys, stores HSM users/secrets, approves the policy, and enforces signing rules. |
| HSM policy | Defines what may be signed and which approvals are required. |
| Bunker host | Runs the web app, handles USB communication, and optionally publishes a Tor service. |
| Remote operators | Upload PSBTs, authenticate, coordinate approvals, and retrieve signed results. |
Assume the host can be captured
A compromised host may observe PSBTs, traffic, memory, and the onion-service key while running. The intended defense is that it cannot change the approved policy or sign outside the device-enforced rules.
Design choices to preserve
- Human-required start: a computer should not silently install a generous HSM policy and enter HSM mode.
- Privacy over UX: hiding policy details from the host can reduce information leakage.
- USB command limits: HSM mode blocks inappropriate USB actions such as firmware upgrade.
- Boot to HSM: reduces the pre-HSM window for deployments where a local operator has PIN access but not spending authority.
- PSBT-bound local codes: local confirmation codes should bind to the specific transaction being approved.
Race and brute-force considerations
Local confirmation codes are tied to the PSBT and a COLDCARD-chosen salt. That design matters: it prevents a remote user from asking a local operator for a code and then swapping in a different PSBT. Refusal counters and conservative limits reduce policy probing.
Deployment advice
For meaningful funds, use conservative spending limits, destination whitelists, TOTP users, microSD logging, and a physically secure host/device environment. For high-threat environments, consider EMI shielding and strict operational separation.
Firmware note: Current COLDCARD HSM documentation says HSM mode is not provided on COLDCARD Q. Verify current support for your exact device before planning a deployment.