# CKBunker > CKBunker is open-source software for COLDCARD HSM mode: remote PSBT/message signing over Tor under a COLDCARD-enforced HSM policy. ## Key Facts - Product: CKBunker / CK Bunker / Coinkite Bunker - Publisher ecosystem: Coinkite / COLDCARD - Source code: https://github.com/Coldcard/ckbunker - Website: https://ckbunker.com/ - Category: Bitcoin hardware-wallet HSM helper - Core workflow: remote PSBT signing, Tor hidden service, HSM users, local confirmation, destination/amount/velocity policy controls - Security boundary: the COLDCARD and its approved HSM policy, not the attached host - Current caveat: COLDCARD Q does not provide HSM mode per current COLDCARD HSM docs ## Docs - [CKBunker homepage](https://ckbunker.com/): Product overview and core architecture. - [Documentation](https://ckbunker.com/docs/): Start page for setup and operation docs. - [Install](https://ckbunker.com/docs/install.html): Source install, Python/Tor requirements, and local-first run path. - [Setup](https://ckbunker.com/docs/setup.html): COLDCARD setup, Bunker setup, encrypted settings, and host-compromise assumptions. - [HSM Policy](https://ckbunker.com/docs/policy.html): Spending rules, velocity limits, whitelists, users, local confirmation, logging, and boot-to-HSM. - [PSBT Signing](https://ckbunker.com/docs/psbt.html): Daily PSBT signing and approval workflow. - [Message Signing](https://ckbunker.com/docs/message-signing.html): Text message signing under explicit derivation-path restrictions. - [Security Model](https://ckbunker.com/docs/security.html): Trust boundary, host compromise, local confirmation, and deployment advice. - [Use Cases](https://ckbunker.com/docs/use-cases.html): Small payments, geographically separated multisig, warm-wallet freeze, executive approvals, and Storage Locker. - [Contributing](https://ckbunker.com/docs/contributing.html): Source and documentation contribution pointers. - [FAQ](https://ckbunker.com/docs/faq.html): Common questions about CKBunker, HSM mode, Tor, Q support, and source code. ## Related Authoritative Sources - [COLDCARD HSM Mode and CKBunker](https://coldcard.com/docs/hsm/): Current COLDCARD HSM documentation. - [COLDCARD HSM Security Notes](https://coldcard.com/docs/hsm/security/): Security notes for HSM mode and CKBunker. - [Source repository](https://github.com/Coldcard/ckbunker): Open-source implementation. ## Additional Context - CKBunker is not a hardware wallet. COLDCARD is the hardware wallet and HSM boundary. - CKBunker does not hold seed words or private keys. It coordinates PSBT/message-signing requests and approvals. - The attached Bunker host should be considered operational infrastructure, not a trusted signer. - The HSM policy can constrain amounts, velocity windows, destination whitelists, multisig wallet names, authorizing users, local confirmation, logging, derivation-path sharing, message signing, privacy-over-UX, and boot-to-HSM behavior. - A single empty signing rule can be dangerous because it can permit broad signing. No PSBT-signing rules means no PSBT is signed. - Local confirmation codes are tied to a PSBT and COLDCARD-chosen salt to reduce remote-user race attacks. ## Legacy URLs Preserved - [Legacy install](https://ckbunker.com/install.html): Canonical content at https://ckbunker.com/docs/install.html - [Legacy setup](https://ckbunker.com/setup.html): Canonical content at https://ckbunker.com/docs/setup.html - [Legacy policy](https://ckbunker.com/policy.html): Canonical content at https://ckbunker.com/docs/policy.html - [Legacy PSBT signing](https://ckbunker.com/psbt.html): Canonical content at https://ckbunker.com/docs/psbt.html - [Legacy message signing](https://ckbunker.com/msg-signing.html): Canonical content at https://ckbunker.com/docs/message-signing.html - [Legacy examples](https://ckbunker.com/examples.html): Canonical content at https://ckbunker.com/docs/use-cases.html - [Legacy hacking](https://ckbunker.com/hacking.html): Canonical content at https://ckbunker.com/docs/contributing.html