Setup of Your CKBunker

Step 1 is to install the bunker code and get it running.

Once it’s running, use any ordinary browser to connect to:


At this point, you should be focused on the two tabs “Coldcard Setup” and “Bunker Setup” tabs.

Coldcard Setup tab

Coldcard Setup screen shot

“Coldcard Setup” is devoted to creating an HSM spending policy. These settings are held in a JSON file to be uploaded and confirmed on the Coldcard.

Typically the Bunker will send the file to the Coldcard when you press “Save & Start Policy” but you have the option of downloading the file, and/or importing the JSON file before that point. This is useful if you want to hand-edit the data, or keep a backup/restore a backup. When you send the file to the Coldcard, your browser will download a copy of the file, if the checkbox “Download (sanitized) copy” is set. This version of the policy file will have the following sensitive fields stripped out:

Continue reading here for details about HSM rules and policy.

Using Coldcard Setup without a Coldcard

By using the “Download Policy” button you can use the pretty web interface to build your policy file without using any other part of the CKBunker. In fact a Coldcard does not need to be connected.

One limitation of this mode is the Users section. It communicates directly with the Coldcard to read the list of users and add/remove them. If you are using those features, you may need to edit the JSON. The same is true for the names of your multisig wallets.

If you use the Bunker to upload your policy, the allow_sl and set_sl fields will be overriden by the Bunker and replaced. You can use ckcc hsm-start file.json to upload the JSON policy file, and start HSM mode on the command line.

Bunker Setup tab

Bunker Setup screen shot

There are only a few settings for the Bunker itself:

Login Screen

For your reference, the login screen presented to visitors looks like this with the animated captcha.

login screen

How Bunker Settings are Saved

In our security model, we assume the CKBunker may be “captured” by your adversaries. The CKBunker is not the last line of defense—that’s the Coldcard and your HSM policy.

If the Bunker is captured while it is turned on and running, then in the worst case, the attackers can read all of main memory, and will get the Tor Hidden service private key. This will allow them to impersonate your Bunker in the future. Presumably they can view your PSBT file and all other web interactions while you work with the Bunker.

However, they cannot change the HSM policy of the Coldcard. They do not know the TOTP/2FA secrets, and cannot generate OTP codes (only the Coldcard knows those) and so they cannot authorize spending that way and impersonate users. If the attackers are remote, relative to the location of the Coldcard, the “local confirmation code” feature will also protect you, since the attackers would need to convince your remote hands to enter a specific code.

When the data associated with the Bunker is “at rest”, meaning the system is not running, we have good protections in place. All Bunker settings are saved to ./data directory, as encrypted files. The name of the file is a hash of the private key, and the contents are a NaCl secret box (Curve25519). We store the private key for that file on the Coldcard itself, in the storage locker.

When the Bunker starts, it searchs for a Coldcard on USB (and it also looks for the simulator). If it finds one already in HSM mode, then it reads the storage locker and uses the NaCl private key (32 bytes) to select and open the corresponding Bunker settings file. Therefore, each Coldcard has it’s own settings for the Bunker.

In setup mode, bunker settings are effectively not saved until the NaCL secret is saved into the policy of a Coldcard and saved there.

Other Notes

Next Steps

HSM policy setup