README: add a plain-language 'what is an HSM' explainer

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-26 14:32:44 +10:00 · 2026-06-26 14:32:44 +10:00 · cebe7c178d
commit cebe7c178d
parent 2b14ab6d57
1 changed files with 6 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -3,6 +3,12 @@
 **An automated treasury tier that signs its own cold→hot refills under on-device policy — with no human
 in the loop, and no single machine able to move a satoshi.**

+> **New to the term "HSM"?** A *Hardware Security Module* is a dedicated, tamper-resistant device that holds a
+> private key and signs with it **on the device** — the key is generated inside the chip and can never be
+> extracted, even by the computer it's attached to. Banks and certificate authorities have relied on HSMs for
+> decades to keep signing keys out of reach of a compromised server. Here, each of the three signers is a
+> **Coldcard running in HSM mode**, and a spend needs two of them to independently approve it under policy.
+
 Three hardware signers (Coldcards in HSM mode), each on a separate host — ideally a separate site. A
 **keyless** coordinator builds the refill transaction and fans it to any two of the three. Each device checks
 the transaction against **its own on-device spending policy** (per-transaction cap, velocity limit, address