PKCSTOK_MIGRATE(1)                openCryptoki                PKCSTOK_MIGRATE(1)

NAME
       pkcstok_migrate - utility to migrate an ICA, CCA, Soft, or EP11 token
       repository to the FIPS compliant format introduced with openCryptoki
       3.12.

SYNOPSIS
       pkcstok_migrate [-h]
       pkcstok_migrate --slotid slot-number --datastore datastore --confdir
       confdir [--sopin sopin] [--userpin userpin] [--verbose level]

DESCRIPTION
       Convert all objects inside a token repository to the new format
       introduced with version 3.12. All encrypted data inside the new format
       is stored using FIPS compliant methods. The new format affects the
       token's master key files (MK_SO and MK_USER), the NVTOK.DAT, and the
       token object files in the TOK_OBJ folder.

       No process that uses the token to be migrated may be running while
       this tool is in use. In particular, pkcsslotd must be stopped before
       running this tool.

       The tool creates a backup of the token repository to be migrated, and
       performs all migration actions on this backup, leaving the original
       repository folder completely untouched. The backup folder is located
       in the same directory as the original repository and is suffixed with
       _PKCSTOK_MIGRATE_TMP.

       After a successful migration, the original repository is renamed with
       a suffix of _BAK and the backup folder is renamed to the original
       repository name, so that the migrated repository can be used
       immediately. The user may delete the old folder manually later.

       After a successful migration, the tool adds the parameter 'tokversion =
       3.12' to the token's slot configuration in the opencryptoki.conf file.
       The original config file is still available as opencryptoki.conf_BAK
       and may be removed manually by the user.

       After an unsuccessful migration, the original repository is still
       available unchanged.

       The pkcstok_migrate utility must be run as root.

OPTIONS
       --slotid -s SLOT-NUMBER
              specifies the token slot number of the token repository to be
              migrated.

       --datastore -d DATASTORE
              specifies the directory of the token repository to be migrated.

       --confdir -c CONFDIR
              specifies the directory where the opencryptoki.conf file is
              located.

       --sopin -p SOPIN
              specifies the SO PIN. If not specified, the tool prompts for
              the SO PIN.

       --userpin -u USERPIN
              specifies the user PIN. If not specified, the tool prompts for
              the user PIN.

       --verbose -v LEVEL
              specifies the verbose level: none, error, warn, info, devel,
              debug

       --help -h
              show usage information

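The following shell functions are an added example, not part of the original man page or of openCryptoki. They wrap a run with the pre-conditions stated in DESCRIPTION (root, pkcsslotd stopped) and then verify the documented result (the _BAK folder, opencryptoki.conf_BAK, and tokversion = 3.12 in the slot's configuration). The function names are hypothetical, and the "slot N" line followed by a brace-delimited stanza is an assumption about the opencryptoki.conf layout.

```shell
#!/bin/sh
# Added example: checks around a pkcstok_migrate run (not openCryptoki code).

# Succeeds if the stanza for slot $2 in config file $1 has tokversion = 3.12.
slot_has_tokversion() {
    awk -v slot="$2" '
        $1 == "slot" { in_slot = ($2 == slot) }
        $1 == "}"    { in_slot = 0 }
        { line = $0; gsub(/[ \t]/, "", line) }
        in_slot && line == "tokversion=3.12" { found = 1 }
        END { exit !found }
    ' "$1"
}

# Succeeds if the post-migration layout from DESCRIPTION is in place.
verify_migration() {   # args: slot datastore confdir
    ds=${2%/}
    conf=$3/opencryptoki.conf
    [ -d "$ds" ] || { echo "missing $ds" >&2; return 1; }
    [ -d "${ds}_BAK" ] || { echo "no ${ds}_BAK, not migrated" >&2; return 1; }
    [ ! -e "${ds}_PKCSTOK_MIGRATE_TMP" ] ||
        { echo "working copy ${ds}_PKCSTOK_MIGRATE_TMP still present" >&2; return 1; }
    [ -f "${conf}_BAK" ] || { echo "no ${conf}_BAK" >&2; return 1; }
    slot_has_tokversion "$conf" "$1" ||
        { echo "slot $1 lacks tokversion = 3.12" >&2; return 1; }
}

# Pre-flight, run, verify. --sopin/--userpin are omitted so the tool prompts
# and the PINs stay out of the process list and shell history.
migrate_token() {      # args: slot datastore confdir
    [ "$(id -u)" -eq 0 ] || { echo "must be run as root" >&2; return 1; }
    if pgrep -x pkcsslotd >/dev/null; then
        echo "pkcsslotd is running, stop it first" >&2
        return 1
    fi
    pkcstok_migrate --slotid "$1" --datastore "$2" --confdir "$3" \
        --verbose info && verify_migration "$1" "$2" "$3"
}
```

verify_migration can also be run on its own after a manual migration, before the _BAK copies are deleted.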

SEE ALSO
       pkcsconf(1),
       opencryptoki(7),
       pkcsslotd(8).

3.18.0                            June 2020                   PKCSTOK_MIGRATE(1)