1PKCSTOK_MIGRATE(1)               openCryptoki               PKCSTOK_MIGRATE(1)
2
3
4

NAME

6       pkcstok_migrate  -  utility to migrate an ICA, CCA, Soft, or EP11 token
7       repository to the FIPS compliant format  introduced  with  openCryptoki
8       3.12.
9
10

SYNOPSIS

12       pkcstok_migrate [-h]
13       pkcstok_migrate  --slotid  slot-number  --datastore datastore --confdir
14       confdir [--sopin sopin] [--userpin userpin] [--verbose level]
15
16

DESCRIPTION

18       Convert all objects inside a token repository to the new format  intro‐
19       duced  with  version 3.12.  All encrypted data inside the new format is
20       stored using FIPS compliant methods. The new format affects the token's
21       master  key files (MK_SO and MK_USER), the NVTOK.DAT, and the token ob‐
22       ject files in the TOK_OBJ folder.
23
24       While using this tool no process using the token to be migrated must be
25       running.   Especially the pkcsslotd must be stopped before running this
26       tool.
27
28       The tool creates a backup of the token repository to be  migrated,  and
29       performs  all  migration  actions  on this backup, leaving the original
30       repository folder completely untouched. The backup folder is located in
31       the  same  directory  as  the  original repository and is suffixed with
32       _PKCSTOK_MIGRATE_TMP.
33
34       After a successful migration, the original repository is renamed with a
35       suffix of _BAK and the backup folder is renamed to the original reposi‐
36       tory name, so that the migrated repository can immediately be used. The
37       old folder may be deleted by the user manually later.
38
39       After  a  successful  migration,  the tool adds parameter 'tokversion =
40       3.12' to the token's slot configuration in the opencryptoki.conf  file.
41       The  original  config  file is still available as opencryptoki.conf_BAK
42       and may be removed by the user manually.
43
44       After an unsuccessful  migration,  the  original  repository  is  still
45       available unchanged.
46
47       The pkcstok_migrate utility must be run as root.
48
49

OPTIONS SUMMARY

51       --slotid -s SLOT-NUMBER
52                 specifies the token slot number of the token repository to be
53                 migrated
54
55       --datastore -d DATASTORE
56                 specifies the directory of the token  repository  to  be  mi‐
57                 grated.
58
59       --confdir -c CONFDIR
60                 specifies  the  directory where the opencryptoki.conf file is
61                 located.
62
63       --sopin -p SOPIN
64                 specifies the SO  pin.  If  not  specified,  the  SO  pin  is
65                 prompted.
66
67       --userpin -u USERPIN
68                 specifies  the  user  pin.  If not specified, the user pin is
69                 prompted.
70
71       --verbose -v LEVEL
72                 specifies the verbose level: none, error, warn, info,  devel,
73                 debug
74
75       --help -h show usage information
76
77

SEE ALSO

79       pkcsconf(1),
80       opencryptoki(7),
81       pkcsslotd(8).
82
83
84
853.21.0                             June 2020                PKCSTOK_MIGRATE(1)
Impressum