pkcstok_migrate - Man Page

utility to migrate an ICA, CCA, Soft, or EP11 token repository to the FIPS compliant format introduced with openCryptoki 3.12.

Synopsis

pkcstok_migrate [-h]
pkcstok_migrate --slotid slot-number --datastore datastore --confdir confdir [--sopin sopin] [--userpin userpin] [--verbose level]

Description

Convert all objects inside a token repository to the new format introduced with version 3.12.  All encrypted data inside the new format is stored using FIPS compliant methods. The new format affects the token's master key files (MK_SO and MK_USER), the NVTOK.DAT, and the token object files in the TOK_OBJ folder.

While using this tool no process using the token to be migrated must be running. Especially the pkcsslotd must be stopped before running this tool.

The tool creates a backup of the token repository to be migrated, and performs all migration actions on this backup, leaving the original repository folder completely untouched. The backup folder is located in the same directory as the original repository and is suffixed with _PKCSTOK_MIGRATE_TMP.

After a successful migration, the original repository is renamed with a suffix of _BAK and the backup folder is renamed to the original repository name, so that the migrated repository can immediately be used. The old folder may be deleted by the user manually later.

After a successful migration, the tool adds parameter 'tokversion = 3.12' to the token's slot configuration in the opencryptoki.conf file. The original config file is still available as opencryptoki.conf_BAK and may be removed by the user manually.

After an unsuccessful migration, the original repository is still available unchanged.

The pkcstok_migrate utility must be run as root.

Options Summary

--slotid -s SLOT-NUMBER

specifies the token slot number of the token repository to be migrated

--datastore -d DATASTORE

specifies the directory of the token repository to be migrated.

--confdir -c CONFDIR

specifies the directory where the opencryptoki.conf file is located.

--sopin -p SOPIN

specifies the SO pin. If not specified, the SO pin is prompted.

--userpin -u USERPIN

specifies the user pin. If not specified, the user pin is prompted.

--verbose -v LEVEL

specifies the verbose level: none, error, warn, info, devel, debug

--help -h

show usage information

See Also

pkcsconf(1),

opencryptoki(7),

pkcsslotd(8).

Referenced By

policy.conf(5).

June 2020 3.23 openCryptoki