Provided by: opencryptoki_3.20.0+dfsg-0ubuntu1_amd64 bug

NAME

       pkcstok_migrate  -  utility  to migrate an ICA, CCA, Soft, or EP11 token repository to the
       FIPS compliant format introduced with openCryptoki 3.12.

SYNOPSIS

       pkcstok_migrate [-h]
       pkcstok_migrate --slotid slot-number  --datastore  datastore  --confdir  confdir  [--sopin
       sopin] [--userpin userpin] [--verbose level]

DESCRIPTION

       Convert  all  objects  inside a token repository to the new format introduced with version
       3.12.  All encrypted data inside the new format is stored using  FIPS  compliant  methods.
       The  new  format  affects the token's master key files (MK_SO and MK_USER), the NVTOK.DAT,
       and the token object files in the TOK_OBJ folder.

       While using this tool no  process  using  the  token  to  be  migrated  must  be  running.
       Especially the pkcsslotd must be stopped before running this tool.

       The  tool  creates  a  backup  of  the  token  repository to be migrated, and performs all
       migration actions on this  backup,  leaving  the  original  repository  folder  completely
       untouched.  The  backup folder is located in the same directory as the original repository
       and is suffixed with _PKCSTOK_MIGRATE_TMP.

       After a successful migration, the original repository is renamed with a suffix of _BAK and
       the  backup  folder  is  renamed  to  the  original  repository name, so that the migrated
       repository can immediately be used. The old folder may be deleted  by  the  user  manually
       later.

       After  a  successful migration, the tool adds parameter 'tokversion = 3.12' to the token's
       slot configuration in the opencryptoki.conf  file.  The  original  config  file  is  still
       available as opencryptoki.conf_BAK and may be removed by the user manually.

       After an unsuccessful migration, the original repository is still available unchanged.

       The pkcstok_migrate utility must be run as root.

OPTIONS SUMMARY

       --slotid -s SLOT-NUMBER
                 specifies the token slot number of the token repository to be migrated

       --datastore -d DATASTORE
                 specifies the directory of the token repository to be migrated.

       --confdir -c CONFDIR
                 specifies the directory where the opencryptoki.conf file is located.

       --sopin -p SOPIN
                 specifies the SO pin. If not specified, the SO pin is prompted.

       --userpin -u USERPIN
                 specifies the user pin. If not specified, the user pin is prompted.

       --verbose -v LEVEL
                 specifies the verbose level: none, error, warn, info, devel, debug

       --help -h show usage information

SEE ALSO

       pkcsconf(1),
       opencryptoki(7),
       pkcsslotd(8).