xenial (1) pkcsep11_migrate.1.gz

Provided by: opencryptoki_3.4.1+dfsg-1ubuntu4.1_amd64 bug

NAME

       pkcsep11_migrate  -  utility to re-encrypt EP11 token keys to prepare a change of master keys in the EP11
       adapter

SYNOPSIS

       pkcep11_migrate [-h] [-slot slot-number -adapter adapter-ID -domain domain-ID ]

DESCRIPTION

       In case of a Master key change within an EP11 adapter all key objects that are wrapped with  this  master
       key  must  be  re-wrapped or re-encrypted.  The pkcsep11_migrate utility takes all EP11 token related key
       objects that are wrapped with the EP11 adapter master key, decrypts each  key  object  with  the  current
       master key and encrypt it with the new master key.

       Notes:
       1.  The  new master key must be set and committed on the EP11 adapter via Trusted Key Entry console (TKE)
       before using this utility.
       2. While using this tool no process using the EP11 token should be running.
       3. Before using this tool make a back-up of the token objects in ep11tok/TOK_OBJ/.
       4. After successfully execution of the migrate utility and before (re)starting
          programs using the EP11 token the new master key must be activated using the TKE.

COMMAND SUMMARY

       -slot slot-number
                 specifies the token slot of the EP11 token

       -adapter adapter-ID
                 specifies an EP11 adapter ID.  (Refer to lszcrypt to get a list of installed  crypto  adapters.
                 The adapter ID will be the number xx  in 'cardxx' from the output.)  This value can be provided
                 either in hexadecimal (e.g. 0x0A) or decimal (10) notation.

       -domain domain-ID
                 specifies the usage domain for the EP11 adapter. (see /sys/bus/ap/ap_domain.)  This  value  can
                 be provided either in hexadecimal (e.g. 0x0B) or decimal (11) notation.

       -h        show usage information

SEE ALSO

       pkcsconf(1),
       opencryptoki(7),
       pkcsslotd(8).