NAME

       pkcsep11_migrate  -  utility  to  re-encrypt EP11 token keys to prepare a change of master
       keys in the EP11 adapter

SYNOPSIS

       pkcep11_migrate [-h] [-slot slot-number -adapter adapter-ID -domain domain-ID ]

DESCRIPTION

       In case of a Master key change within an EP11 adapter all key  objects  that  are  wrapped
       with  this  master  key  must be re-wrapped or re-encrypted.  The pkcsep11_migrate utility
       takes all EP11 token related key objects that are wrapped with  the  EP11  adapter  master
       key,  decrypts  each  key  object  with the current master key and encrypt it with the new
       master key.

       Notes:
       1. The new master key must be set and committed on the EP11 adapter via Trusted Key  Entry
       console (TKE) before using this utility.
       2. While using this tool no process using the EP11 token should be running.
       3. Before using this tool make a back-up of the token objects in ep11tok/TOK_OBJ/.
       4. After successfully execution of the migrate utility and before (re)starting
          programs using the EP11 token the new master key must be activated using the TKE.

COMMAND SUMMARY

       -slot slot-number
                 specifies the token slot of the EP11 token

       -adapter adapter-ID
                 specifies  an  EP11  adapter  ID.  (Refer to lszcrypt to get a list of installed
                 crypto adapters.  The adapter ID will be the number xx   in  'cardxx'  from  the
                 output.)   This  value  can  be  provided  either  in hexadecimal (e.g. 0x0A) or
                 decimal (10) notation.

       -domain domain-ID
                 specifies the usage domain for the EP11  adapter.  (see  /sys/bus/ap/ap_domain.)
                 This  value  can  be  provided either in hexadecimal (e.g. 0x0B) or decimal (11)
                 notation.

       -h        show usage information

SEE ALSO

       pkcsconf(1),
       opencryptoki(7),
       pkcsslotd(8).