FreeBSD Manual Pages

PKCSTOK_MIGRATE(1)               openCryptoki               PKCSTOK_MIGRATE(1)

NAME
       pkcstok_migrate - utility to migrate an ICA, CCA, Soft, or EP11 token
       repository to the FIPS compliant format introduced with openCryptoki
       3.12.

SYNOPSIS
       pkcstok_migrate [-h]
       pkcstok_migrate --slotid slot-number --datastore datastore --confdir
       confdir [--sopin sopin] [--userpin userpin] [--verbose level]

DESCRIPTION
       Convert all objects inside a token repository to the new format
       introduced with version 3.12. All encrypted data inside the new format
       is stored using FIPS compliant methods. The new format affects the
       token's master key files (MK_SO and MK_USER), the NVTOK.DAT, and the
       token object files in the TOK_OBJ folder.

       While this tool is in use, no process that uses the token to be
       migrated may be running. In particular, pkcsslotd must be stopped
       before running this tool.

       The tool creates a backup of the token repository to be migrated, and
       performs all migration actions on this backup, leaving the original
       repository folder completely untouched. The backup folder is located in
       the same directory as the original repository and is suffixed with
       _PKCSTOK_MIGRATE_TMP.

       After a successful migration, the original repository is renamed with a
       suffix of _BAK and the backup folder is renamed to the original
       repository name, so that the migrated repository can immediately be
       used. The old folder may be deleted by the user manually later.

       After a successful migration, the tool adds parameter 'tokversion =
       3.12' to the token's slot configuration in the opencryptoki.conf file.
       The original config file is still available as opencryptoki.conf_BAK
       and may be removed by the user manually.

       After an unsuccessful migration, the original repository is still
       available unchanged.

       The pkcstok_migrate utility must be run as root.
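
       The checks below are an added example, not part of the openCryptoki
       manual page or project: a shell helper that verifies the on-disk state
       described above for a successful migration. The "slot N { ... }" stanza
       layout of opencryptoki.conf and both function names are assumptions.

```shell
#!/bin/sh
# Added example (not openCryptoki code): verify the state that the
# DESCRIPTION above says a successful pkcstok_migrate run leaves behind.

# slot_has_tokversion CONF SLOT
# Succeeds if the stanza for SLOT in CONF contains "tokversion = 3.12".
# Assumption: slots are written as "slot N" followed by a { ... } block.
slot_has_tokversion() {
    awk -v slot="$2" '
        $1 == "slot" && $2 == slot { in_slot = 1; next }
        in_slot && index($0, "}")  { in_slot = 0 }
        in_slot {
            line = $0
            gsub(/[ \t]/, "", line)      # tolerate spacing around "="
            if (line == "tokversion=3.12") found = 1
        }
        END { exit !found }
    ' "$1"
}

# check_migration CONFDIR DATASTORE SLOT
# Prints one line per unmet expectation and returns the number of them
# (0 means the migration looks complete).
check_migration() {
    confdir=$1 datastore=${2%/} slot=$3 fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # The migrated copy now carries the original repository name ...
    [ -d "$datastore" ] || fail "$datastore is missing"
    # ... the untouched original was renamed with the _BAK suffix ...
    [ -d "${datastore}_BAK" ] || fail "${datastore}_BAK is missing"
    # ... so no working copy with the temporary suffix should remain.
    [ ! -e "${datastore}_PKCSTOK_MIGRATE_TMP" ] ||
        fail "${datastore}_PKCSTOK_MIGRATE_TMP still exists"
    # The previous config is kept, and the slot is marked as migrated.
    [ -f "$confdir/opencryptoki.conf_BAK" ] ||
        fail "$confdir/opencryptoki.conf_BAK is missing"
    slot_has_tokversion "$confdir/opencryptoki.conf" "$slot" ||
        fail "slot $slot has no tokversion = 3.12"
    return "$fails"
}

# Usage: check_migration CONFDIR DATASTORE SLOT-NUMBER
```

       A non-zero return is the count of failed checks; review them before
       deleting the _BAK repository or opencryptoki.conf_BAK.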

OPTIONS SUMMARY
       --slotid -s SLOT-NUMBER
                 specifies the token slot number of the token repository to be
                 migrated.

       --datastore -d DATASTORE
                 specifies the directory of the token repository to be
                 migrated.

       --confdir -c CONFDIR
                 specifies the directory where the opencryptoki.conf file is
                 located.

       --sopin -p SOPIN
                 specifies the SO pin. If not specified, the SO pin is
                 prompted for.

       --userpin -u USERPIN
                 specifies the user pin. If not specified, the user pin is
                 prompted for.

       --verbose -v LEVEL
                 specifies the verbose level: none, error, warn, info, devel,
                 debug

       --help -h
                 show usage information

SEE ALSO
       pkcsconf(1),
       opencryptoki(7),
       pkcsslotd(8).

3.19.0                            June 2020                 PKCSTOK_MIGRATE(1)
