Provided by: opencryptoki_3.25.0+dfsg-0ubuntu1_amd64 bug

NAME
       pkcstok_migrate  -  utility  to migrate an ICA, CCA, Soft, or EP11 token repository to the FIPS compliant
       format introduced with openCryptoki 3.12.


SYNOPSIS
       pkcstok_migrate [-h]
       pkcstok_migrate --slotid slot-number --datastore datastore --confdir confdir [--sopin  sopin]  [--userpin
       userpin] [--verbose level]


DESCRIPTION
       Convert  all  objects  inside  a  token  repository  to the new format introduced with version 3.12.  All
       encrypted data inside the new format is stored using FIPS compliant methods. The new format  affects  the
       token's  master  key  files (MK_SO and MK_USER), the NVTOK.DAT, and the token object files in the TOK_OBJ
       folder.

       While using this tool no process using the  token  to  be  migrated  must  be  running.   Especially  the
       pkcsslotd must be stopped before running this tool.

       The  tool  creates a backup of the token repository to be migrated, and performs all migration actions on
       this backup, leaving the original repository folder completely untouched. The backup folder is located in
       the same directory as the original repository and is suffixed with _PKCSTOK_MIGRATE_TMP.

       After a successful migration, the original repository is renamed with a suffix of  _BAK  and  the  backup
       folder  is  renamed  to  the original repository name, so that the migrated repository can immediately be
       used. The old folder may be deleted by the user manually later.

       After a successful  migration,  the  tool  adds  parameter  'tokversion  =  3.12'  to  the  token's  slot
       configuration   in   the  opencryptoki.conf  file.  The  original  config  file  is  still  available  as
       opencryptoki.conf_BAK and may be removed by the user manually.

       After an unsuccessful migration, the original repository is still available unchanged.

       The pkcstok_migrate utility must be run as root.


OPTIONS SUMMARY
       --slotid -s SLOT-NUMBER
                 specifies the token slot number of the token repository to be migrated

       --datastore -d DATASTORE
                 specifies the directory of the token repository to be migrated.

       --confdir -c CONFDIR
                 specifies the directory where the opencryptoki.conf file is located.

       --sopin -p SOPIN
                 specifies the SO pin. If not specified, the SO pin is prompted.

       --userpin -u USERPIN
                 specifies the user pin. If not specified, the user pin is prompted.

       --verbose -v LEVEL
                 specifies the verbose level: none, error, warn, info, devel, debug

       --help -h show usage information


SEE ALSO
       pkcsconf(1),
       opencryptoki(7),
       pkcsslotd(8).

3.25.0                                              June 2020                                 PKCSTOK_MIGRATE(1)