pkcsep11_migrate(1) utility to re-encrypt EP11 token keys to prepare a

SYNOPSIS

pkcep11_migrate [-h] [-slot slot-number -adapter adapter-ID -domain domain-ID ]

DESCRIPTION

In case of a Master key change within an EP11 adapter all key objects that are wrapped with this master key must be re-wrapped or re-encrypted. The pkcsep11_migrate utility takes all EP11 token related key objects that are wrapped with the EP11 adapter master key, decrypts each key object with the current master key and encrypt it with the new master key.

Notes:
1. The new master key must be set and committed on the EP11 adapter via Trusted Key Entry console (TKE) before using this utility.
2. While using this tool no process using the EP11 token should be running.
3. Before using this tool make a back-up of the token objects in ep11tok/TOK_OBJ/.
4. After successfully execution of the migrate utility and before (re)starting
   programs using the EP11 token the new master key must be activated using the TKE.

COMMAND SUMMARY

-slot slot-number
specifies the token slot of the EP11 token
-adapter adapter-ID
specifies an EP11 adapter ID. (Refer to lszcrypt to get a list of installed crypto adapters. The adapter ID will be the number xx in 'cardxx' from the output.) This value can be provided either in hexadecimal (e.g. 0x0A) or decimal (10) notation.
-domain domain-ID
specifies the usage domain for the EP11 adapter. (see /sys/bus/ap/ap_domain.) This value can be provided either in hexadecimal (e.g. 0x0B) or decimal (11) notation.
-h
show usage information