Migrating to FIPS compliance using the pkcstok_migrate tool

Use the pkcstok_migrate tool to transform an EP11 token, a CCA token, an ICA token, or a Soft Token into a data format that was generated by FIPS compliant operations. You can use this tool to migrate tokens created with all versions of openCryptoki, because also for version 3.12 or later, the old non-compliant format is the default. Being FIPS compliant, the token data is stored in a format that is better protected against attacks than the previously used data format.

For further information, read the pkcstok_migrate man page.

Parameters


# pkcstok_migrate -h

Help:         pkcstok_migrate -h
-h, --help    Show this help

Options:

-s, --slotid SLOTID            PKCS slot number (required)
-d, --datastore DATASTORE      token datastore location (required)
-c, --confdir CONFDIR          location of opencryptoki.conf (required)
-u, --userpin USERPIN          token user pin (prompted if not specified)
-p, --sopin SOPIN              token SO pin (prompted if not specified)
-v, --verbose LEVEL            set verbose level (optional):
none (default), error, warn, info, devel, debug

Functionality

The utility:

  • directly accesses the token objects via file operations;
  • assumes that no other action is currently running. It checks if the slot manager pkcsslotd is running and asks the user to end it if yes.

Before making any changes to the repository, a temporary copy is created. Migration takes place on this copy. The copied folder is suffixed with _PKCSTOK_MIGRATE_TMP. If the migration fails, the old repository is still available.

Running a migration again, would remove any remaining backups from previous runs, create a new backup, and then do the migration.

  • After successfully migrating all token objects, the original repository folder is renamed by appending the suffix _BAK, and the new repository folder gets the name of the original one.
  • Also, the opencryptoki.conf file is updated by inserting (or updating) the tokversion parameter in the token’s slot configuration. The old configuration file is still available with the same suffix _BAK.

This makes the new repository immediately usable after restarting the pkcsslotd daemon, but also allows the user to switch back manually to the old token format.