KMTool is a graphical user interface (GUI)-based tool that has three sections. It uses a sequence of steps to migrate the EDK from the source appliance to the target appliance, as indicated below:
- In section 1 of the tool (Validate Credentials), the three Key Custodians (KCs) must first authenticate to the source appliance.
- In section 1 of the tool (Validate Credentials), the Domain Administrator (DA) must then authenticate to the appliance and identify the Domain ID of the EDK being migrated.
- In section 2 (Migrate a key from this appliance), the MASK of the target appliance is identified for migration and the key is migrated. The tool writes out a migrating-key XML file containing the encrypted EDK.
- On the target appliance, the KCs and the DA must authenticate to the TPM using their credentials in section 1 of the KMTool.
- Finally, in section 3 of the tool (Import a migrating key to this appliance), the DA imports the encrypted EDK to the target appliance. This concludes the key migration process.
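
The following is an added example, not part of KMTool or the original page: a Python check that audits an event trail against the migration order described above. The event names, the tuple layout and the Domain ID `D-01` are assumptions made for illustration; KMTool's own log format is not described here.

```python
REQUIRED_KCS = 3  # the procedure requires all three Key Custodians

def audit_migration(events):
    """events: (appliance, action, principal, domain_id) tuples in time order.
    Returns a list of (event_index, reason); an empty list means the order held."""
    sessions = {}     # appliance -> {"kcs": set of KC names, "da_domain": Domain ID}
    exported = set()  # Domain IDs for which a migrating-key file was written
    findings = []
    for i, (appliance, action, principal, domain) in enumerate(events):
        s = sessions.setdefault(appliance, {"kcs": set(), "da_domain": None})
        if action == "kc_auth":
            s["kcs"].add(principal)  # a repeated custodian counts once
        elif action == "da_auth":
            # The page states KCs-then-DA for the source; applying the same
            # order on the target is an assumption of this example.
            if len(s["kcs"]) < REQUIRED_KCS:
                findings.append((i, "DA authenticated before three KCs"))
            s["da_domain"] = domain
        elif action in ("migrate", "import"):
            if len(s["kcs"]) < REQUIRED_KCS:
                findings.append((i, f"{action} without three distinct KCs"))
            if s["da_domain"] != domain:
                findings.append((i, f"{action} without DA for domain {domain}"))
            if action == "migrate":
                exported.add(domain)
            elif domain not in exported:
                findings.append((i, "import with no prior migrate"))
    return findings

def _auth(appliance, kcs, domain):
    """Build constructed section-1 events: the given KCs, then the DA."""
    return [(appliance, "kc_auth", k, None) for k in kcs] + \
           [(appliance, "da_auth", "da", domain)]

# Constructed sample trails (not real KMTool output).
GOOD = (_auth("source", ["kc1", "kc2", "kc3"], "D-01")
        + [("source", "migrate", "da", "D-01")]
        + _auth("target", ["kc1", "kc2", "kc3"], "D-01")
        + [("target", "import", "da", "D-01")])

# One custodian authenticates twice on the source; nobody authenticates on the target.
BAD = (_auth("source", ["kc1", "kc1", "kc2"], "D-01")
       + [("source", "migrate", "da", "D-01"),
          ("target", "import", "da", "D-01")])

if __name__ == "__main__":
    for name, trail in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_migration(trail))
```
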