diff --git a/.github/workflows/security-reusable.yml b/.github/workflows/security-reusable.yml
index c3a7592..d87c773 100644
--- a/.github/workflows/security-reusable.yml
+++ b/.github/workflows/security-reusable.yml
@@ -10,6 +10,9 @@ jobs:
 security:
 name: Security Audit
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: write
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
diff --git a/Cargo.lock b/Cargo.lock
index 6e74dbb..d0edb47 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -169,12 +169,6 @@ version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" -[[package]] -name = "bitflags" -version = "1.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" - [[package]] name = "bitflags" version = "2.10.0"
@@ -352,11 +346,11 @@ dependencies = [ [[package]] name = "cryptoki" -version = "0.10.0" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "781357a7779a8e92ea985121bbf379a9adf0777f44ab6392efc6abd5aa9b67db" +checksum = "1988310baf84fc66da11d876b3c01d268cdc416b330158790318507f739bb72f" dependencies = [ - "bitflags 1.3.2", + "bitflags", "cryptoki-sys", "libloading", "log",
@@ -366,9 +360,9 @@ dependencies = [ [[package]] name = "cryptoki-sys" -version = "0.4.0" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "753e27d860277930ae9f394c119c8c70303236aab0ffab1d51f3d207dbb2bc4b" +checksum = "f1fd850498411e4057f1cba79e6e2bc7cbe960544c1046ab46d4685c403a1121" dependencies = [ "libloading", ]
@@ -944,7 +938,7 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "df15f6eac291ed1cf25865b1ee60399f57e7c227e7f51bdbd4c5270396a9ed50" dependencies = [ - "bitflags 2.10.0", + "bitflags", "libc", "redox_syscall 0.6.0", ]
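Review bot: The new job-level `permissions:` block in `security-reusable.yml` grants `issues: write` to every step of the Security Audit job, but nothing in the hunk says which step needs it. A comment on that line, for example `# issues: write - required by the audit step that files advisories as issues` (adjusted to whichever step actually uses it), would let a later reviewer tell when the scope can be dropped. Judging by the file name this is a reusable workflow, and a called workflow can only narrow the token permissions its caller grants, so callers that set restrictive `permissions:` must also allow `issues: write`; that requirement is worth stating in the workflow's header comment. The `steps:` list continues outside the hunk, so the step that writes issues is not visible here.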
@@ -1221,7 +1215,7 @@ version = "0.5.18" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d" dependencies = [ - "bitflags 2.10.0", + "bitflags", ] [[package]]
@@ -1230,7 +1224,7 @@ version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ec96166dafa0886eb81fe1c0a388bece180fbef2135f97c1e2cf8302e74b43b5" dependencies = [ - "bitflags 2.10.0", + "bitflags", ] [[package]]
@@ -1361,7 +1355,7 @@ version = "1.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cd15f8a2c5551a84d56efdc1cd049089e409ac19a3072d5037a17fd70719ff3e" dependencies = [ - "bitflags 2.10.0", + "bitflags", "errno", "libc", "linux-raw-sys",
@@ -1447,9 +1441,9 @@ checksum = "490dcfcbfef26be6800d11870ff2df8774fa6e86d047e3e8c8a76b25655e41ca" [[package]] name = "secrecy" -version = "0.8.0" +version = "0.10.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9bd1c54ea06cfd2f6b63219704de0b9b4f72dcc2b8fdef820be6cd799780e91e" +checksum = "e891af845473308773346dc847b2c23ee78fe442e0472ac50e22a18a93d3ae5a" dependencies = [ "zeroize", ]
@@ -1862,7 +1856,7 @@ version = "0.6.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8" dependencies = [ - "bitflags 2.10.0", + "bitflags", "bytes", "futures-util", "http",
diff --git a/Cargo.toml b/Cargo.toml
index d44d2e6..e6dcf98 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -52,7 +52,7 @@ base64 = "0.22"
 sha2 = "0.10"
 blake3 = "1.5"
 chrono = { version = "0.4", features = ["serde"] }
-cryptoki = "0.10"
+cryptoki = "0.11"
 rpassword = "7.3"
 [dev-dependencies]
diff --git a/YUBIKEY_TESTING.md b/docs/yubikey_testing.md
similarity index 100%
rename from YUBIKEY_TESTING.md
rename to docs/yubikey_testing.md
diff --git a/src/utils/pkcs11_devices.rs b/src/utils/pkcs11_devices.rs
index 7b8b551..7351de3 100644
--- a/src/utils/pkcs11_devices.rs
+++ b/src/utils/pkcs11_devices.rs
@@ -3,7 +3,7 @@
 //! Provides unified support for TPM, YubiKey, HSMs, and other PKCS#11-compatible devices.
 use anyhow::{Context, Result};
-use cryptoki::context::{CInitializeArgs, Pkcs11};
+use cryptoki::context::{CInitializeArgs, CInitializeFlags, Pkcs11};
 use cryptoki::mechanism::Mechanism;
 use cryptoki::object::{Attribute, AttributeType, ObjectClass, ObjectHandle};
 use cryptoki::session::{Session, UserType};
@@ -662,7 +662,7 @@ pub fn init_pkcs11_session(
 let pkcs11 = Pkcs11::new(module_path).context("Failed to load PKCS#11 module")?;
 pkcs11
- .initialize(CInitializeArgs::OsThreads)
+ .initialize(CInitializeArgs::new(CInitializeFlags::OS_LOCKING_OK))
 .context("Failed to initialize PKCS#11")?;
 // Find token
@@ -675,7 +675,7 @@ pub fn init_pkcs11_session(
 // Login - auth should contain the PIN already
 if !auth.is_empty() {
- let auth_pin = AuthPin::new(auth.to_string());
+ let auth_pin = AuthPin::new(auth.to_string().into());
 session
 .login(UserType::User, Some(&auth_pin))
 .context("Failed to login to PKCS#11 device")?;
@@ -705,7 +705,7 @@ pub fn delete_pkcs11_key(uri: &str) -> Result<()> {
 let pkcs11 = Pkcs11::new(module_path).context("Failed to load PKCS#11 module")?;
 pkcs11
- .initialize(CInitializeArgs::OsThreads)
+ .initialize(CInitializeArgs::new(CInitializeFlags::OS_LOCKING_OK))
 .context("Failed to initialize PKCS#11")?;
 // Find the token
@@ -719,7 +719,7 @@ pub fn delete_pkcs11_key(uri: &str) -> Result<()> {
 // For deletion, we need to login with PIN
 let pin_str = rpassword::prompt_password("Enter PIN to delete hardware key: ")
 .context("Failed to read PIN")?;
- let auth_pin = AuthPin::new(pin_str.clone());
+ let auth_pin = AuthPin::new(pin_str.clone().into());
 session
 .login(UserType::User, Some(&auth_pin))
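Review bot: The expression `CInitializeArgs::new(CInitializeFlags::OS_LOCKING_OK)` is now spelled out in both `init_pkcs11_session` (hunk `@@ -662,7`) and `delete_pkcs11_key` (hunk `@@ -705,7`), and a third time in `tests/pkcs11_integration_test.rs`. A single private helper in this module that returns the initialize arguments would keep the locking mode in one place for the next cryptoki API change. A comment on that helper such as `// OS_LOCKING_OK: the module may use native OS locking; replaces CInitializeArgs::OsThreads from cryptoki 0.10` would record why this flag was chosen. Both function bodies start and end outside their hunks.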
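Review bot: `AuthPin::new(auth.to_string().into())` in `init_pkcs11_session` (hunk `@@ -675,7`) still builds a plain `String` copy of the PIN before handing it to `AuthPin`; the same pattern appears in `delete_pkcs11_key` (`pin_str.clone().into()`, hunk `@@ -719,7`) and in `sign_with_pkcs11_device` (`pin.to_string().into()`, hunk `@@ -808,7`). If `auth` and `pin` are `&str`, as the `.to_string()` calls suggest, `AuthPin::new(auth.into())` converts directly and skips the intermediate allocation. In `delete_pkcs11_key` the `.clone()` leaves `pin_str` holding a second copy of the PIN that is dropped without being wiped; if nothing after the hunk reads `pin_str`, moving it with `AuthPin::new(pin_str.into())` avoids that copy. This assumes `AuthPin` now wraps a boxed `str` from secrecy 0.10, which the lockfile bump to 0.10.3 suggests but the diff does not show; all three function bodies continue outside their hunks.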
@@ -808,7 +808,7 @@ pub fn sign_with_pkcs11_device(
 if requires_auth {
 // Key requires per-operation authentication (common with YubiKey)
 // Use the provided PIN for context-specific login
- let auth_pin = AuthPin::new(pin.to_string());
+ let auth_pin = AuthPin::new(pin.to_string().into());
 // Context-specific login for this operation
 session
diff --git a/tests/pkcs11_integration_test.rs b/tests/pkcs11_integration_test.rs
index 0cc16cf..301134c 100644
--- a/tests/pkcs11_integration_test.rs
+++ b/tests/pkcs11_integration_test.rs
@@ -252,7 +252,7 @@ fn test_tpm_connection() {
 let _tpm = SwtpmInstance::new().expect("Failed to start TPM simulator");
 use avocado_cli::utils::pkcs11_devices::{get_pkcs11_module_path, DeviceType};
- use cryptoki::context::{CInitializeArgs, Pkcs11};
+ use cryptoki::context::{CInitializeArgs, CInitializeFlags, Pkcs11};
 let module_path = get_pkcs11_module_path(&DeviceType::Tpm).expect("Failed to find PKCS#11 module path");
@@ -262,7 +262,7 @@ fn test_tpm_connection() {
 let pkcs11 = Pkcs11::new(module_path).expect("Failed to load PKCS#11 module");
 pkcs11
- .initialize(CInitializeArgs::OsThreads)
+ .initialize(CInitializeArgs::new(CInitializeFlags::OS_LOCKING_OK))
 .expect("Failed to initialize PKCS#11");
 let slots = pkcs11