1 .\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
2 .\" Written by David Howells (dhowells@redhat.com)
3 .\" and Copyright (C) 2016 Michael Kerrisk <mtk.man-pages@gmail.com>
5 .\" SPDX-License-Identifier: GPL-2.0-or-later
7 .TH add_key 2 (date) "Linux man-pages (unreleased)"
9 add_key \- add a key to the kernel's key management facility
12 .RI ( libc ", " \-lc )
15 .B #include <keyutils.h>
17 .BI "key_serial_t add_key(const char *" type ", const char *" description ,
18 .BI " const void *" payload ", size_t " plen ,
19 .BI " key_serial_t " keyring ");"
23 There is no glibc wrapper for this system call; see NOTES.
26 creates or updates a key of the given
30 instantiates it with the
34 attaches it to the nominated
36 and returns the key's serial number.
38 The key may be rejected if the provided data is in the wrong format or
39 it is invalid in some other way.
43 already contains a key that matches the specified
47 then, if the key type supports it,
48 .\" FIXME The aforementioned phrases begs the question:
49 .\" which key types support this?
50 that key will be updated rather than a new key being created;
51 if not, a new key (with a different ID) will be created
52 and it will displace the link to the extant key from the keyring.
53 .\" FIXME Perhaps elaborate the implications here? Namely, the new
54 .\" key will have a new ID, and if the old key was a keyring that
55 .\" is consequently unlinked, then keys that it was anchoring
56 .\" will have their reference count decreased by one (and may
57 .\" consequently be garbage collected). Is this all correct?
61 serial number may be that of a valid keyring for which the caller has
64 Alternatively, it may be one of the following special keyring IDs:
65 .\" FIXME . Perhaps have a separate page describing special keyring IDs?
67 .B KEY_SPEC_THREAD_KEYRING
68 This specifies the caller's thread-specific keyring
69 .RB ( thread\-keyring (7)).
71 .B KEY_SPEC_PROCESS_KEYRING
72 This specifies the caller's process-specific keyring
73 .RB ( process\-keyring (7)).
75 .B KEY_SPEC_SESSION_KEYRING
76 This specifies the caller's session-specific keyring
77 .RB ( session\-keyring (7)).
79 .B KEY_SPEC_USER_KEYRING
80 This specifies the caller's UID-specific keyring
81 .RB ( user\-keyring (7)).
83 .B KEY_SPEC_USER_SESSION_KEYRING
84 This specifies the caller's UID-session keyring
85 .RB ( user\-session\-keyring (7)).
89 is a string that specifies the key's type.
90 Internally, the kernel defines a number of key types that are
91 available in the core key management code.
92 Among the types that are available for user-space use
93 and can be specified as the
100 Keyrings are special key types that may contain links to sequences of other
102 If this interface is used to create a keyring, then
109 This is a general purpose key type whose payload may be read and updated
110 by user-space applications.
111 The key is kept entirely within kernel memory.
112 The payload for keys of this type is a blob of arbitrary data
113 of up to 32,767 bytes.
115 .IR """logon""" " (since Linux 3.3)"
116 .\" commit 9f6ed2ca257fa8650b876377833e6f14e272848b
117 This key type is essentially the same as
119 but it does not permit the key to read.
120 This is suitable for storing payloads
121 that you do not want to be readable from user space.
123 This key type vets the
125 to ensure that it is qualified by a "service" prefix,
126 by checking to ensure that the
128 contains a ':' that is preceded by other characters.
130 .IR """big_key""" " (since Linux 3.13)"
131 .\" commit ab3c3587f8cda9083209a61dbe3a4407d3cada10
132 This key type is similar to
134 but may hold a payload of up to 1\ MiB.
135 If the key payload is large enough,
136 then it may be stored encrypted in tmpfs
137 (which can be swapped out) rather than kernel memory.
139 For further details on these key types, see
144 returns the serial number of the key it created or updated.
145 On error, \-1 is returned and
147 is set to indicate the error.
151 The keyring wasn't available for modification by the user.
154 The key quota for this user would be exceeded by creating this key or linking
163 points outside process's accessible address space.
166 The size of the string (including the terminating null byte) specified in
170 exceeded the limit (32 bytes and 4096 bytes respectively).
173 The payload data was invalid.
181 was not qualified with a prefix string of the form
185 The keyring has expired.
188 The keyring has been revoked.
191 The keyring doesn't exist.
194 Insufficient memory to create a key.
199 started with a period (\(aq.\(aq).
200 Key types that begin with a period are reserved to the implementation.
208 started with a period (\(aq.\(aq).
209 Keyrings with descriptions (names)
210 that begin with a period are reserved to the implementation.
212 This system call first appeared in Linux 2.6.10.
214 This system call is a nonstandard Linux extension.
216 Glibc does not provide a wrapper for this system call.
217 A wrapper is provided in the
220 (The accompanying package provides the
223 When employing the wrapper in that library, link with
226 The program below creates a key with the type, description, and payload
227 specified in its command-line arguments,
228 and links that key into the session keyring.
229 The following shell session demonstrates the use of the program:
233 $ \fB./a.out user mykey "Some payload"\fP
235 $ \fBgrep \(aq64a4dca\(aq /proc/keys\fP
236 064a4dca I\-\-Q\-\-\- 1 perm 3f010000 1000 1000 user mykey: 12
241 .\" SRC BEGIN (add_key.c)
243 #include <keyutils.h>
250 main(int argc, char *argv[])
255 fprintf(stderr, "Usage: %s type description payload\en",
260 key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]),
261 KEY_SPEC_SESSION_KEYRING);
267 printf("Key ID is %jx\en", (uintmax_t) key);
282 .BR persistent\-keyring (7),
283 .BR process\-keyring (7),
284 .BR session\-keyring (7),
285 .BR thread\-keyring (7),
286 .BR user\-keyring (7),
287 .BR user\-session\-keyring (7)
289 The kernel source files
290 .I Documentation/security/keys/core.rst
292 .I Documentation/keys/request\-key.rst
293 (or, before Linux 4.13, in the files
294 .\" commit b68101a1e8f0263dbc7b8375d2a7c57c6216fb76
295 .I Documentation/security/keys.txt
297 .\" commit 3db38ed76890565772fcca3279cc8d454ea6176b
298 .IR Documentation/security/keys\-request\-key.txt ).