1 .\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
2 .\" Written by David Howells (dhowells@redhat.com)
3 .\" and Copyright (C) 2016 Michael Kerrisk <mtk.man-pages@gmail.com>
5 .\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
6 .\" This program is free software; you can redistribute it and/or
7 .\" modify it under the terms of the GNU General Public License
8 .\" as published by the Free Software Foundation; either version
9 .\" 2 of the License, or (at your option) any later version.
12 .TH ADD_KEY 2 2016-07-17 Linux "Linux Key Management Calls"
14 add_key \- add a key to the kernel's key management facility
17 .B #include <sys/types.h>
18 .B #include <keyutils.h>
20 .BI "key_serial_t add_key(const char *" type ", const char *" description ,
21 .BI " const void *" payload ", size_t " plen ,
22 .BI " key_serial_t " keyring ");"
25 No glibc wrapper is provided for this system call; see NOTES.
28 creates or updates a key of the given
32 instantiates it with the
36 attaches it to the nominated
38 and returns the key's serial number.
40 The key may be rejected if the provided data is in the wrong format or
41 it is invalid in some other way.
45 already contains a key that matches the specified
49 then, if the key type supports it,
50 .\" FIXME Which key types support this?
51 that key will be updated rather than a new key being created;
52 if not, a new key (with a different ID) will be created
53 and it will displace the link to the extant key from the keyring.
54 .\" FIXME Perhaps elaborate the implications here? Namely, the new
55 .\" key will have a new ID, and if the old key was a keyring tha
56 .\" is consequently unlinked, then keys that it was anchrorin
57 .\" will have their refgerence count decreased by one (and ma
58 .\" consequently be garbage collected).
62 serial number may be that of a valid keyring for which the caller has
64 permission, or it may be one of the following special keyring IDs:
65 .\" FIXME Perhaps have a separate page describing special keyring IDs?
67 .B KEY_SPEC_THREAD_KEYRING
68 This specifies the caller's thread-specific keyring
69 .RB ( thread-keyring (7)).
71 .B KEY_SPEC_PROCESS_KEYRING
72 This specifies the caller's process-specific keyring
73 .RB ( process-keyring (7)).
75 .B KEY_SPEC_SESSION_KEYRING
76 This specifies the caller's session-specific keyring
77 .RB ( session-keyring (7)).
79 .B KEY_SPEC_USER_KEYRING
80 This specifies the caller's UID-specific keyring
81 .RB ( user-keyring (7)).
83 .B KEY_SPEC_USER_SESSION_KEYRING
84 This specifies the caller's UID-session keyring
85 .RB ( user-session-keyring (7)).
89 is a string that specifies the key's type.
90 Internally, the kernel defines a number of key types that are
91 available in the core key management code.
92 Among the types that are available for user-space use
93 and can be specified as the
100 This is a general purpose key type whose payload may be read and updated
101 by user-space applications.
102 The key is kept entirely within kernel memory.
103 The payload for keys of this type is a blob of arbitrary data
104 of up to 32,767 bytes.
107 Keyrings are special key types that may contain links to sequences of other
109 If this interface is used to create a keyring, then a NULL
111 should be specified, and
115 .IR """logon""" " (since Linux 3.3)"
116 .\" commit 9f6ed2ca257fa8650b876377833e6f14e272848b
117 This key type is essentially the same as
119 but it does not provide reading.
120 This is suitable for storing payloads
121 that you do not want to be readable from user space.
123 This key type vets the
125 to ensure that it is qualified by a "service" prefix,
126 by checking to ensure that the
128 contains a ':' that is preceded by other characters.
130 .IR """big_key""" " (since Linux 3.13)"
131 .\" commit ab3c3587f8cda9083209a61dbe3a4407d3cada10
132 This key type is similar to
134 but may hold a payload of up to 1 MiB.
135 If the key payload is large enough,
136 then it may be stored in tmpfs (which can be swapped out) rather than kernel
139 For further details on these key types, see
144 returns the serial number of the key it created or updated.
145 On error, \-1 is returned and
147 is set to indicate the cause of the error.
151 The keyring wasn't available for modification by the user.
154 The key quota for this user would be exceeded by creating this key or linking
159 .IR type ", " description " or " payload
160 points outside process' accessible address space.
163 The size of the string (including the terminating null byte) specified in
167 exceeded the limit (32 bytes and 4096 bytes respectively).
170 The payload data was invalid.
178 was not qualified with a prefix string of the form
182 The keyring has expired.
185 The keyring has been revoked.
188 The keyring doesn't exist.
191 Insufficient memory to create a key.
206 This system call first appeared in Linux 2.6.10.
208 This system call is a nonstandard Linux extension.
210 No wrapper for this system call is provided in glibc.
211 A wrapper is provided in the
214 When employing the wrapper in that library, link with
217 The program below creates a key with the type, description, and payload
218 specified in its command-line arguments,
219 and links that key into the session keyring.
220 The following shell session demonstrates the use of the program:
224 $ \fB./a.out user mykey "Some payload"\fP
226 $ \fBgrep \(aq64a4dca\(aq /proc/keys\fP
227 064a4dca I--Q--- 1 perm 3f010000 1000 1000 user mykey: 12
233 #include <sys/types.h>
234 #include <keyutils.h>
240 main(int argc, char *argv[])
245 fprintf(stderr, "Usage: %s type description payload\\n",
250 key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]),
251 KEY_SPEC_SESSION_KEYRING);
257 printf("Key ID is %lx\\n", (long) key);
271 .BR persistent\-keyring (7),
272 .BR process\-keyring (7),
273 .BR session\-keyring (7),
274 .BR thread\-keyring (7),
275 .BR user\-keyring (7),
276 .BR user\-session\-keyring (7)
278 The kernel source files
279 .IR Documentation/security/keys.txt
281 .IR Documentation/security/keys\-request\-key.txt .