1 .\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
2 .\" Written by David Howells (dhowells@redhat.com)
3 .\" and Copyright (C) 2016 Michael Kerrisk <mtk.man-pages@gmail.com>
5 .\" SPDX-License-Identifier: GPL-2.0-or-later
7 .TH ADD_KEY 2 2021-08-27 Linux "Linux Key Management Calls"
9 add_key \- add a key to the kernel's key management facility
12 .B #include <keyutils.h>
14 .BI "key_serial_t add_key(const char *" type ", const char *" description ,
15 .BI " const void *" payload ", size_t " plen ,
16 .BI " key_serial_t " keyring ");"
20 There is no glibc wrapper for this system call; see NOTES.
23 creates or updates a key of the given
27 instantiates it with the
31 attaches it to the nominated
33 and returns the key's serial number.
35 The key may be rejected if the provided data is in the wrong format or
36 it is invalid in some other way.
40 already contains a key that matches the specified
44 then, if the key type supports it,
45 .\" FIXME The aforementioned phrases begs the question:
46 .\" which key types support this?
47 that key will be updated rather than a new key being created;
48 if not, a new key (with a different ID) will be created
49 and it will displace the link to the extant key from the keyring.
50 .\" FIXME Perhaps elaborate the implications here? Namely, the new
51 .\" key will have a new ID, and if the old key was a keyring that
52 .\" is consequently unlinked, then keys that it was anchoring
53 .\" will have their reference count decreased by one (and may
54 .\" consequently be garbage collected). Is this all correct?
58 serial number may be that of a valid keyring for which the caller has
61 Alternatively, it may be one of the following special keyring IDs:
62 .\" FIXME . Perhaps have a separate page describing special keyring IDs?
64 .B KEY_SPEC_THREAD_KEYRING
65 This specifies the caller's thread-specific keyring
66 .RB ( thread\-keyring (7)).
68 .B KEY_SPEC_PROCESS_KEYRING
69 This specifies the caller's process-specific keyring
70 .RB ( process\-keyring (7)).
72 .B KEY_SPEC_SESSION_KEYRING
73 This specifies the caller's session-specific keyring
74 .RB ( session\-keyring (7)).
76 .B KEY_SPEC_USER_KEYRING
77 This specifies the caller's UID-specific keyring
78 .RB ( user\-keyring (7)).
80 .B KEY_SPEC_USER_SESSION_KEYRING
81 This specifies the caller's UID-session keyring
82 .RB ( user\-session\-keyring (7)).
86 is a string that specifies the key's type.
87 Internally, the kernel defines a number of key types that are
88 available in the core key management code.
89 Among the types that are available for user-space use
90 and can be specified as the
97 Keyrings are special key types that may contain links to sequences of other
99 If this interface is used to create a keyring, then
106 This is a general purpose key type whose payload may be read and updated
107 by user-space applications.
108 The key is kept entirely within kernel memory.
109 The payload for keys of this type is a blob of arbitrary data
110 of up to 32,767 bytes.
112 .IR """logon""" " (since Linux 3.3)"
113 .\" commit 9f6ed2ca257fa8650b876377833e6f14e272848b
114 This key type is essentially the same as
116 but it does not permit the key to read.
117 This is suitable for storing payloads
118 that you do not want to be readable from user space.
120 This key type vets the
122 to ensure that it is qualified by a "service" prefix,
123 by checking to ensure that the
125 contains a ':' that is preceded by other characters.
127 .IR """big_key""" " (since Linux 3.13)"
128 .\" commit ab3c3587f8cda9083209a61dbe3a4407d3cada10
129 This key type is similar to
131 but may hold a payload of up to 1\ MiB.
132 If the key payload is large enough,
133 then it may be stored encrypted in tmpfs
134 (which can be swapped out) rather than kernel memory.
136 For further details on these key types, see
141 returns the serial number of the key it created or updated.
142 On error, \-1 is returned and
144 is set to indicate the error.
148 The keyring wasn't available for modification by the user.
151 The key quota for this user would be exceeded by creating this key or linking
160 points outside process's accessible address space.
163 The size of the string (including the terminating null byte) specified in
167 exceeded the limit (32 bytes and 4096 bytes respectively).
170 The payload data was invalid.
178 was not qualified with a prefix string of the form
182 The keyring has expired.
185 The keyring has been revoked.
188 The keyring doesn't exist.
191 Insufficient memory to create a key.
196 started with a period (\(aq.\(aq).
197 Key types that begin with a period are reserved to the implementation.
205 started with a period (\(aq.\(aq).
206 Keyrings with descriptions (names)
207 that begin with a period are reserved to the implementation.
209 This system call first appeared in Linux 2.6.10.
211 This system call is a nonstandard Linux extension.
213 Glibc does not provide a wrapper for this system call.
214 A wrapper is provided in the
217 (The accompanying package provides the
220 When employing the wrapper in that library, link with
223 The program below creates a key with the type, description, and payload
224 specified in its command-line arguments,
225 and links that key into the session keyring.
226 The following shell session demonstrates the use of the program:
230 $ \fB./a.out user mykey "Some payload"\fP
232 $ \fBgrep \(aq64a4dca\(aq /proc/keys\fP
233 064a4dca I\-\-Q\-\-\- 1 perm 3f010000 1000 1000 user mykey: 12
239 #include <sys/types.h>
240 #include <keyutils.h>
247 main(int argc, char *argv[])
252 fprintf(stderr, "Usage: %s type description payload\en",
257 key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]),
258 KEY_SPEC_SESSION_KEYRING);
264 printf("Key ID is %jx\en", (uintmax_t) key);
278 .BR persistent\-keyring (7),
279 .BR process\-keyring (7),
280 .BR session\-keyring (7),
281 .BR thread\-keyring (7),
282 .BR user\-keyring (7),
283 .BR user\-session\-keyring (7)
285 The kernel source files
286 .IR Documentation/security/keys/core.rst
288 .IR Documentation/keys/request\-key.rst
289 (or, before Linux 4.13, in the files
290 .\" commit b68101a1e8f0263dbc7b8375d2a7c57c6216fb76
291 .IR Documentation/security/keys.txt
293 .\" commit 3db38ed76890565772fcca3279cc8d454ea6176b
294 .IR Documentation/security/keys\-request\-key.txt ).