1 .\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
2 .\" Written by David Howells (dhowells@redhat.com)
3 .\" and Copyright (C) 2016 Michael Kerrisk <mtk.man-pages@gmail.com>
5 .\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
6 .\" This program is free software; you can redistribute it and/or
7 .\" modify it under the terms of the GNU General Public License
8 .\" as published by the Free Software Foundation; either version
9 .\" 2 of the License, or (at your option) any later version.
12 .TH ADD_KEY 2 2016-07-17 Linux "Linux Key Management Calls"
14 add_key \- add a key to the kernel's key management facility
17 .B #include <sys/types.h>
18 .B #include <keyutils.h>
20 .BI "key_serial_t add_key(const char *" type ", const char *" description ,
21 .BI " const void *" payload ", size_t " plen ,
22 .BI " key_serial_t " keyring ");"
25 No glibc wrapper is provided for this system call; see NOTES.
28 creates or updates a key of the given
32 instantiates it with the
36 attaches it to the nominated
38 and return the key's serial number.
40 The key type may reject the data if it is in the wrong format or
41 is in some other way invalid.
45 already contains a key that matches the specified
49 then, if the key type supports it,
50 that key will be updated rather than a new key being created;
51 if not, a new key (with a different ID) will be created
52 and it will displace the link to the extant key from the keyring.
56 serial number may be that of a valid keyring for which the caller has
58 permission, or it may be one of the following special keyring IDs:
60 .B KEY_SPEC_THREAD_KEYRING
61 This specifies the caller's thread-specific keyring
62 .RB ( thread-keyring (7)).
64 .B KEY_SPEC_PROCESS_KEYRING
65 This specifies the caller's process-specific keyring
66 .RB ( process-keyring (7)).
68 .B KEY_SPEC_SESSION_KEYRING
69 This specifies the caller's session-specific keyring
70 .RB ( session-keyring (7)).
72 .B KEY_SPEC_USER_KEYRING
73 This specifies the caller's UID-specific keyring
74 .RB ( user-keyring (7)).
76 .B KEY_SPEC_USER_SESSION_KEYRING
77 This specifies the caller's UID-session keyring
78 .RB ( user-session-keyring (7)).
82 is a string that specifies the key's type.
83 Internally, the kernel defines a number of key types that are
84 available in the core key management code.
85 The following types are available for user-space use,
86 and can be specified as the
92 The payload for keys of this type is a blob of arbitrary data
93 of up to 32,767 bytes.
96 may be any valid string, though it is preferred that it
97 start with a colon-delimited prefix representing the service
98 to which the key is of interest
100 .IR """afs:mykey""" ).
103 Keyrings are special key types that may contain links to sequences of other
105 If this interface is used to create a keyring, then a NULL
107 should be specified, and
111 .IR """logon""" " (since Linux 3.3)"
112 .\" commit 9f6ed2ca257fa8650b876377833e6f14e272848b
113 This key type is essentially the same as
115 but does not provide reading (i.e., the
119 meaning that the key payload is never visible from user space.
120 This is suitable for storing username and password pairs in the keyring
121 that you do not want to be readable from user space.
123 This key type also vets the
125 to ensure that it is qualified by a "service" prefix,
126 by checking to ensure that the
128 contains a ':' that is preceded by other characters.
130 .IR """big_key""" " (since Linux 3.13)"
131 .\" commit ab3c3587f8cda9083209a61dbe3a4407d3cada10
132 This key type is similar to
134 but may hold a payload of up to 1 MiB.
136 the contents can be saved in a tmpfs filesystem and
137 thus swapped out to disk when memory pressure is high.
138 This key type is useful for tasks such as holding Kerberos ticket caches.
139 .\" David Howells: there are also other key types available for
144 returns the serial number of the key it created or updated.
145 On error, \-1 is returned and
147 is set to indicate the cause of the error.
151 The keyring wasn't available for modification by the user.
154 The key quota for this user would be exceeded by creating this key or linking
158 The size of the string (including the terminating null byte) specified in
162 exceeded the limit (32 bytes and 4096 bytes respectively).
165 The payload data was invalid.
173 was not qualified with a prefix string of the form
177 The keyring has expired.
180 The keyring has been revoked.
183 The keyring doesn't exist.
186 Insufficient memory to create a key.
188 This system call first appeared in Linux 2.6.11.
190 This system call is a nonstandard Linux extension.
192 No wrapper for this system call is provided in glibc.
193 A wrapper is provided in the
196 When employing the wrapper in that library, link with
199 The program below creates a key with the type, description, and payload
200 specified in its command-line arguments,
201 and links that key into the session keyring.
202 The following shell session demonstrates the use of the program:
206 $ \fB./a.out user mykey "Some payload"\fP
208 $ \fBgrep \(aq64a4dca\(aq /proc/keys\fP
209 064a4dca I--Q--- 1 perm 3f010000 1000 1000 user mykey: 12
215 #include <sys/types.h>
216 #include <keyutils.h>
221 #define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); \\
225 main(int argc, char *argv[])
230 fprintf(stderr, "Usage: %s type description payload\\n",
235 key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]),
236 KEY_SPEC_SESSION_KEYRING);
240 printf("Key ID is %lx\\n", (long) key);
254 .BR persistent\-keyring (7),
255 .BR process\-keyring (7),
256 .BR session\-keyring (7),
257 .BR thread\-keyring (7),
258 .BR user\-keyring (7),
259 .BR user\-session\-keyring (7)
261 The kernel source files
262 .IR Documentation/security/keys.txt
264 .IR Documentation/security/keys\-request\-key.txt .