1KEYCTL(1) Linux Key Management Utilities KEYCTL(1)
2
6 keyctl - key management facility control
7
9 keyctl --version
10 keyctl supports [<cap>]
11 keyctl show [-x] [<keyring>]
12 keyctl add <type> <desc> <data> <keyring>
13 keyctl padd <type> <desc> <keyring>
14 keyctl request <type> <desc> [<dest_keyring>]
15 keyctl request2 <type> <desc> <info> [<dest_keyring>]
16 keyctl prequest2 <type> <desc> [<dest_keyring>]
17 keyctl update <key> <data>
18 keyctl pupdate <key>
19 keyctl newring <name> <keyring>
20 keyctl revoke <key>
21 keyctl clear <keyring>
22 keyctl link <key> <keyring>
23 keyctl unlink <key> [<keyring>]
24 keyctl move [-f] <key> <from_keyring> <to_keyring>
25 keyctl search <keyring> <type> <desc> [<dest_keyring>]
26 keyctl restrict_keyring <keyring> [<type> [<restriction>]]
27 keyctl read <key>
28 keyctl pipe <key>
29 keyctl print <key>
30 keyctl list <keyring>
31 keyctl rlist <keyring>
32 keyctl describe <keyring>
33 keyctl rdescribe <keyring> [sep]
34 keyctl chown <key> <uid>
35 keyctl chgrp <key> <gid>
36 keyctl setperm <key> <mask>
37 keyctl new_session
38 keyctl session
39 keyctl session - [<prog> <arg1> <arg2> ...]
40 keyctl session <name> [<prog> <arg1> <arg2> ...]
41 keyctl instantiate <key> <data> <keyring>
42 keyctl pinstantiate <key> <keyring>
43 keyctl negate <key> <timeout> <keyring>
44 keyctl reject <key> <timeout> <error> <keyring>
45 keyctl timeout <key> <timeout>
46 keyctl security <key>
47 keyctl reap [-v]
48 keyctl purge <type>
49 keyctl purge [-i] [-p] <type> <desc>
50 keyctl purge -s <type> <desc>
51 keyctl get_persistent <keyring> [<uid>]
52 keyctl dh_compute <private> <prime> <base>
53 keyctl dh_compute_kdf <private> <prime> <base> <output_length>
54 <hash_type>
55 keyctl dh_compute_kdf_oi <private> <prime> <base> <output_length>
56 <hash_type>
57 keyctl pkey_query <key> <pass> [k=v]*
58 keyctl pkey_encrypt <key> <pass> <datafile> [k=v]* ><encfile>
59 keyctl pkey_decrypt <key> <pass> <encfile> [k=v]* ><datafile>
60 keyctl pkey_sign <key> <pass> <datafile> [k=v]* ><sigfile>
61 keyctl pkey_decrypt <key> <pass> <datafile> <sigfile> [k=v]*
62
64 This program is used to control the key management facility in various
65 ways using a variety of subcommands.
66
68 The key identifiers passed to or returned from keyctl are, in general,
69 positive integers. There are, however, some special values with special
70 meanings that can be passed as arguments:
71 No key: 0
73 Thread keyring: @t or -1
75 Each thread may have its own keyring. This is searched first,
76 before all others. The thread keyring is replaced by (v)fork,
77 exec and clone.
78 Process keyring: @p or -2
80 Each process (thread group) may have its own keyring. This is
81 shared between all members of a group and will be searched after
82 the thread keyring. The process keyring is replaced by (v)fork
83 and exec.
84 Session keyring: @s or -3
86 Each process subscribes to a session keyring that is inherited
87 across (v)fork, exec and clone. This is searched after the
88 process keyring. Session keyrings can be named and an extant
89 keyring can be joined in place of a process's current session
90 keyring.
91 User specific keyring: @u or -4
93 This keyring is shared between all the processes owned by a par‐
94 ticular user. It isn't searched directly, but is normally linked
95 to from the session keyring.
96 User default session keyring: @us or -5
98 This is the default session keyring for a particular user. Login
99 processes that change to a particular user will bind to this
100 session until another session is set.
101 Group specific keyring: @g or -6
103 This is a place holder for a group specific keyring, but is not
104 actually implemented yet in the kernel.
105 Assumed request_key authorisation key: @a or -7
107 This selects the authorisation key provided to the request_key()
108 helper to permit it to access the callers keyrings and instanti‐
109 ate the target key.
110 Keyring by name: %:<name>
112 A named keyring. This will be searched for in the process's
113 keyrings and in /proc/keys.
114 Key by name: %<type>:<name>
116 A named key of the given type. This will be searched for in the
117 process's keyrings and in /proc/keys.
118
120 Any non-ambiguous shortening of a command name may be used in lieu of
121 the full command name. This facility should not be used in scripting as
122 new commands may be added in future that then cause ambiguity.
123 Display the package version number
125 keyctl --version
126 This command prints the package version number and build date and
128 exits:
129 $ keyctl --version
131 keyctl from keyutils-1.5.3 (Built 2011-08-24)
132 Query subsystem capabilities
134 keyctl supports [<cap>]
135 This command can list the available capabilities:
137 $ keyctl supports
139 have_capabilities=0
140 have_persistent_keyrings=1
141 have_dh_compute=1
142 have_public_key=1
143 And it can query a capability:
145 $ keyctl supports pkey
147 echo $?
148 0
149 which returns 0 if the capability is supported, 1 if it isn't and 3 if
151 the name is not recognised. The capabilities supported are:
152 capabilities
154 The kernel supports capability querying. If not, the other
155 capabilities will be queried as best libkeyutils can manage.
156 persistent_keyrings
158 The kernel supports persistent keyrings.
159 dh_compute
161 The kernel supports Diffie-Hellman computation operations.
162 public_key
164 The kernel supports public key operations.
165 big_key_type
167 The kernel supports the big_key key type.
168 key_invalidate
170 The kernel supports the invalidate key operaiton.
171 restrict_keyring
173 The kernel supports the restrict_keyring operation.
174 move_key
176 The kernel supports the move key operation.
177 Show process keyrings
180 keyctl show [-x] [<keyring>]
181 By default this command recursively shows what keyrings a process is
183 subscribed to and what keys and keyrings they contain. If a keyring is
184 specified then that keyring will be dumped instead. If -x is specified
185 then the keyring IDs will be dumped in hex instead of decimal.
186 Add a key to a keyring
188 keyctl add <type> <desc> <data> <keyring>
189 keyctl padd <type> <desc> <keyring>
190 This command creates a key of the specified type and description;
192 instantiates it with the given data and attaches it to the specified
193 keyring. It then prints the new key's ID on stdout:
194 $ keyctl add user mykey stuff @u
196 26
197 The padd variant of the command reads the data from stdin rather than
199 taking it from the command line:
200 $ echo -n stuff | keyctl padd user mykey @u 26
202 Request a key
204 keyctl request <type> <desc> [<dest_keyring>]
205 keyctl request2 <type> <desc> <info> [<dest_keyring>]
206 keyctl prequest2 <type> <desc> [<dest_keyring>]
207 These three commands request the lookup of a key of the given type and
209 description. The process's keyrings will be searched, and if a match is
210 found the matching key's ID will be printed to stdout; and if a desti‐
211 nation keyring is given, the key will be added to that keyring also.
212 If there is no key, the first command will simply return the error
214 ENOKEY and fail. The second and third commands will create a partial
215 key with the type and description, and call out to /sbin/request-key
216 with that key and the extra information supplied. This will then
217 attempt to instantiate the key in some manner, such that a valid key is
218 obtained.
219 The third command is like the second, except that the callout informa‐
221 tion is read from stdin rather than being passed on the command line.
222 If a valid key is obtained, the ID will be printed and the key attached
224 as if the original search had succeeded.
225 If there wasn't a valid key obtained, a temporary negative key will be
227 attached to the destination keyring if given and the error "Requested
228 key not available" will be given.
229 $ keyctl request2 user debug:hello wibble
231 23
232 $ echo -n wibble | keyctl prequest2 user debug:hello
233 23
234 $ keyctl request user debug:hello
235 23
236 Update a key
238 keyctl update <key> <data>
239 keyctl pupdate <key>
240 This command replaces the data attached to a key with a new set of
242 data. If the type of the key doesn't support update then error "Opera‐
243 tion not supported" will be returned.
244 $ keyctl update 23 zebra
246 The pupdate variant of the command reads the data from stdin rather
248 than taking it from the command line:
249 $ echo -n zebra | keyctl pupdate 23
251 Create a keyring
253 keyctl newring <name> <keyring>
254 This command creates a new keyring of the specified name and attaches
256 it to the specified keyring. The ID of the new keyring will be printed
257 to stdout if successful.
258 $ keyctl newring squelch @us
260 27
261 Revoke a key
263 keyctl revoke <key>
264 This command marks a key as being revoked. Any further operations on
266 that key (apart from unlinking it) will return error "Key has been
267 revoked".
268 $ keyctl revoke 26
270 $ keyctl describe 26
271 keyctl_describe: Key has been revoked
272 Clear a keyring
274 keyctl clear <keyring>
275 This command unlinks all the keys attached to the specified keyring.
277 Error "Not a directory" will be returned if the key specified is not a
278 keyring.
279 $ keyctl clear 27
281 Link a key to a keyring
283 keyctl link <key> <keyring>
284 This command makes a link from the key to the keyring if there's enough
286 capacity to do so. Error "Not a directory" will be returned if the des‐
287 tination is not a keyring. Error "Permission denied" will be returned
288 if the key doesn't have link permission or the keyring doesn't have
289 write permission. Error "File table overflow" will be returned if the
290 keyring is full. Error "Resource deadlock avoided" will be returned if
291 an attempt was made to introduce a recursive link.
292 $ keyctl link 23 27
294 $ keyctl link 27 27
295 keyctl_link: Resource deadlock avoided
296 Unlink a key from a keyring or the session keyring tree
298 keyctl unlink <key> [<keyring>]
299 If the keyring is specified, this command removes a link to the key
301 from the keyring. Error "Not a directory" will be returned if the des‐
302 tination is not a keyring. Error "Permission denied" will be returned
303 if the keyring doesn't have write permission. Error "No such file or
304 directory" will be returned if the key is not linked to by the keyring.
305 If the keyring is not specified, this command performs a depth-first
307 search of the session keyring tree and removes all the links to the
308 nominated key that it finds (and that it is permitted to remove). It
309 prints the number of successful unlinks before exiting.
310 $ keyctl unlink 23 27
312 Move a key between keyrings.
314 keyctl move [-f] <key> <from_keyring> <to_keyring>
315 This command moves a key from one keyring to another, atomically com‐
317 bining "keyctl unlink <key> <from_keyring>" and "keyctl link <key>
318 <to_keyring>".
319 If the "-f" flag is present, any matching key will be displaced from
321 "to_keyring"; if not present, the command will fail with the error mes‐
322 sage "File exists" if the key would otherwise displace another key from
323 "to_keyring".
324 $ keyctl move 23 27 29
326 $ keyctl move -f 71 @u @s
327 Search a keyring
329 keyctl search <keyring> <type> <desc> [<dest_keyring>]
330 This command non-recursively searches a keyring for a key of a particu‐
332 lar type and description. If found, the ID of the key will be printed
333 on stdout and the key will be attached to the destination keyring if
334 present. Error "Requested key not available" will be returned if the
335 key is not found.
336 $ keyctl search @us user debug:hello
338 23
339 $ keyctl search @us user debug:bye
340 keyctl_search: Requested key not available
341 Restrict a keyring
343 keyctl restrict_keyring <keyring> [<type> [<restriction>]]
344 This command limits the linkage of keys to the given keyring using a
346 provided restriction scheme. The scheme is associated with a given key
347 type, with further details provided in the restriction option string.
348 Options typically contain a restriction name possibly followed by key
349 ids or other data relevant to the restriction. If no restriction scheme
350 is provided, the keyring will reject all links.
351 $ keyctl restrict_keyring $1 asymmetric builtin_trusted
353 Read a key
355 keyctl read <key>
356 keyctl pipe <key>
357 keyctl print <key>
358 These commands read the payload of a key. "read" prints it on stdout as
360 a hex dump, "pipe" dumps the raw data to stdout and "print" dumps it to
361 stdout directly if it's entirely printable or as a hexdump preceded by
362 ":hex:" if not.
363 If the key type does not support reading of the payload, then error
365 "Operation not supported" will be returned.
366 $ keyctl read 26
368 1 bytes of data in key:
369 62
370 $ keyctl print 26
371 b
372 $ keyctl pipe 26
373 $
374 List a keyring
376 keyctl list <keyring>
377 keyctl rlist <keyring>
378 These commands list the contents of a key as a keyring. "list" pretty
380 prints the contents and "rlist" just produces a space-separated list of
381 key IDs.
382 No attempt is made to check that the specified keyring is a keyring.
384 $ keyctl list @us
386 2 keys in keyring:
387 22: vrwsl---------- 4043 -1 keyring: _uid.4043
388 23: vrwsl---------- 4043 4043 user: debug:hello
389 $ keyctl rlist @us
390 22 23
391 Describe a key
393 keyctl describe <keyring>
394 keyctl rdescribe <keyring> [sep]
395 These commands fetch a description of a keyring. "describe" pretty
397 prints the description in the same fashion as the "list" command; "rde‐
398 scribe" prints the raw data returned from the kernel.
399 $ keyctl describe @us
401 -5: vrwsl---------- 4043 -1 keyring: _uid_ses.4043
402 $ keyctl rdescribe @us
403 keyring;4043;-1;3f1f0000;_uid_ses.4043
404 The raw string is "<type>;<uid>;<gid>;<perms>;<description>", where uid
406 and gid are the decimal user and group IDs, perms is the permissions
407 mask in hex, type and description are the type name and description
408 strings (neither of which will contain semicolons).
409 Change the access controls on a key
411 keyctl chown <key> <uid>
412 keyctl chgrp <key> <gid>
413 These two commands change the UID and GID associated with evaluating a
415 key's permissions mask. The UID also governs which quota a key is taken
416 out of.
417 The chown command is not currently supported; attempting it will earn
419 the error "Operation not supported" at best.
420 For non-superuser users, the GID may only be set to the process's GID
422 or a GID in the process's groups list. The superuser may set any GID it
423 likes.
424 $ sudo keyctl chown 27 0
426 keyctl_chown: Operation not supported
427 $ sudo keyctl chgrp 27 0
428 Set the permissions mask on a key
430 keyctl setperm <key> <mask>
431 This command changes the permission control mask on a key. The mask may
433 be specified as a hex number if it begins "0x", an octal number if it
434 begins "0" or a decimal number otherwise.
435 The hex numbers are a combination of:
437 Possessor UID GID Other Permission Granted
439 ======== ======== ======== ======== ==================
440 01000000 00010000 00000100 00000001 View
441 02000000 00020000 00000200 00000002 Read
442 04000000 00040000 00000400 00000004 Write
443 08000000 00080000 00000800 00000008 Search
444 10000000 00100000 00001000 00000010 Link
445 20000000 00200000 00002000 00000020 Set Attribute
446 3f000000 003f0000 00003f00 0000003f All
447 View permits the type, description and other parameters of a key to be
449 viewed.
450 Read permits the payload (or keyring list) to be read if supported by
452 the type.
453 Write permits the payload (or keyring list) to be modified or updated.
455 Search on a key permits it to be found when a keyring to which it is
457 linked is searched.
458 Link permits a key to be linked to a keyring.
460 Set Attribute permits a key to have its owner, group membership, per‐
462 missions mask and timeout changed.
463 $ keyctl setperm 27 0x1f1f1f00
465 Start a new session with fresh keyrings
467 keyctl session
468 keyctl session - [<prog> <arg1> <arg2> ...]
469 keyctl session <name> [<prog> <arg1> <arg2> ...]
470 These commands join or create a new keyring and then run a shell or
472 other program with that keyring as the session key.
473 The variation with no arguments just creates an anonymous session
475 keyring and attaches that as the session keyring; it then exec's
476 $SHELL.
477 The variation with a dash in place of a name creates an anonymous ses‐
479 sion keyring and attaches that as the session keyring; it then exec's
480 the supplied command, or $SHELL if one isn't supplied.
481 The variation with a name supplied creates or joins the named keyring
483 and attaches that as the session keyring; it then exec's the supplied
484 command, or $SHELL if one isn't supplied.
485 $ keyctl rdescribe @s
487 keyring;4043;-1;3f1f0000;_uid_ses.4043
488 $ keyctl session
490 Joined session keyring: 28
491 $ keyctl rdescribe @s
493 keyring;4043;4043;3f1f0000;_ses.24082
494 $ keyctl session -
496 Joined session keyring: 29
497 $ keyctl rdescribe @s
498 keyring;4043;4043;3f1f0000;_ses.24139
499 $ keyctl session - keyctl rdescribe @s
501 Joined session keyring: 30
502 keyring;4043;4043;3f1f0000;_ses.24185
503 $ keyctl session fish
505 Joined session keyring: 34
506 $ keyctl rdescribe @s
507 keyring;4043;4043;3f1f0000;fish
508 $ keyctl session fish keyctl rdesc @s
510 Joined session keyring: 35
511 keyring;4043;4043;3f1f0000;fish
512 Instantiate a key
514 keyctl instantiate <key> <data> <keyring>
515 keyctl pinstantiate <key> <keyring>
516 keyctl negate <key> <timeout> <keyring>
517 keyctl reject <key> <timeout> <error> <keyring>
518 These commands are used to attach data to a partially set up key (as
520 created by the kernel and passed to /sbin/request-key). "instantiate"
521 marks a key as being valid and attaches the data as the payload.
522 "negate" and "reject" mark a key as invalid and sets a timeout on it so
523 that it'll go away after a while. This prevents a lot of quickly
524 sequential requests from slowing the system down overmuch when they all
525 fail, as all subsequent requests will then fail with error "Requested
526 key not found" (if negated) or the specified error (if rejected) until
527 the negative key has expired.
528 Reject's error argument can either be a UNIX error number or one of
530 'rejected', 'expired' or 'revoked'.
531 The newly instantiated key will be attached to the specified keyring.
533 These commands may only be run from the program run by request-key - a
535 special authorisation key is set up by the kernel and attached to the
536 request-key's session keyring. This special key is revoked once the key
537 to which it refers has been instantiated one way or another.
538 $ keyctl instantiate $1 "Debug $3" $4
540 $ keyctl negate $1 30 $4
541 $ keyctl reject $1 30 64 $4
542 The pinstantiate variant of the command reads the data from stdin
544 rather than taking it from the command line:
545 $ echo -n "Debug $3" | keyctl pinstantiate $1 $4
547 Set the expiry time on a key
549 keyctl timeout <key> <timeout>
550 This command is used to set the timeout on a key, or clear an existing
552 timeout if the value specified is zero. The timeout is given as a num‐
553 ber of seconds into the future.
554 $ keyctl timeout $1 45
556 Retrieve a key's security context
558 keyctl security <key>
559 This command is used to retrieve a key's LSM security context. The
561 label is printed on stdout.
562 $ keyctl security @s
564 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
565 Give the parent process a new session keyring
567 keyctl new_session
568 This command is used to give the invoking process (typically a shell) a
570 new session keyring, discarding its old session keyring.
571 $ keyctl session foo
573 Joined session keyring: 723488146
574 $ keyctl show
575 Session Keyring
576 -3 --alswrv 0 0 keyring: foo
577 $ keyctl new_session
578 490511412
579 $ keyctl show
580 Session Keyring
581 -3 --alswrv 0 0 keyring: _ses
582 Note that this affects the parent of the process that invokes the sys‐
584 tem call, and so may only affect processes with matching credentials.
585 Furthermore, the change does not take effect till the parent process
586 next transitions from kernel space to user space - typically when the
587 wait() system call returns.
588 Remove dead keys from the session keyring tree
590 keyctl reap
591 This command performs a depth-first search of the caller's session
593 keyring tree and attempts to unlink any key that it finds that is inac‐
594 cessible due to expiry, revocation, rejection or negation. It does not
595 attempt to remove live keys that are unavailable simply due to a lack
596 of granted permission.
597 A key that is designated reapable will only be removed from a keyring
599 if the caller has Write permission on that keyring, and only keyrings
600 that grant Search permission to the caller will be searched.
601 The command prints the number of keys reaped before it exits. If the
603 -v flag is passed then the reaped keys are listed as they're being
604 reaped, together with the success or failure of the unlink.
605 Remove matching keys from the session keyring tree
607 keyctl purge <type>
608 keyctl purge [-i] [-p] <type> <desc>
609 keyctl purge -s <type> <desc>
610 These commands perform a depth-first search to find matching keys in
612 the caller's session keyring tree and attempts to unlink them. The
613 number of keys successfully unlinked is printed at the end.
614 The keyrings must grant Read and View permission to the caller to be
616 searched, and the keys to be removed must also grant View permission.
617 Keys can only be removed from keyrings that grant Write permission.
618 The first variant purges all keys of the specified type.
620 The second variant purges all keys of the specified type that also
622 match the given description literally. The -i flag allows a case-inde‐
623 pendent match and the -p flag allows a prefix match.
624 The third variant purges all keys of the specified type and matching
626 description using the key type's comparator in the kernel to match the
627 description. This permits the key type to match a key with a variety
628 of descriptions.
629 Get persistent keyring
631 keyctl get_persistent <keyring> [<uid>]
632 This command gets the persistent keyring for either the current UID or
634 the specified UID and attaches it to the nominated keyring. The per‐
635 sistent keyring's ID will be printed on stdout.
636 The kernel will create the keyring if it doesn't exist and every time
638 this command is called, will reset the expiration timeout on the
639 keyring to the value in:
640 /proc/sys/kernel/keys/persistent_keyring_expiry
642 (by default three days). Should the timeout be reached, the persistent
644 keyring will be removed and everything it pins can then be garbage col‐
645 lected.
646 If a UID other than the process's real or effective UIDs is specified,
648 then an error will be given if the process does not have the CAP_SETUID
649 capability.
650 Compute a Diffie-Hellman shared secret or public key
652 keyctl dh_compute <private> <prime> <base>
653 This command computes either a Diffie-Hellman shared secret or the pub‐
655 lic key corresponding to the provided private key using the payloads of
656 three keys. The computation is:
657 base ^ private (mod prime)
659 The three inputs must be user keys with read permission. If the pro‐
661 vided base key contains the shared generator value, the public key will
662 be computed. If the provided base key contains the remote public key
663 value, the shared secret will be computed.
664 The result is printed to stdout as a hex dump.
666 $ keyctl dh_compute $1 $2 $3
668 8 bytes of data in result:
669 00010203 04050607
670 Compute a Diffie-Hellman shared secret and derive key material
672 keyctl dh_compute_kdf <private> <prime> <base> <output_length>
673 <hash_type>
674 This command computes a Diffie-Hellman shared secret and derives key
676 material from the shared secret using a key derivation function (KDF).
677 The shared secret is derived as outlined above and is input to the KDF
678 using the specified hash type. The hash type must point to a hash name
679 known to the kernel crypto API.
680 The operation derives key material of the length specified by the call‐
682 er.
683 The operation is compliant to the specification of SP800-56A.
685 The result is printed to stdout as hex dump.
687 Compute a Diffie-Hellman shared secret and apply KDF with other input
689 keyctl dh_compute_kdf_oi <private> <prime> <base> <output_length>
690 <hash_type>
691 This command is identical to the command dh_compute_kdf to generate a
693 Diffie-Hellman shared secret followed by a key derivation operation.
694 This command allows the caller to provide the other input data (OI
695 data) compliant to SP800-56A via stdin.
696 Perform public-key operations with an asymmetric key
698 keyctl pkey_query <key> <pass> [k=v]*
699 keyctl pkey_encrypt <key> <pass> <datafile> [k=v]* > <encfile>
700 keyctl pkey_decrypt <key> <pass> <encfile> [k=v]* > <datafile>
701 keyctl pkey_sign <key> <pass> <datafile> [k=v]* > <sigfile>
702 keyctl pkey_verify <key> <pass> <datafile> <sigfile> [k=v]*
703 These commands query an asymmetric key, encrypt data with it, decrypt
705 the encrypted data, generate a signature over some data and verify that
706 signature. For encrypt, decrypt and sign, the resulting data is writ‐
707 ten to stdout; verify reads the data and the signature files and com‐
708 pares them.
709 [!] NOTE that the data is of very limited capacity, with no more bits
711 than the size of the key. For signatures, the caller is expected to
712 digest the actual data and pass in the result of the digest as the
713 datafile. The name of the digest should be specified on the end of the
714 command line as "hash=<name>".
715 The key ID indicates the key to use; pass is a placeholder for future
717 password provision and should be "0" for the moment; datafile is the
718 unencrypted data to be encrypted, signed or to have its signature
719 checked; encfile is a file containing encrypted data; and sigfile is a
720 file containing a signature.
721 A list of parameters in "key[=val]" form can be included on the end of
723 the command line. These specify things like the digest algorithm used
724 ("hash=<name>") or the encoding form ("enc=<type>").
725 k=`keyctl padd asymmetric "" @s <key.pkcs8.der`
727 keyctl pkey_query $k 0 enc=pkcs1 hash=sha256
728 keyctl pkey_encrypt $k 0 foo.hash enc=pkcs1 >foo.enc
729 keyctl pkey_decrypt $k 0 foo.enc enc=pkcs1 >foo.hash
730 keyctl pkey_sign $k 0 foo.hash enc=pkcs1 hash=sha256 >foo.sig
731 keyctl pkey_verify $k 0 foo.hash foo.sig enc=pkcs1 hash=sha256
732 See asymmetric-key(7) for more information.
734
737 There are a number of common errors returned by this program:
738 "Not a directory" - a key wasn't a keyring.
740 "Requested key not found" - the looked for key isn't available.
742 "Key has been revoked" - a revoked key was accessed.
744 "Key has expired" - an expired key was accessed.
746 "Permission denied" - permission was denied by a UID/GID/mask combina‐
748 tion.
749
751 keyctl(1), keyctl(2), request_key(2), keyctl(3), request-key.conf(5),
752 keyrings(7), request-key(8)
753Linux 20 Feb 2014 KEYCTL(1)