1ADD_KEY(2) Linux Key Management Calls ADD_KEY(2)
2
6 add_key - add a key to the kernel's key management facility
7
9 #include <sys/types.h>
10 #include <keyutils.h>
11 key_serial_t add_key(const char *type, const char *description,
13 const void *payload, size_t plen,
14 key_serial_t keyring);
15 No glibc wrapper is provided for this system call; see NOTES.
17
19 add_key() creates or updates a key of the given type and description,
20 instantiates it with the payload of length plen, attaches it to the
21 nominated keyring, and returns the key's serial number.
22 The key may be rejected if the provided data is in the wrong format or
24 it is invalid in some other way.
25 If the destination keyring already contains a key that matches the
27 specified type and description, then, if the key type supports it, that
28 key will be updated rather than a new key being created; if not, a new
29 key (with a different ID) will be created and it will displace the link
30 to the extant key from the keyring.
31 The destination keyring serial number may be that of a valid keyring
33 for which the caller has write permission. Alternatively, it may be
34 one of the following special keyring IDs:
35 KEY_SPEC_THREAD_KEYRING
37 This specifies the caller's thread-specific keyring (thread-
38 keyring(7)).
39 KEY_SPEC_PROCESS_KEYRING
41 This specifies the caller's process-specific keyring (process-
42 keyring(7)).
43 KEY_SPEC_SESSION_KEYRING
45 This specifies the caller's session-specific keyring (session-
46 keyring(7)).
47 KEY_SPEC_USER_KEYRING
49 This specifies the caller's UID-specific keyring (user-
50 keyring(7)).
51 KEY_SPEC_USER_SESSION_KEYRING
53 This specifies the caller's UID-session keyring (user-session-
54 keyring(7)).
55 Key types
57 The key type is a string that specifies the key's type. Internally,
58 the kernel defines a number of key types that are available in the core
59 key management code. Among the types that are available for user-space
60 use and can be specified as the type argument to add_key() are the fol‐
61 lowing:
62 "keyring"
64 Keyrings are special key types that may contain links to
65 sequences of other keys of any type. If this interface is used
66 to create a keyring, then payload should be NULL and plen should
67 be zero.
68 "user" This is a general purpose key type whose payload may be read and
70 updated by user-space applications. The key is kept entirely
71 within kernel memory. The payload for keys of this type is a
72 blob of arbitrary data of up to 32,767 bytes.
73 "logon" (since Linux 3.3)
75 This key type is essentially the same as "user", but it does not
76 permit the key to read. This is suitable for storing payloads
77 that you do not want to be readable from user space.
78 This key type vets the description to ensure that it is qualified by a
80 "service" prefix, by checking to ensure that the description contains a
81 ':' that is preceded by other characters.
82 "big_key" (since Linux 3.13)
84 This key type is similar to "user", but may hold a payload of up
85 to 1 MiB. If the key payload is large enough, then it may be
86 stored encrypted in tmpfs (which can be swapped out) rather than
87 kernel memory.
88 For further details on these key types, see keyrings(7).
90
92 On success, add_key() returns the serial number of the key it created
93 or updated. On error, -1 is returned and errno is set to indicate the
94 cause of the error.
95
97 EACCES The keyring wasn't available for modification by the user.
98 EDQUOT The key quota for this user would be exceeded by creating this
100 key or linking it to the keyring.
101 EFAULT One or more of type, description, and payload points outside
103 process's accessible address space.
104 EINVAL The size of the string (including the terminating null byte)
106 specified in type or description exceeded the limit (32 bytes
107 and 4096 bytes respectively).
108 EINVAL The payload data was invalid.
110 EINVAL type was "logon" and the description was not qualified with a
112 prefix string of the form "service:".
113 EKEYEXPIRED
115 The keyring has expired.
116 EKEYREVOKED
118 The keyring has been revoked.
119 ENOKEY The keyring doesn't exist.
121 ENOMEM Insufficient memory to create a key.
123 EPERM The type started with a period ('.'). Key types that begin with
125 a period are reserved to the implementation.
126 EPERM type was "keyring" and the description started with a period
128 ('.'). Keyrings with descriptions (names) that begin with a
129 period are reserved to the implementation.
130
132 This system call first appeared in Linux 2.6.10.
133
135 This system call is a nonstandard Linux extension.
136
138 No wrapper for this system call is provided in glibc. A wrapper is
139 provided in the libkeyutils package. When employing the wrapper in
140 that library, link with -lkeyutils.
141
143 The program below creates a key with the type, description, and payload
144 specified in its command-line arguments, and links that key into the
145 session keyring. The following shell session demonstrates the use of
146 the program:
147 $ ./a.out user mykey "Some payload"
149 Key ID is 64a4dca
150 $ grep '64a4dca' /proc/keys
151 064a4dca I--Q--- 1 perm 3f010000 1000 1000 user mykey: 12
152 Program source
154 #include <sys/types.h>
156 #include <keyutils.h>
157 #include <stdio.h>
158 #include <stdlib.h>
159 #include <string.h>
160 int
162 main(int argc, char *argv[])
163 {
164 key_serial_t key;
165 if (argc != 4) {
167 fprintf(stderr, "Usage: %s type description payload\n",
168 argv[0]);
169 exit(EXIT_FAILURE);
170 }
171 key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]),
173 KEY_SPEC_SESSION_KEYRING);
174 if (key == -1) {
175 perror("add_key");
176 exit(EXIT_FAILURE);
177 }
178 printf("Key ID is %lx\n", (long) key);
180 exit(EXIT_SUCCESS);
182 }
183
185 keyctl(1), keyctl(2), request_key(2), keyctl(3), keyrings(7),
186 keyutils(7), persistent-keyring(7), process-keyring(7),
187 session-keyring(7), thread-keyring(7), user-keyring(7),
188 user-session-keyring(7)
189 The kernel source files Documentation/security/keys/core.rst and
191 Documentation/keys/request-key.rst (or, before Linux 4.13, in the files
192 Documentation/security/keys.txt and
193 Documentation/security/keys-request-key.txt).
194
196 This page is part of release 4.15 of the Linux man-pages project. A
197 description of the project, information about reporting bugs, and the
198 latest version of this page, can be found at
199 https://www.kernel.org/doc/man-pages/.
200Linux 2017-09-15 ADD_KEY(2)