HTML rendering created 2025-09-06 byMichael Kerrisk, author ofThe Linux Programming Interface. For details of in-depthLinux/UNIX system programming training courses that I teach, lookhere. Hosting byjambit GmbH. |  |
NAME |LIBRARY |SYNOPSIS |DESCRIPTION |RETURN VALUE |ERRORS |STANDARDS |HISTORY |NOTES |EXAMPLES |SEE ALSO |COLOPHON | |
add_key(2) System Calls Manualadd_key(2)add_key - add a key to the kernel's key management facility
Standard C library (libc,-lc)
#include <keyutils.h>key_serial_t add_key(size_t size;const char *type, const char *description,const voidpayload[size], size_tsize,key_serial_tkeyring);Note: There is no glibc wrapper for this system call; see NOTES.
add_key() creates or updates a key of the giventype anddescription, instantiates it with thepayload of sizesize, attaches it to the nominatedkeyring, and returns the key's serial number. The key may be rejected if the provided data is in the wrong format or it is invalid in some other way. If the destinationkeyring already contains a key that matches the specifiedtype anddescription, then, if the key type supports it, that key will be updated rather than a new key being created; if not, a new key (with a different ID) will be created and it will displace the link to the extant key from the keyring. The destinationkeyring serial number may be that of a valid keyring for which the caller haswrite permission. Alternatively, it may be one of the following special keyring IDs:KEY_SPEC_THREAD_KEYRING This specifies the caller's thread-specific keyring (thread-keyring(7)).KEY_SPEC_PROCESS_KEYRING This specifies the caller's process-specific keyring (process-keyring(7)).KEY_SPEC_SESSION_KEYRING This specifies the caller's session-specific keyring (session-keyring(7)).KEY_SPEC_USER_KEYRING This specifies the caller's UID-specific keyring (user-keyring(7)).KEY_SPEC_USER_SESSION_KEYRING This specifies the caller's UID-session keyring (user-session-keyring(7)).Key types The keytype is a string that specifies the key's type. Internally, the kernel defines a number of key types that are available in the core key management code. Among the types that are available for user-space use and can be specified as thetype argument toadd_key() are the following:"keyring" Keyrings are special key types that may contain links to sequences of other keys of any type. If this interface is used to create a keyring, thenpayload should be NULL andsize should be zero."user" This is a general purpose key type whose payload may be read and updated by user-space applications. The key is kept entirely within kernel memory. The payload for keys of this type is a blob of arbitrary data of up to 32,767 bytes."logon" (since Linux 3.3) This key type is essentially the same as"user", but it does not permit the key to read. This is suitable for storing payloads that you do not want to be readable from user space. This key type vets thedescription to ensure that it is qualified by a "service" prefix, by checking to ensure that thedescription contains a ':' that is preceded by other characters."big_key" (since Linux 3.13) This key type is similar to"user", but may hold a payload of up to 1 MiB. If the key payload is large enough, then it may be stored encrypted in tmpfs (which can be swapped out) rather than kernel memory. For further details on these key types, seekeyrings(7).
On success,add_key() returns the serial number of the key it created or updated. On error, -1 is returned anderrno is set to indicate the error.
EACCESThe keyring wasn't available for modification by the user.EDQUOTThe key quota for this user would be exceeded by creating this key or linking it to the keyring.EFAULTOne or more oftype,description, andpayload points outside process's accessible address space.EINVALThe size of the string (including the terminating null byte) specified intype ordescription exceeded the limit (32 bytes and 4096 bytes respectively).EINVALThe payload data was invalid.EINVALtype was"logon" and thedescription was not qualified with a prefix string of the form"service:".EKEYEXPIRED The keyring has expired.EKEYREVOKED The keyring has been revoked.ENOKEYThe keyring doesn't exist.ENOMEMInsufficient memory to create a key.EPERMThetype started with a period ('.'). Key types that begin with a period are reserved to the implementation.EPERMtype was"keyring" and thedescription started with a period ('.'). Keyrings with descriptions (names) that begin with a period are reserved to the implementation.Linux.
Linux 2.6.10.
glibc does not provide a wrapper for this system call. A wrapper is provided in thelibkeyutils library. (The accompanying package provides the<keyutils.h> header file.) When employing the wrapper in that library, link with-lkeyutils.
The program below creates a key with the type, description, and payload specified in its command-line arguments, and links that key into the session keyring. The following shell session demonstrates the use of the program: $./a.out user mykey "Some payload"; Key ID is 64a4dca $grep '64a4dca' /proc/keys; 064a4dca I--Q--- 1 perm 3f010000 1000 1000 user mykey: 12Program source #include <keyutils.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char *argv[]) { key_serial_t key; if (argc != 4) { fprintf(stderr, "Usage: %s type description payload\n", argv[0]); exit(EXIT_FAILURE); } key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]), KEY_SPEC_SESSION_KEYRING); if (key == -1) { perror("add_key"); exit(EXIT_FAILURE); } printf("Key ID is %jx\n", (uintmax_t) key); exit(EXIT_SUCCESS); }keyctl(1),keyctl(2),request_key(2),keyctl(3),keyrings(7),keyutils(7),persistent-keyring(7),process-keyring(7),session-keyring(7),thread-keyring(7),user-keyring(7),user-session-keyring(7) The kernel source filesDocumentation/security/keys/core.rst andDocumentation/keys/request-key.rst (or, before Linux 4.13, in the filesDocumentation/security/keys.txt andDocumentation/security/keys-request-key.txt).
This page is part of theman-pages (Linux kernel and C library user-space interface documentation) project. Information about the project can be found at ⟨https://www.kernel.org/doc/man-pages/⟩. If you have a bug report for this manual page, see ⟨https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/CONTRIBUTING⟩. This page was obtained from the tarball man-pages-6.15.tar.gz fetched from ⟨https://mirrors.edge.kernel.org/pub/linux/docs/man-pages/⟩ on 2025-08-11. If you discover any rendering problems in this HTML version of the page, or you believe there is a better or more up- to-date source for the page, or you have corrections or improvements to the information in this COLOPHON (which isnot part of the original manual page), send a mail to man-pages@man7.orgLinux man-pages 6.15 2025-06-28add_key(2)Pages that refer to this page:keyctl(2), request_key(2), syscalls(2), keyctl(3), keyctl_capabilities(3), keyctl_chown(3), keyctl_clear(3), keyctl_describe(3), keyctl_get_keyring_ID(3), keyctl_get_persistent(3), keyctl_get_security(3), keyctl_instantiate(3), keyctl_invalidate(3), keyctl_join_session_keyring(3), keyctl_link(3), keyctl_move(3), keyctl_pkey_encrypt(3), keyctl_pkey_query(3), keyctl_pkey_sign(3), keyctl_read(3), keyctl_revoke(3), keyctl_search(3), keyctl_session_to_parent(3), keyctl_setperm(3), keyctl_set_reqkey_keyring(3), keyctl_set_timeout(3), keyctl_update(3), keyctl_watch_key(3), proc_pid_attr(5), asymmetric-key(7), keyrings(7), keyutils(7)
HTML rendering created 2025-09-06 byMichael Kerrisk, author ofThe Linux Programming Interface. For details of in-depthLinux/UNIX system programming training courses that I teach, lookhere. Hosting byjambit GmbH. | |