keyctl(1) — Linux manual page

NAME | SYNOPSIS | DESCRIPTION | KEY IDENTIFIERS | COMMAND SYNTAX | ERRORS | SEE ALSO | COLOPHON

KEYCTL(1)            Linux Key Management Utilities            KEYCTL(1)

NAME         top

       keyctl - key management facility control

SYNOPSIS         top

       keyctl --version
       keyctl supports [<cap> | --raw]
       keyctl id [<keyring>]
       keyctl show [-x] [<keyring>]
       keyctl add [-x] <type> <desc> <data> <keyring>
       keyctl padd [-x] <type> <desc> <keyring>
       keyctl request <type> <desc> [<dest_keyring>]
       keyctl request2 <type> <desc> <info> [<dest_keyring>]
       keyctl prequest2 <type> <desc> [<dest_keyring>]
       keyctl update [-x] <key> <data>
       keyctl pupdate [-x] <key>
       keyctl newring <name> <keyring>
       keyctl revoke <key>
       keyctl clear <keyring>
       keyctl link <key> <keyring>
       keyctl unlink <key> [<keyring>]
       keyctl move [-f] <key> <from_keyring> <to_keyring>
       keyctl search <keyring> <type> <desc> [<dest_keyring>]
       keyctl restrict_keyring <keyring> [<type> [<restriction>]]
       keyctl read <key>
       keyctl pipe <key>
       keyctl print <key>
       keyctl list <keyring>
       keyctl rlist <keyring>
       keyctl describe <keyring>
       keyctl rdescribe <keyring> [sep]
       keyctl chown <key> <uid>
       keyctl chgrp <key> <gid>
       keyctl setperm <key> <mask>
       keyctl new_session [<name>]
       keyctl session
       keyctl session - [<prog> <arg1> <arg2> ...]
       keyctl session <name> [<prog> <arg1> <arg2> ...]
       keyctl instantiate [-x] <key> <data> <keyring>
       keyctl pinstantiate [-x] <key> <keyring>
       keyctl negate <key> <timeout> <keyring>
       keyctl reject <key> <timeout> <error> <keyring>
       keyctl timeout <key> <timeout>
       keyctl security <key>
       keyctl reap [-v]
       keyctl purge <type>
       keyctl purge [-i] [-p] <type> <desc>
       keyctl purge -s <type> <desc>
       keyctl get_persistent <keyring> [<uid>]
       keyctl dh_compute <private> <prime> <base>
       keyctl dh_compute_kdf <private> <prime> <base> <output_length>
       <hash_type>
       keyctl dh_compute_kdf_oi [-x] <private> <prime> <base>
       <output_length> <hash_type>
       keyctl pkey_query <key> <pass> [k=v]*
       keyctl pkey_encrypt <key> <pass> <datafile> [k=v]* ><encfile>
       keyctl pkey_decrypt <key> <pass> <encfile> [k=v]* ><datafile>
       keyctl pkey_sign <key> <pass> <datafile> [k=v]* ><sigfile>
       keyctl pkey_decrypt <key> <pass> <datafile> <sigfile> [k=v]*
       keyctl watch [-f<filters>] <key>
       keyctl watch_add <fd> <key>
       keyctl watch_rm <fd> <key>
       keyctl watch_session [-f <filters>] [-n <name>] \
                       <notifylog> <gclog> <fd> <prog> [<arg1> <arg2>
       ...]

DESCRIPTION         top

       This program is used to control the key management facility in
       various ways using a variety of subcommands.

KEY IDENTIFIERS         top

       The key identifiers passed to or returned from keyctl are, in
       general, positive integers. There are, however, some special
       values with special meanings that can be passed as arguments:

       No key: 0

       Thread keyring: @t or -1
              Each thread may have its own keyring. This is searched
              first, before all others. The thread keyring is replaced
              by (v)fork, exec and clone.

       Process keyring: @p or -2
              Each process (thread group) may have its own keyring. This
              is shared between all members of a group and will be
              searched after the thread keyring. The process keyring is
              replaced by (v)fork and exec.

       Session keyring: @s or -3
              Each process subscribes to a session keyring that is
              inherited across (v)fork, exec and clone. This is searched
              after the process keyring. Session keyrings can be named
              and an extant keyring can be joined in place of a
              process's current session keyring.

       User specific keyring: @u or -4
              This keyring is shared between all the processes owned by
              a particular user. It isn't searched directly, but is
              normally linked to from the session keyring.

       User default session keyring: @us or -5
              This is the default session keyring for a particular user.
              Login processes that change to a particular user will bind
              to this session until another session is set.

       Group specific keyring: @g or -6
              This is a place holder for a group specific keyring, but
              is not actually implemented yet in the kernel.

       Assumed request_key authorisation key: @a or -7
              This selects the authorisation key provided to the
              request_key() helper to permit it to access the callers
              keyrings and instantiate the target key.

       Keyring by name: %:<name>
              A named keyring.  This will be searched for in the
              process's keyrings and in /proc/keys.

       Key by name: %<type>:<name>
              A named key of the given type.  This will be searched for
              in the process's keyrings and in /proc/keys.

COMMAND SYNTAX         top

       Any non-ambiguous shortening of a command name may be used in
       lieu of the full command name. This facility should not be used
       in scripting as new commands may be added in future that then
       cause ambiguity.

   Display the package version number
       keyctl --version

       This command prints the package version number and build date and
       exits:

              $ keyctl --version
              keyctl from keyutils-1.5.3 (Built 2011-08-24)

   Query subsystem capabilities
       keyctl supports
       keyctl supports --raw
       keyctl supports <cap>

       This command can list the available capabilities:

              $ keyctl supports
              have_capabilities=0
              have_persistent_keyrings=1
              have_dh_compute=1
              have_public_key=1

       produce a raw hex dump of the capabilities list:

              $ keyctl supports --raw
              ff0f

       or query a specific capability:

              $ keyctl supports pkey
              echo $?
              0

       which exits 0 if the capability is supported, 1 if it isn't and 3
       if the name is not recognised.  The capabilities supported are:

       capabilities
              The kernel supports capability querying.  If not, the
              other capabilities will be queried as best libkeyutils can
              manage.

       persistent_keyrings
              The kernel supports persistent keyrings.

       dh_compute
              The kernel supports Diffie-Hellman computation operations.

       public_key
              The kernel supports public key operations.

       big_key_type
              The kernel supports the big_key key type.

       key_invalidate
              The kernel supports the invalidate key operaiton.

       restrict_keyring
              The kernel supports the restrict_keyring operation.

       move_key
              The kernel supports the move key operation.

       ns_keyring_name
              Keyring names are segregated according to the user-
              namespace in which the keyrings are created.

       ns_key_tag
              Keys can get tagged with namespace tags, allowing keys
              with the same type and description, but different
              namespaces to coexist in the same keyring.  Tagging is
              done automatically according to the key type.

   Show actual key or keyring ID
       keyctl id [<key>]

       This command looks up the real ID of a key or keyring from the
       identifier given, which is typically a symbolic ID such as "@s"
       indicating the session keyring, but can also be a numeric ID or
       "%type:desc" notation.  If a special keyring is specified that
       isn't created yet, an error will be given rather than causing
       that keyring to be created.

   Show process keyrings
       keyctl show [-x] [<keyring>]

       By default this command recursively shows what keyrings a process
       is subscribed to and what keys and keyrings they contain.  If a
       keyring is specified then that keyring will be dumped instead.
       If -x is specified then the keyring IDs will be dumped in hex
       instead of decimal.

   Add a key to a keyring
       keyctl add [-x] <type> <desc> <data> <keyring>
       keyctl padd [-x] <type> <desc> <keyring>

       This command creates a key of the specified type and description;
       instantiates it with the given data and attaches it to the
       specified keyring. It then prints the new key's ID on stdout:

              $ keyctl add user mykey stuff @u
              26

       The padd variant of the command reads the data from stdin rather
       than taking it from the command line:

              $ echo -n stuff | keyctl padd user mykey @u
              26

       If -x is given, then the data is hex-decoded with whitespace
       being discarded.

   Request a key
       keyctl request <type> <desc> [<dest_keyring>]
       keyctl request2 <type> <desc> <info> [<dest_keyring>]
       keyctl prequest2 <type> <desc> [<dest_keyring>]

       These three commands request the lookup of a key of the given
       type and description. The process's keyrings will be searched,
       and if a match is found the matching key's ID will be printed to
       stdout; and if a destination keyring is given, the key will be
       added to that keyring also.

       If there is no key, the first command will simply return the
       error ENOKEY and fail. The second and third commands will create
       a partial key with the type and description, and call out to
       /sbin/request-key with that key and the extra information
       supplied. This will then attempt to instantiate the key in some
       manner, such that a valid key is obtained.

       The third command is like the second, except that the callout
       information is read from stdin rather than being passed on the
       command line.

       If a valid key is obtained, the ID will be printed and the key
       attached as if the original search had succeeded.

       If there wasn't a valid key obtained, a temporary negative key
       will be attached to the destination keyring if given and the
       error "Requested key not available" will be given.

              $ keyctl request2 user debug:hello wibble
              23
              $ echo -n wibble | keyctl prequest2 user debug:hello
              23
              $ keyctl request user debug:hello
              23

   Update a key
       keyctl update [-x] <key> <data>
       keyctl pupdate [-x] <key>

       This command replaces the data attached to a key with a new set
       of data. If the type of the key doesn't support update then error
       "Operation not supported" will be returned.

              $ keyctl update 23 zebra

       The pupdate variant of the command reads the data from stdin
       rather than taking it from the command line:

              $ echo -n zebra | keyctl pupdate 23
              $ echo 616263313233 | keyctl pupdate -x 23

       If -x is given, then the data is hex-decoded with whitespace
       being discarded.

   Create a keyring
       keyctl newring <name> <keyring>

       This command creates a new keyring of the specified name and
       attaches it to the specified keyring. The ID of the new keyring
       will be printed to stdout if successful.

              $ keyctl newring squelch @us
              27

   Revoke a key
       keyctl revoke <key>

       This command marks a key as being revoked. Any further operations
       on that key (apart from unlinking it) will return error "Key has
       been revoked".

              $ keyctl revoke 26
              $ keyctl describe 26
              keyctl_describe: Key has been revoked

   Clear a keyring
       keyctl clear <keyring>

       This command unlinks all the keys attached to the specified
       keyring. Error "Not a directory" will be returned if the key
       specified is not a keyring.

              $ keyctl clear 27

   Link a key to a keyring
       keyctl link <key> <keyring>

       This command makes a link from the key to the keyring if there's
       enough capacity to do so. Error "Not a directory" will be
       returned if the destination is not a keyring. Error "Permission
       denied" will be returned if the key doesn't have link permission
       or the keyring doesn't have write permission. Error "File table
       overflow" will be returned if the keyring is full. Error
       "Resource deadlock avoided" will be returned if an attempt was
       made to introduce a recursive link.

              $ keyctl link 23 27
              $ keyctl link 27 27
              keyctl_link: Resource deadlock avoided

   Unlink a key from a keyring or the session keyring tree
       keyctl unlink <key> [<keyring>]

       If the keyring is specified, this command removes a link to the
       key from the keyring. Error "Not a directory" will be returned if
       the destination is not a keyring. Error "Permission denied" will
       be returned if the keyring doesn't have write permission. Error
       "No such file or directory" will be returned if the key is not
       linked to by the keyring.

       If the keyring is not specified, this command performs a depth-
       first search of the session keyring tree and removes all the
       links to the nominated key that it finds (and that it is
       permitted to remove).  It prints the number of successful unlinks
       before exiting.

              $ keyctl unlink 23 27

   Move a key between keyrings.
       keyctl move  [-f] <key> <from_keyring> <to_keyring>

       This command moves a key from one keyring to another, atomically
       combining "keyctl unlink <key> <from_keyring>" and "keyctl link
       <key> <to_keyring>".

       If the "-f" flag is present, any matching key will be displaced
       from "to_keyring"; if not present, the command will fail with the
       error message "File exists" if the key would otherwise displace
       another key from "to_keyring".

              $ keyctl move 23 27 29
              $ keyctl move -f 71 @u @s

   Search a keyring
       keyctl search <keyring> <type> <desc> [<dest_keyring>]

       This command non-recursively searches a keyring for a key of a
       particular type and description. If found, the ID of the key will
       be printed on stdout and the key will be attached to the
       destination keyring if present. Error "Requested key not
       available" will be returned if the key is not found.

              $ keyctl search @us user debug:hello
              23
              $ keyctl search @us user debug:bye
              keyctl_search: Requested key not available

   Restrict a keyring
       keyctl restrict_keyring <keyring> [<type> [<restriction>]]

       This command limits the linkage of keys to the given keyring
       using a provided restriction scheme. The scheme is associated
       with a given key type, with further details provided in the
       restriction option string.  Options typically contain a
       restriction name possibly followed by key ids or other data
       relevant to the restriction. If no restriction scheme is
       provided, the keyring will reject all links.

              $ keyctl restrict_keyring $1 asymmetric builtin_trusted

   Read a key
       keyctl read <key>
       keyctl pipe <key>
       keyctl print <key>

       These commands read the payload of a key. "read" prints it on
       stdout as a hex dump, "pipe" dumps the raw data to stdout and
       "print" dumps it to stdout directly if it's entirely printable or
       as a hexdump preceded by ":hex:" if not.

       If the key type does not support reading of the payload, then
       error "Operation not supported" will be returned.

              $ keyctl read 26
              1 bytes of data in key:
              62
              $ keyctl print 26
              b
              $ keyctl pipe 26
              b$

   List a keyring
       keyctl list <keyring>
       keyctl rlist <keyring>

       These commands list the contents of a key as a keyring. "list"
       pretty prints the contents and "rlist" just produces a space-
       separated list of key IDs.

       No attempt is made to check that the specified keyring is a
       keyring.

              $ keyctl list @us
              2 keys in keyring:
                     22: vrwsl----------  4043    -1 keyring: _uid.4043
                     23: vrwsl----------  4043  4043 user: debug:hello
              $ keyctl rlist @us
              22 23

   Describe a key
       keyctl describe <keyring>
       keyctl rdescribe <keyring> [sep]

       These commands fetch a description of a keyring. "describe"
       pretty prints the description in the same fashion as the "list"
       command; "rdescribe" prints the raw data returned from the
       kernel.

              $ keyctl describe @us
                     -5: vrwsl----------  4043    -1 keyring: _uid_ses.4043
              $ keyctl rdescribe @us
              keyring;4043;-1;3f1f0000;_uid_ses.4043

       The raw string is "<type>;<uid>;<gid>;<perms>;<description>",
       where uid and gid are the decimal user and group IDs, perms is
       the permissions mask in hex, type and description are the type
       name and description strings (neither of which will contain
       semicolons).

   Change the access controls on a key
       keyctl chown <key> <uid>
       keyctl chgrp <key> <gid>

       These two commands change the UID and GID associated with
       evaluating a key's permissions mask. The UID also governs which
       quota a key is taken out of.

       The chown command is not currently supported; attempting it will
       earn the error "Operation not supported" at best.

       For non-superuser users, the GID may only be set to the process's
       GID or a GID in the process's groups list. The superuser may set
       any GID it likes.

              $ sudo keyctl chown 27 0
              keyctl_chown: Operation not supported
              $ sudo keyctl chgrp 27 0

   Set the permissions mask on a key
       keyctl setperm <key> <mask>

       This command changes the permission control mask on a key. The
       mask may be specified as a hex number if it begins "0x", an octal
       number if it begins "0" or a decimal number otherwise.

       The hex numbers are a combination of:

              Possessor UID       GID       Other     Permission Granted
              ========  ========  ========  ========  ==================
              01000000  00010000  00000100  00000001  View
              02000000  00020000  00000200  00000002  Read
              04000000  00040000  00000400  00000004  Write
              08000000  00080000  00000800  00000008  Search
              10000000  00100000  00001000  00000010  Link
              20000000  00200000  00002000  00000020  Set Attribute
              3f000000  003f0000  00003f00  0000003f  All

       View permits the type, description and other parameters of a key
       to be viewed.

       Read permits the payload (or keyring list) to be read if
       supported by the type.

       Write permits the payload (or keyring list) to be modified or
       updated.

       Search on a key permits it to be found when a keyring to which it
       is linked is searched.

       Link permits a key to be linked to a keyring.

       Set Attribute permits a key to have its owner, group membership,
       permissions mask and timeout changed.

              $ keyctl setperm 27 0x1f1f1f00

   Start a new session with fresh keyrings
       keyctl session
       keyctl session - [<prog> <arg1> <arg2> ...]
       keyctl session <name> [<prog> <arg1> <arg2> ...]

       These commands join or create a new keyring and then run a shell
       or other program with that keyring as the session key.

       The variation with no arguments just creates an anonymous session
       keyring and attaches that as the session keyring; it then exec's
       $SHELL.

       The variation with a dash in place of a name creates an anonymous
       session keyring and attaches that as the session keyring; it then
       exec's the supplied command, or $SHELL if one isn't supplied.

       The variation with a name supplied creates or joins the named
       keyring and attaches that as the session keyring; it then exec's
       the supplied command, or $SHELL if one isn't supplied.

              $ keyctl rdescribe @s
              keyring;4043;-1;3f1f0000;_uid_ses.4043

              $ keyctl session
              Joined session keyring: 28

              $ keyctl rdescribe @s
              keyring;4043;4043;3f1f0000;_ses.24082

              $ keyctl session -
              Joined session keyring: 29
              $ keyctl rdescribe @s
              keyring;4043;4043;3f1f0000;_ses.24139

              $ keyctl session - keyctl rdescribe @s
              Joined session keyring: 30
              keyring;4043;4043;3f1f0000;_ses.24185

              $ keyctl session fish
              Joined session keyring: 34
              $ keyctl rdescribe @s
              keyring;4043;4043;3f1f0000;fish

              $ keyctl session fish keyctl rdesc @s
              Joined session keyring: 35
              keyring;4043;4043;3f1f0000;fish

   Instantiate a key
       keyctl instantiate [-x] <key> <data> <keyring>
       keyctl pinstantiate [-x] <key> <keyring>
       keyctl negate <key> <timeout> <keyring>
       keyctl reject <key> <timeout> <error> <keyring>

       These commands are used to attach data to a partially set up key
       (as created by the kernel and passed to /sbin/request-key).
       "instantiate" marks a key as being valid and attaches the data as
       the payload.  "negate" and "reject" mark a key as invalid and
       sets a timeout on it so that it'll go away after a while.  This
       prevents a lot of quickly sequential requests from slowing the
       system down overmuch when they all fail, as all subsequent
       requests will then fail with error "Requested key not found" (if
       negated) or the specified error (if rejected) until the negative
       key has expired.

       Reject's error argument can either be a UNIX error number or one
       of 'rejected', 'expired' or 'revoked'.

       The newly instantiated key will be attached to the specified
       keyring.

       These commands may only be run from the program run by
       request-key - a special authorisation key is set up by the kernel
       and attached to the request-key's session keyring. This special
       key is revoked once the key to which it refers has been
       instantiated one way or another.

              $ keyctl instantiate $1 "Debug $3" $4
              $ keyctl negate $1 30 $4
              $ keyctl reject $1 30 64 $4

       The pinstantiate variant of the command reads the data from stdin
       rather than taking it from the command line:

              $ echo -n "Debug $3" | keyctl pinstantiate $1 $4

       If -x is given, then the data is hex-decoded with whitespace
       being discarded:

              $ echo 01 02 03 04 | keyctl pinstantiate -x $1 $4

   Set the expiry time on a key
       keyctl timeout <key> <timeout>

       This command is used to set the timeout on a key, or clear an
       existing timeout if the value specified is zero. The timeout is
       given as a number of seconds into the future.

              $ keyctl timeout $1 45

   Retrieve a key's security context
       keyctl security <key>

       This command is used to retrieve a key's LSM security context.
       The label is printed on stdout.

              $ keyctl security @s
              unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

   Give the parent process a new session keyring
       keyctl new_session [<name>]

       This command is used to give the invoking process (typically a
       shell) a new session keyring, discarding its old session keyring.
       If a name is given, the keyring is given that name, otherwise it
       will be given a name of "_ses" and will not be manually joinable.

              $  keyctl session foo
              Joined session keyring: 723488146
              $  keyctl show
              Session Keyring
                     -3 --alswrv      0     0  keyring: foo
              $  keyctl new_session
              490511412
              $  keyctl show
              Session Keyring
                     -3 --alswrv      0     0  keyring: _ses

       Note that this affects the parent of the process that invokes the
       system call, and so may only affect processes with matching
       credentials.  Furthermore, the change does not take effect till
       the parent process next transitions from kernel space to user
       space - typically when the wait() system call returns.

   Remove dead keys from the session keyring tree
       keyctl reap

       This command performs a depth-first search of the caller's
       session keyring tree and attempts to unlink any key that it finds
       that is inaccessible due to expiry, revocation, rejection or
       negation.  It does not attempt to remove live keys that are
       unavailable simply due to a lack of granted permission.

       A key that is designated reapable will only be removed from a
       keyring if the caller has Write permission on that keyring, and
       only keyrings that grant Search permission to the caller will be
       searched.

       The command prints the number of keys reaped before it exits.  If
       the -v flag is passed then the reaped keys are listed as they're
       being reaped, together with the success or failure of the unlink.

   Remove matching keys from the session keyring tree
       keyctl purge <type>
       keyctl purge [-i] [-p] <type> <desc>
       keyctl purge -s <type> <desc>

       These commands perform a depth-first search to find matching keys
       in the caller's session keyring tree and attempts to unlink them.
       The number of keys successfully unlinked is printed at the end.

       The keyrings must grant Read and View permission to the caller to
       be searched, and the keys to be removed must also grant View
       permission.  Keys can only be removed from keyrings that grant
       Write permission.

       The first variant purges all keys of the specified type.

       The second variant purges all keys of the specified type that
       also match the given description literally.  The -i flag allows a
       case-independent match and the -p flag allows a prefix match.

       The third variant purges all keys of the specified type and
       matching description using the key type's comparator in the
       kernel to match the description.  This permits the key type to
       match a key with a variety of descriptions.

   Get persistent keyring
       keyctl get_persistent <keyring> [<uid>]

       This command gets the persistent keyring for either the current
       UID or the specified UID and attaches it to the nominated
       keyring.  The persistent keyring's ID will be printed on stdout.

       The kernel will create the keyring if it doesn't exist and every
       time this command is called, will reset the expiration timeout on
       the keyring to the value in:

              /proc/sys/kernel/keys/persistent_keyring_expiry

       (by default three days).  Should the timeout be reached, the
       persistent keyring will be removed and everything it pins can
       then be garbage collected.

       If a UID other than the process's real or effective UIDs is
       specified, then an error will be given if the process does not
       have the CAP_SETUID capability.

   Compute a Diffie-Hellman shared secret or public key
       keyctl dh_compute <private> <prime> <base>

       This command computes either a Diffie-Hellman shared secret or
       the public key corresponding to the provided private key using
       the payloads of three keys. The computation is:

              base ^ private (mod prime)

       The three inputs must be user keys with read permission. If the
       provided base key contains the shared generator value, the public
       key will be computed.  If the provided base key contains the
       remote public key value, the shared secret will be computed.

       The result is printed to stdout as a hex dump.

              $ keyctl dh_compute $1 $2 $3
              8 bytes of data in result:
              00010203 04050607

   Compute a Diffie-Hellman shared secret and derive key material
       keyctl dh_compute_kdf <private> <prime> <base> <output_length>
       <hash_type>

       This command computes a Diffie-Hellman shared secret and derives
       key material from the shared secret using a key derivation
       function (KDF).  The shared secret is derived as outlined above
       and is input to the KDF using the specified hash type. The hash
       type must point to a hash name known to the kernel crypto API.

       The operation derives key material of the length specified by the
       caller.

       The operation is compliant to the specification of SP800-56A.

       The result is printed to stdout as hex dump.

   Compute a Diffie-Hellman shared secret and apply KDF with other input

       keyctl dh_compute_kdf_oi [-x] <private> <prime> <base>
       <output_length> <hash_type>

       This command is identical to the command dh_compute_kdf to
       generate a Diffie-Hellman shared secret followed by a key
       derivation operation. This command allows the caller to provide
       the other input data (OI data) compliant to SP800-56A via stdin.

       If -x is given, then the data passed to stdin is hex-decoded with
       whitespace being discarded.

   Perform public-key operations with an asymmetric key
       keyctl pkey_query <key> <pass> [k=v]*
       keyctl pkey_encrypt <key> <pass> <datafile> [k=v]* > <encfile>
       keyctl pkey_decrypt <key> <pass> <encfile> [k=v]* > <datafile>
       keyctl pkey_sign <key> <pass> <datafile> [k=v]* > <sigfile>
       keyctl pkey_verify <key> <pass> <datafile> <sigfile> [k=v]*

       These commands query an asymmetric key, encrypt data with it,
       decrypt the encrypted data, generate a signature over some data
       and verify that signature.  For encrypt, decrypt and sign, the
       resulting data is written to stdout; verify reads the data and
       the signature files and compares them.

       [!] NOTE that the data is of very limited capacity, with no more
       bits than the size of the key.  For signatures, the caller is
       expected to digest the actual data and pass in the result of the
       digest as the datafile.  The name of the digest should be
       specified on the end of the command line as "hash=<name>".

       The key ID indicates the key to use; pass is a placeholder for
       future password provision and should be "0" for the moment;
       datafile is the unencrypted data to be encrypted, signed or to
       have its signature checked; encfile is a file containing
       encrypted data; and sigfile is a file containing a signature.

       A list of parameters in "key[=val]" form can be included on the
       end of the command line.  These specify things like the digest
       algorithm used ("hash=<name>") or the encoding form
       ("enc=<type>").

              k=`keyctl padd asymmetric "" @s <key.pkcs8.der`
              keyctl pkey_query $k 0 enc=pkcs1 hash=sha256
              keyctl pkey_encrypt $k 0 foo.hash enc=pkcs1 >foo.enc
              keyctl pkey_decrypt $k 0 foo.enc enc=pkcs1 >foo.hash
              keyctl pkey_sign $k 0 foo.hash enc=pkcs1 hash=sha256 >foo.sig
              keyctl pkey_verify $k 0 foo.hash foo.sig enc=pkcs1 hash=sha256

       See asymmetric-key(7) for more information.

   Change notifications
       keyctl watch [-f<filters>] <key>
       keyctl watch_session [-f <filters>] [-n <name>] \
                       <notifylog> <gclog> <fd> <prog> [<arg1> <arg2>
       ...]  keyctl watch_add <fd> <key>
       keyctl watch_rm <fd> <key>

       The watch command watches a single key, printing notifications to
       stdout until the key is destroyed.  Filters can be employed to
       cut down the events that will be delivered.  The filter string is
       a series of letters, each one of which enables a particular event
       subtype:

              i - The key has been instantiated
              p - The key has been updated
              l - A link has been added to a keyring
              n - A link has been removed from a keyring
              c - A keyring has been cleared
              r - A key has been revoked
              v - A key has been invalidated
              s - A key has had its attributes changed

       The output of the command looks like:

              <keyid> <event> [<aux>]

       Where keyid is the primary subject of the notification, op is the
       event and aux is the secondary key if there is one (such as link
       where the primary key is the keyring secondary key is the key
       being linked in to it).  For example:

              255913279 link 340681059
              255913279 clr

       An additional notication is generated when a key being watched is
       garbage collected, e.g.:

              255913279 gc

       The watch_session command creates a new session keyring, with
       name name if given, watches it for notifications and runs program
       prog with it.  The program is given the specified arguments.

       A second process is forked off to monitor the notifications.  The
       output from that is directed to the files notifylog for most
       notifications and gclog for key removal notifications (which are
       asynchronous and may be deferred).

       The watch_queue(7) device is exported to the program attached to
       fd number fd.  This can be passed by the other two commands.

       The watch_add command adds a watch on key to the watch_queue
       attached to fd as exported by watch_session and the watch_rm
       caommand removes it.  A watch_queue can handle multiple keys and
       even non-keys sources as well.

ERRORS         top

       There are a number of common errors returned by this program:

       "Not a directory" - a key wasn't a keyring.

       "Requested key not found" - the looked for key isn't available.

       "Key has been revoked" - a revoked key was accessed.

       "Key has expired" - an expired key was accessed.

       "Permission denied" - permission was denied by a UID/GID/mask
       combination.

SEE ALSO         top

       keyctl(1), keyctl(2), request_key(2), keyctl(3),
       request-key.conf(5), keyrings(7), request-key(8)

COLOPHON         top

       This page is part of the keyutils (key management utilities)
       project.  Information about the project can be found at [unknown
       -- if you know, please contact man-pages@man7.org] If you have a
       bug report for this manual page, send it to
       keyrings@linux-nfs.org.  This page was obtained from the
       project's upstream Git repository
       ⟨http://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git⟩
       on 2024-06-14.  (At that time, the date of the most recent commit
       that was found in the repository was 2023-03-20.)  If you
       discover any rendering problems in this HTML version of the page,
       or you believe there is a better or more up-to-date source for
       the page, or you have corrections or improvements to the
       information in this COLOPHON (which is not part of the original
       manual page), send a mail to man-pages@man7.org

Linux                          20 Feb 2014                     KEYCTL(1)

Pages that refer to this page: keyctl(1)systemd-ask-password(1)add_key(2)keyctl(2)request_key(2)keyctl(3)keyctl_capabilities(3)keyctl_chown(3)keyctl_clear(3)keyctl_describe(3)keyctl_dh_compute(3)keyctl_get_keyring_ID(3)keyctl_get_persistent(3)keyctl_get_security(3)keyctl_instantiate(3)keyctl_invalidate(3)keyctl_join_session_keyring(3)keyctl_link(3)keyctl_move(3)keyctl_pkey_encrypt(3)keyctl_pkey_query(3)keyctl_pkey_sign(3)keyctl_read(3)keyctl_restrict_keyring(3)keyctl_revoke(3)keyctl_search(3)keyctl_session_to_parent(3)keyctl_setperm(3)keyctl_set_reqkey_keyring(3)keyctl_set_timeout(3)keyctl_update(3)keyctl_watch_key(3)crypttab(5)request-key.conf(5)asymmetric-key(7)keyrings(7)keyutils(7)persistent-keyring(7)process-keyring(7)session-keyring(7)thread-keyring(7)user-keyring(7)user-session-keyring(7)cryptsetup-luksAddKey(8)cryptsetup-luksResume(8)cryptsetup-open(8)e4crypt(8)pam_keyinit(8)request-key(8)