.\" Copyright, the authors of the Linux man-pages project
.\"
.\" SPDX-License-Identifier: Linux-man-pages-copyleft
.\"
.TH keyctl 2 2025-09-21 "Linux man-pages (unreleased)"
.SH NAME
keyctl \- manipulate the kernel's key management facility
.SH LIBRARY
Standard C library
.RI ( libc ,\~ \-lc )
.SH SYNOPSIS
.nf
.BR "#include <linux/keyctl.h>" "  /* Definition of " KEY* " constants */"
.BR "#include <sys/syscall.h>" "   /* Definition of " SYS_* " constants */"
.B #include <unistd.h>
.P
.BI "long syscall(SYS_keyctl, int " op ", ...);"
.fi
.SH DESCRIPTION
.BR keyctl ()
allows user-space programs to perform key manipulation.
.P
The operation performed by
.BR keyctl ()
is determined by the value of the
.I op
argument.
Each of these operations is wrapped by the
.I libkeyutils
library (provided by the
.I keyutils
package) into individual functions (see
.BR keyctl (3))
to permit the compiler to check types.
.P
The permitted values for
.I op
are:
.TP
.BR KEYCTL_GET_KEYRING_ID (2const)
.TQ
.BR KEYCTL_JOIN_SESSION_KEYRING (2const)
.TQ
.BR KEYCTL_UPDATE (2const)
.TQ
.BR KEYCTL_REVOKE (2const)
.TQ
.BR KEYCTL_CHOWN (2const)
.TQ
.BR KEYCTL_SETPERM (2const)
.TQ
.BR KEYCTL_DESCRIBE (2const)
.TQ
.BR KEYCTL_CLEAR (2const)
.TQ
.BR KEYCTL_LINK (2const)
.TQ
.BR KEYCTL_UNLINK (2const)
.TQ
.BR KEYCTL_SEARCH (2const)
.TQ
.BR KEYCTL_READ (2const)
.TQ
.BR KEYCTL_INSTANTIATE (2const)
.TQ
.BR KEYCTL_INSTANTIATE_IOV (2const)
.TQ
.BR KEYCTL_NEGATE (2const)
.TQ
.BR KEYCTL_REJECT (2const)
.TQ
.BR KEYCTL_SET_REQKEY_KEYRING (2const)
.TQ
.BR KEYCTL_SET_TIMEOUT (2const)
.TQ
.BR KEYCTL_ASSUME_AUTHORITY (2const)
.TQ
.BR KEYCTL_GET_SECURITY (2const)
.TQ
.BR KEYCTL_SESSION_TO_PARENT (2const)
.TQ
.BR KEYCTL_INVALIDATE (2const)
.TQ
.BR KEYCTL_GET_PERSISTENT (2const)
.TQ
.BR KEYCTL_DH_COMPUTE (2const)
.TQ
.BR KEYCTL_RESTRICT_KEYRING (2const)
.SH RETURN VALUE
For a successful call, the return value depends on the operation.
.P
On error, \-1 is returned, and
.I errno
is set to indicate the error.
.SH ERRORS
.TP
.B EACCES
The requested operation wasn't permitted.
.TP
.B EDQUOT
The key quota for the caller's user would be exceeded by creating a key or
linking it to the keyring.
.TP
.B EINVAL
size of the string (including the terminating null byte) specified in
.I arg3
(the key type)
or
.I arg4
(the key description)
exceeded the limit (32 bytes and 4096 bytes respectively).
.TP
.B EKEYEXPIRED
An expired key was found or specified.
.TP
.B EKEYREJECTED
A rejected key was found or specified.
.TP
.B EKEYREVOKED
A revoked key was found or specified.
.TP
.B ENOKEY
No matching key was found or an invalid key was specified.
.TP
.B ENOMEM
One of kernel memory allocation routines failed during the execution of the
syscall.
.TP
.B ENOTDIR
A key of keyring type was expected but the ID of a key with
a different type was provided.
.SH VERSIONS
A wrapper is provided in the
.I libkeyutils
library.
(The accompanying package provides the
.I <keyutils.h>
header file.)
However, rather than using this system call directly,
you probably want to use the various library functions
mentioned in the descriptions of individual operations above.
.SH STANDARDS
Linux.
.SH HISTORY
Linux 2.6.10.
.SH EXAMPLES
The program below provide subset of the functionality of the
.BR request\-key (8)
program provided by the
.I keyutils
package.
For informational purposes,
the program records various information in a log file.
.P
As described in
.BR request_key (2),
the
.BR request\-key (8)
program is invoked with command-line arguments that
describe a key that is to be instantiated.
The example program fetches and logs these arguments.
The program assumes authority to instantiate the requested key,
and then instantiates that key.
.P
The following shell session demonstrates the use of this program.
In the session,
we compile the program and then use it to temporarily replace the standard
.BR request\-key (8)
program.
(Note that temporarily disabling the standard
.BR request\-key (8)
program may not be safe on some systems.)
While our example program is installed,
we use the example program shown in
.BR request_key (2)
to request a key.
.P
.in +4n
.EX
.RB $ " cc \-o key_instantiate key_instantiate.c \-lkeyutils" ;
.RB $ " sudo mv /sbin/request\-key /sbin/request\-key.backup" ;
.RB $ " sudo cp key_instantiate /sbin/request\-key" ;
.RB $ " ./t_request_key user mykey somepayloaddata" ;
Key ID is 20d035bf
.RB $ " sudo mv /sbin/request\-key.backup /sbin/request\-key" ;
.EE
.in
.P
Looking at the log file created by this program,
we can see the command-line arguments supplied to our example program:
.P
.in +4n
.EX
.RB $ " cat /tmp/key_instantiate.log" ;
Time: Mon Nov  7 13:06:47 2016
\&
Command line arguments:
  argv[0]:            /sbin/request\-key
  operation:          create
  key_to_instantiate: 20d035bf
  UID:                1000
  GID:                1000
  thread_keyring:     0
  process_keyring:    0
  session_keyring:    256e6a6
\&
Key description:      user;1000;1000;3f010000;mykey
Auth key payload:     somepayloaddata
Destination keyring:  256e6a6
Auth key description: .request_key_auth;1000;1000;0b010000;20d035bf
.EE
.in
.P
The last few lines of the above output show that the example program
was able to fetch:
.IP \[bu] 3
the description of the key to be instantiated,
which included the name of the key
.RI ( mykey );
.IP \[bu]
the payload of the authorization key, which consisted of the data
.RI ( somepayloaddata )
passed to
.BR request_key (2);
.IP \[bu]
the destination keyring that was specified in the call to
.BR request_key (2);
and
.IP \[bu]
the description of the authorization key,
where we can see that the name of the authorization key matches
the ID of the key that is to be instantiated
.RI ( 20d035bf ).
.P
The example program in
.BR request_key (2)
specified the destination keyring as
.BR KEY_SPEC_SESSION_KEYRING .
By examining the contents of
.IR /proc/keys ,
we can see that this was translated to the ID of the destination keyring
.RI ( 0256e6a6 )
shown in the log output above;
we can also see the newly created key with the name
.I mykey
and ID
.IR 20d035bf .
.P
.in +4n
.EX
.RB $ " cat /proc/keys | egrep \[aq]mykey|256e6a6\[aq]" ;
0256e6a6 I\-\-Q\-\-\-  194 perm 3f030000  1000  1000 keyring  _ses: 3
20d035bf I\-\-Q\-\-\-    1 perm 3f010000  1000  1000 user     mykey: 16
.EE
.in
.SS Program source
\&
.\" SRC BEGIN (key_instantiate.c)
.EX
/* key_instantiate.c */
\&
#include <errno.h>
#include <keyutils.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>
\&
#ifndef KEY_SPEC_REQUESTOR_KEYRING
#define KEY_SPEC_REQUESTOR_KEYRING      (\-8)
#endif
\&
int
main(int argc, char *argv[])
{
    int           akp_size;       /* Size of auth_key_payload */
    int           auth_key;
    char          dbuf[256];
    char          auth_key_payload[256];
    char          *operation;
    FILE          *fp;
    gid_t         gid;
    uid_t         uid;
    time_t        t;
    key_serial_t  key_to_instantiate, dest_keyring;
    key_serial_t  thread_keyring, process_keyring, session_keyring;
\&
    if (argc != 8) {
        fprintf(stderr, "Usage: %s op key uid gid thread_keyring "
                        "process_keyring session_keyring\[rs]n", argv[0]);
        exit(EXIT_FAILURE);
    }
\&
    fp = fopen("/tmp/key_instantiate.log", "w");
    if (fp == NULL)
        exit(EXIT_FAILURE);
\&
    setbuf(fp, NULL);
\&
    t = time(NULL);
    fprintf(fp, "Time: %s\[rs]n", ctime(&t));
\&
    /*
     * The kernel passes a fixed set of arguments to the program
     * that it execs; fetch them.
     */
    operation = argv[1];
    key_to_instantiate = atoi(argv[2]);
    uid = atoi(argv[3]);
    gid = atoi(argv[4]);
    thread_keyring = atoi(argv[5]);
    process_keyring = atoi(argv[6]);
    session_keyring = atoi(argv[7]);
\&
    fprintf(fp, "Command line arguments:\[rs]n");
    fprintf(fp, "  argv[0]:            %s\[rs]n", argv[0]);
    fprintf(fp, "  operation:          %s\[rs]n", operation);
    fprintf(fp, "  key_to_instantiate: %jx\[rs]n",
            (uintmax_t) key_to_instantiate);
    fprintf(fp, "  UID:                %jd\[rs]n", (intmax_t) uid);
    fprintf(fp, "  GID:                %jd\[rs]n", (intmax_t) gid);
    fprintf(fp, "  thread_keyring:     %jx\[rs]n",
            (uintmax_t) thread_keyring);
    fprintf(fp, "  process_keyring:    %jx\[rs]n",
            (uintmax_t) process_keyring);
    fprintf(fp, "  session_keyring:    %jx\[rs]n",
            (uintmax_t) session_keyring);
    fprintf(fp, "\[rs]n");
\&
    /*
     * Assume the authority to instantiate the key named in argv[2].
     */
    if (keyctl(KEYCTL_ASSUME_AUTHORITY, key_to_instantiate) == \-1) {
        fprintf(fp, "KEYCTL_ASSUME_AUTHORITY failed: %s\[rs]n",
                strerror(errno));
        exit(EXIT_FAILURE);
    }
\&
    /*
     * Fetch the description of the key that is to be instantiated.
     */
    if (keyctl(KEYCTL_DESCRIBE, key_to_instantiate,
               dbuf, sizeof(dbuf)) == \-1) {
        fprintf(fp, "KEYCTL_DESCRIBE failed: %s\[rs]n", strerror(errno));
        exit(EXIT_FAILURE);
    }
\&
    fprintf(fp, "Key description:      %s\[rs]n", dbuf);
\&
    /*
     * Fetch the payload of the authorization key, which is
     * actually the callout data given to request_key().
     */
    akp_size = keyctl(KEYCTL_READ, KEY_SPEC_REQKEY_AUTH_KEY,
                      auth_key_payload, sizeof(auth_key_payload));
    if (akp_size == \-1) {
        fprintf(fp, "KEYCTL_READ failed: %s\[rs]n", strerror(errno));
        exit(EXIT_FAILURE);
    }
\&
    auth_key_payload[akp_size] = \[aq]\[rs]0\[aq];
    fprintf(fp, "Auth key payload:     %s\[rs]n", auth_key_payload);
\&
    /*
     * For interest, get the ID of the authorization key and
     * display it.
     */
    auth_key = keyctl(KEYCTL_GET_KEYRING_ID,
                      KEY_SPEC_REQKEY_AUTH_KEY);
    if (auth_key == \-1) {
        fprintf(fp, "KEYCTL_GET_KEYRING_ID failed: %s\[rs]n",
                strerror(errno));
        exit(EXIT_FAILURE);
    }
\&
    fprintf(fp, "Auth key ID:          %jx\[rs]n", (uintmax_t) auth_key);
\&
    /*
     * Fetch key ID for the request_key(2) destination keyring.
     */
    dest_keyring = keyctl(KEYCTL_GET_KEYRING_ID,
                          KEY_SPEC_REQUESTOR_KEYRING);
    if (dest_keyring == \-1) {
        fprintf(fp, "KEYCTL_GET_KEYRING_ID failed: %s\[rs]n",
                strerror(errno));
        exit(EXIT_FAILURE);
    }
\&
    fprintf(fp, "Destination keyring:  %jx\[rs]n", (uintmax_t) dest_keyring);
\&
    /*
     * Fetch the description of the authorization key.  This
     * allows us to see the key type, UID, GID, permissions,
     * and description (name) of the key.  Among other things,
     * we will see that the name of the key is a hexadecimal
     * string representing the ID of the key to be instantiated.
     */
    if (keyctl(KEYCTL_DESCRIBE, KEY_SPEC_REQKEY_AUTH_KEY,
               dbuf, sizeof(dbuf)) == \-1)
    {
        fprintf(fp, "KEYCTL_DESCRIBE failed: %s\[rs]n", strerror(errno));
        exit(EXIT_FAILURE);
    }
\&
    fprintf(fp, "Auth key description: %s\[rs]n", dbuf);
\&
    /*
     * Instantiate the key using the callout data that was supplied
     * in the payload of the authorization key.
     */
    if (keyctl(KEYCTL_INSTANTIATE, key_to_instantiate,
               auth_key_payload, akp_size + 1, dest_keyring) == \-1)
    {
        fprintf(fp, "KEYCTL_INSTANTIATE failed: %s\[rs]n",
                strerror(errno));
        exit(EXIT_FAILURE);
    }
\&
    exit(EXIT_SUCCESS);
}
.EE
.\" SRC END
.SH SEE ALSO
.ad l
.nh
.BR keyctl (1),
.BR add_key (2),
.BR request_key (2),
.\"     .BR find_key_by_type_and_name (3)
.\"     There is a man page, but this function seems not to exist
.BR keyctl (3),
.BR recursive_key_scan (3),
.BR recursive_session_key_scan (3),
.BR capabilities (7),
.BR credentials (7),
.BR keyrings (7),
.BR keyutils (7),
.BR persistent\-keyring (7),
.BR process\-keyring (7),
.BR session\-keyring (7),
.BR thread\-keyring (7),
.BR user\-keyring (7),
.BR user_namespaces (7),
.BR user\-session\-keyring (7),
.BR request\-key (8)
.P
The kernel source files under
.I Documentation/security/keys/
(or, before Linux 4.13, in the file
.IR Documentation/security/keys.txt ).