Manpages - keyutils.7

keyutils - in-kernel key management utilities

The keyutils package is a library and a set of utilities for accessing the kernel keyrings facility.

A header file is supplied to provide the definitions and declarations required to access the library:

#include <keyutils.h>

To link with the library, the following:

-lkeyutils

should be specified to the linker.

Three system calls are provided:

*add_key*(2)

Supply a new key to the kernel.

*request_key*(2)

Find an existing key for use, or, optionally, create one if one does not exist.

*keyctl*(2)

Control a key in various ways. The library provides a variety of wrappers around this system call and those should be used rather than calling it directly.

See the *add_key*(2), *request_key*(2), and *keyctl*(2) manual pages for more information.

The *keyctl*() wrappers are listed on the *keyctl*(3) manual page.

A program is provided to interact with the kernel facility by a number of subcommands, e.g.:

keyctl add user foo bar @s

See the *keyctl*(1) manual page for information on that.

The kernel has the ability to upcall to userspace to fabricate new keys. This can be triggered by *request_key*(), but userspace is better off using *add_key*() instead if it possibly can.

The upcalling mechanism is usually routed via the *request-key*(8) program. What this does with any particular key is configurable in:

/etc/request-key.conf
etc/request-key.d

See the *request-key.conf*(5) and the *request-key*(8) manual pages for more information.

*keyctl*(1), *keyctl*(3), *keyrings*(7), *persistent-keyring*(7), *process-keyring*(7), *session-keyring*(7), *thread-keyring*(7), *user-keyring*(7), *user-session-keyring*(7), *pam_keyinit*(8)