add_key(2) — Linux manual page


add_key(2)                 System Calls Manual                add_key(2)

NAME         top

       add_key - add a key to the kernel's key management facility

LIBRARY         top

       Standard C library (libc, -lc)

SYNOPSIS         top

       #include <keyutils.h>

       key_serial_t add_key(const char *type, const char *description,
                            const void payload[.plen], size_t plen,
                            key_serial_t keyring);

       Note: There is no glibc wrapper for this system call; see NOTES.

DESCRIPTION         top

       add_key() creates or updates a key of the given type and
       description, instantiates it with the payload of length plen,
       attaches it to the nominated keyring, and returns the key's
       serial number.

       The key may be rejected if the provided data is in the wrong
       format or it is invalid in some other way.

       If the destination keyring already contains a key that matches
       the specified type and description, then, if the key type
       supports it, that key will be updated rather than a new key being
       created; if not, a new key (with a different ID) will be created
       and it will displace the link to the extant key from the keyring.

       The destination keyring serial number may be that of a valid
       keyring for which the caller has write permission.
       Alternatively, it may be one of the following special keyring

              This specifies the caller's thread-specific keyring

              This specifies the caller's process-specific keyring

              This specifies the caller's session-specific keyring

              This specifies the caller's UID-specific keyring

              This specifies the caller's UID-session keyring

   Key types
       The key type is a string that specifies the key's type.
       Internally, the kernel defines a number of key types that are
       available in the core key management code.  Among the types that
       are available for user-space use and can be specified as the type
       argument to add_key() are the following:

              Keyrings are special key types that may contain links to
              sequences of other keys of any type.  If this interface is
              used to create a keyring, then payload should be NULL and
              plen should be zero.

       "user" This is a general purpose key type whose payload may be
              read and updated by user-space applications.  The key is
              kept entirely within kernel memory.  The payload for keys
              of this type is a blob of arbitrary data of up to 32,767

       "logon" (since Linux 3.3)
              This key type is essentially the same as "user", but it
              does not permit the key to read.  This is suitable for
              storing payloads that you do not want to be readable from
              user space.

       This key type vets the description to ensure that it is qualified
       by a "service" prefix, by checking to ensure that the description
       contains a ':' that is preceded by other characters.

       "big_key" (since Linux 3.13)
              This key type is similar to "user", but may hold a payload
              of up to 1 MiB.  If the key payload is large enough, then
              it may be stored encrypted in tmpfs (which can be swapped
              out) rather than kernel memory.

       For further details on these key types, see keyrings(7).

RETURN VALUE         top

       On success, add_key() returns the serial number of the key it
       created or updated.  On error, -1 is returned and errno is set to
       indicate the error.

ERRORS         top

       EACCES The keyring wasn't available for modification by the user.

       EDQUOT The key quota for this user would be exceeded by creating
              this key or linking it to the keyring.

       EFAULT One or more of type, description, and payload points
              outside process's accessible address space.

       EINVAL The size of the string (including the terminating null
              byte) specified in type or description exceeded the limit
              (32 bytes and 4096 bytes respectively).

       EINVAL The payload data was invalid.

       EINVAL type was "logon" and the description was not qualified
              with a prefix string of the form "service:".

              The keyring has expired.

              The keyring has been revoked.

       ENOKEY The keyring doesn't exist.

       ENOMEM Insufficient memory to create a key.

       EPERM  The type started with a period ('.').  Key types that
              begin with a period are reserved to the implementation.

       EPERM  type was "keyring" and the description started with a
              period ('.').  Keyrings with descriptions (names) that
              begin with a period are reserved to the implementation.

STANDARDS         top


HISTORY         top

       Linux 2.6.10.

NOTES         top

       glibc does not provide a wrapper for this system call.  A wrapper
       is provided in the libkeyutils library.  (The accompanying
       package provides the <keyutils.h> header file.)  When employing
       the wrapper in that library, link with -lkeyutils.

EXAMPLES         top

       The program below creates a key with the type, description, and
       payload specified in its command-line arguments, and links that
       key into the session keyring.  The following shell session
       demonstrates the use of the program:

           $ ./a.out user mykey "Some payload"
           Key ID is 64a4dca
           $ grep '64a4dca' /proc/keys
           064a4dca I--Q---    1 perm 3f010000  1000  1000 user    mykey: 12

   Program source

       #include <keyutils.h>
       #include <stdint.h>
       #include <stdio.h>
       #include <stdlib.h>
       #include <string.h>

       main(int argc, char *argv[])
           key_serial_t key;

           if (argc != 4) {
               fprintf(stderr, "Usage: %s type description payload\n",

           key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]),
           if (key == -1) {

           printf("Key ID is %jx\n", (uintmax_t) key);


SEE ALSO         top

       keyctl(1), keyctl(2), request_key(2), keyctl(3), keyrings(7),
       keyutils(7), persistent-keyring(7), process-keyring(7),
       session-keyring(7), thread-keyring(7), user-keyring(7),

       The kernel source files Documentation/security/keys/core.rst and
       Documentation/keys/request-key.rst (or, before Linux 4.13, in the
       files Documentation/security/keys.txt and

COLOPHON         top

       This page is part of the man-pages (Linux kernel and C library
       user-space interface documentation) project.  Information about
       the project can be found at 
       ⟨⟩.  If you have a bug report
       for this manual page, see
       This page was obtained from the tarball man-pages-6.9.1.tar.gz
       fetched from
       ⟨⟩ on
       2024-06-26.  If you discover any rendering problems in this HTML
       version of the page, or you believe there is a better or more up-
       to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not
       part of the original manual page), send a mail to

Linux man-pages 6.9.1          2024-06-15                     add_key(2)

Pages that refer to this page: keyctl(2)request_key(2)syscalls(2)keyctl(3)keyctl_capabilities(3)keyctl_chown(3)keyctl_clear(3)keyctl_describe(3)keyctl_get_keyring_ID(3)keyctl_get_persistent(3)keyctl_get_security(3)keyctl_instantiate(3)keyctl_invalidate(3)keyctl_join_session_keyring(3)keyctl_link(3)keyctl_move(3)keyctl_pkey_encrypt(3)keyctl_pkey_query(3)keyctl_pkey_sign(3)keyctl_read(3)keyctl_revoke(3)keyctl_search(3)keyctl_session_to_parent(3)keyctl_setperm(3)keyctl_set_reqkey_keyring(3)keyctl_set_timeout(3)keyctl_update(3)keyctl_watch_key(3)proc_pid_attr(5)asymmetric-key(7)keyrings(7)keyutils(7)