{ "mode": "man", "parameter": "KEYCTL", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/KEYCTL/1/json", "generated": "2026-06-15T14:38:17Z", "synopsis": "keyctl --version\nkeyctl supports []\nkeyctl show [-x] []\nkeyctl add \nkeyctl padd \nkeyctl request []\nkeyctl request2 []\nkeyctl prequest2 []\nkeyctl update \nkeyctl pupdate \nkeyctl newring \nkeyctl revoke \nkeyctl clear \nkeyctl link \nkeyctl unlink []\nkeyctl move [-f] \nkeyctl search []\nkeyctl restrictkeyring [ []]\nkeyctl read \nkeyctl pipe \nkeyctl print \nkeyctl list \nkeyctl rlist \nkeyctl describe \nkeyctl rdescribe [sep]\nkeyctl chown \nkeyctl chgrp \nkeyctl setperm \nkeyctl newsession\nkeyctl session\nkeyctl session - [ ...]\nkeyctl session [ ...]\nkeyctl instantiate \nkeyctl pinstantiate \nkeyctl negate \nkeyctl reject \nkeyctl timeout \nkeyctl security \nkeyctl reap [-v]\nkeyctl purge \nkeyctl purge [-i] [-p] \nkeyctl purge -s \nkeyctl getpersistent []\nkeyctl dhcompute \nkeyctl dhcomputekdf \nkeyctl dhcomputekdfoi \nkeyctl pkeyquery [k=v]*\nkeyctl pkeyencrypt [k=v]* >\nkeyctl pkeydecrypt [k=v]* >\nkeyctl pkeysign [k=v]* >\nkeyctl pkeydecrypt [k=v]*", "sections": { "NAME": { "content": "keyctl - key management facility control\n", "subsections": [] }, "SYNOPSIS": { "content": "keyctl --version\nkeyctl supports []\nkeyctl show [-x] []\nkeyctl add \nkeyctl padd \nkeyctl request []\nkeyctl request2 []\nkeyctl prequest2 []\nkeyctl update \nkeyctl pupdate \nkeyctl newring \nkeyctl revoke \nkeyctl clear \nkeyctl link \nkeyctl unlink []\nkeyctl move [-f] \nkeyctl search []\nkeyctl restrictkeyring [ []]\nkeyctl read \nkeyctl pipe \nkeyctl print \nkeyctl list \nkeyctl rlist \nkeyctl describe \nkeyctl rdescribe [sep]\nkeyctl chown \nkeyctl chgrp \nkeyctl setperm \nkeyctl newsession\nkeyctl session\nkeyctl session - [ ...]\nkeyctl session [ ...]\nkeyctl instantiate \nkeyctl pinstantiate \nkeyctl negate \nkeyctl reject \nkeyctl timeout \nkeyctl security \nkeyctl reap [-v]\nkeyctl purge \nkeyctl purge [-i] [-p] \nkeyctl purge -s \nkeyctl getpersistent []\nkeyctl dhcompute \nkeyctl dhcomputekdf \nkeyctl dhcomputekdfoi \nkeyctl pkeyquery [k=v]*\nkeyctl pkeyencrypt [k=v]* >\nkeyctl pkeydecrypt [k=v]* >\nkeyctl pkeysign [k=v]* >\nkeyctl pkeydecrypt [k=v]*\n", "subsections": [] }, "DESCRIPTION": { "content": "This program is used to control the key management facility in various ways using a variety\nof subcommands.\n", "subsections": [] }, "KEY IDENTIFIERS": { "content": "The key identifiers passed to or returned from keyctl are, in general, positive integers.\nThere are, however, some special values with special meanings that can be passed as argu‐\nments:\n\nNo key: 0\n\nThread keyring: @t or -1\nEach thread may have its own keyring. This is searched first, before all others. The\nthread keyring is replaced by (v)fork, exec and clone.\n\nProcess keyring: @p or -2\nEach process (thread group) may have its own keyring. This is shared between all mem‐\nbers of a group and will be searched after the thread keyring. The process keyring is\nreplaced by (v)fork and exec.\n\nSession keyring: @s or -3\nEach process subscribes to a session keyring that is inherited across (v)fork, exec\nand clone. This is searched after the process keyring. Session keyrings can be named\nand an extant keyring can be joined in place of a process's current session keyring.\n\nUser specific keyring: @u or -4\nThis keyring is shared between all the processes owned by a particular user. It isn't\nsearched directly, but is normally linked to from the session keyring.\n\nUser default session keyring: @us or -5\nThis is the default session keyring for a particular user. Login processes that change\nto a particular user will bind to this session until another session is set.\n\nGroup specific keyring: @g or -6\nThis is a place holder for a group specific keyring, but is not actually implemented\nyet in the kernel.\n\nAssumed requestkey authorisation key: @a or -7\nThis selects the authorisation key provided to the requestkey() helper to permit it\nto access the callers keyrings and instantiate the target key.\n\nKeyring by name: %:\nA named keyring. This will be searched for in the process's keyrings and in\n/proc/keys.\n\nKey by name: %:\nA named key of the given type. This will be searched for in the process's keyrings\nand in /proc/keys.\n", "subsections": [] }, "COMMAND SYNTAX": { "content": "Any non-ambiguous shortening of a command name may be used in lieu of the full command name.\nThis facility should not be used in scripting as new commands may be added in future that\nthen cause ambiguity.\n", "subsections": [ { "name": "Display the package version number", "content": "" }, { "name": "keyctl --version", "content": "This command prints the package version number and build date and exits:\n\n$ keyctl --version\nkeyctl from keyutils-1.5.3 (Built 2011-08-24)\n" }, { "name": "Query subsystem capabilities", "content": "keyctl supports []\n\nThis command can list the available capabilities:\n\n$ keyctl supports\nhavecapabilities=0\nhavepersistentkeyrings=1\nhavedhcompute=1\nhavepublickey=1\n\nAnd it can query a capability:\n\n$ keyctl supports pkey\necho $?\n0\n\nwhich returns 0 if the capability is supported, 1 if it isn't and 3 if the name is not recog‐\nnised. The capabilities supported are:\n" }, { "name": "capabilities", "content": "The kernel supports capability querying. If not, the other capabilities will be\nqueried as best libkeyutils can manage.\n\npersistentkeyrings\nThe kernel supports persistent keyrings.\n\ndhcompute\nThe kernel supports Diffie-Hellman computation operations.\n\npublickey\nThe kernel supports public key operations.\n\nbigkeytype\nThe kernel supports the bigkey key type.\n\nkeyinvalidate\nThe kernel supports the invalidate key operaiton.\n\nrestrictkeyring\nThe kernel supports the restrictkeyring operation.\n\nmovekey\nThe kernel supports the move key operation.\n\n" }, { "name": "Show process keyrings", "content": "" }, { "name": "keyctl show [-x] []", "content": "By default this command recursively shows what keyrings a process is subscribed to and what\nkeys and keyrings they contain. If a keyring is specified then that keyring will be dumped\ninstead. If -x is specified then the keyring IDs will be dumped in hex instead of decimal.\n" }, { "name": "Add a key to a keyring", "content": "keyctl add \nkeyctl padd \n\nThis command creates a key of the specified type and description; instantiates it with the\ngiven data and attaches it to the specified keyring. It then prints the new key's ID on std‐\nout:\n\n$ keyctl add user mykey stuff @u\n26\n\nThe padd variant of the command reads the data from stdin rather than taking it from the com‐\nmand line:\n\n$ echo -n stuff | keyctl padd user mykey @u 26\n" }, { "name": "Request a key", "content": "keyctl request []\nkeyctl request2 []\nkeyctl prequest2 []\n\nThese three commands request the lookup of a key of the given type and description. The\nprocess's keyrings will be searched, and if a match is found the matching key's ID will be\nprinted to stdout; and if a destination keyring is given, the key will be added to that\nkeyring also.\n\nIf there is no key, the first command will simply return the error ENOKEY and fail. The sec‐\nond and third commands will create a partial key with the type and description, and call out\nto /sbin/request-key with that key and the extra information supplied. This will then attempt\nto instantiate the key in some manner, such that a valid key is obtained.\n\nThe third command is like the second, except that the callout information is read from stdin\nrather than being passed on the command line.\n\nIf a valid key is obtained, the ID will be printed and the key attached as if the original\nsearch had succeeded.\n\nIf there wasn't a valid key obtained, a temporary negative key will be attached to the desti‐\nnation keyring if given and the error \"Requested key not available\" will be given.\n\n$ keyctl request2 user debug:hello wibble\n23\n$ echo -n wibble | keyctl prequest2 user debug:hello\n23\n$ keyctl request user debug:hello\n23\n" }, { "name": "Update a key", "content": "keyctl update \nkeyctl pupdate \n\nThis command replaces the data attached to a key with a new set of data. If the type of the\nkey doesn't support update then error \"Operation not supported\" will be returned.\n\n$ keyctl update 23 zebra\n\nThe pupdate variant of the command reads the data from stdin rather than taking it from the\ncommand line:\n\n$ echo -n zebra | keyctl pupdate 23\n" }, { "name": "Create a keyring", "content": "keyctl newring \n\nThis command creates a new keyring of the specified name and attaches it to the specified\nkeyring. The ID of the new keyring will be printed to stdout if successful.\n\n$ keyctl newring squelch @us\n27\n" }, { "name": "Revoke a key", "content": "keyctl revoke \n\nThis command marks a key as being revoked. Any further operations on that key (apart from un‐\nlinking it) will return error \"Key has been revoked\".\n\n$ keyctl revoke 26\n$ keyctl describe 26\nkeyctldescribe: Key has been revoked\n" }, { "name": "Clear a keyring", "content": "keyctl clear \n\nThis command unlinks all the keys attached to the specified keyring. Error \"Not a directory\"\nwill be returned if the key specified is not a keyring.\n\n$ keyctl clear 27\n" }, { "name": "Link a key to a keyring", "content": "keyctl link \n\nThis command makes a link from the key to the keyring if there's enough capacity to do so.\nError \"Not a directory\" will be returned if the destination is not a keyring. Error \"Permis‐\nsion denied\" will be returned if the key doesn't have link permission or the keyring doesn't\nhave write permission. Error \"File table overflow\" will be returned if the keyring is full.\nError \"Resource deadlock avoided\" will be returned if an attempt was made to introduce a re‐\ncursive link.\n\n$ keyctl link 23 27\n$ keyctl link 27 27\nkeyctllink: Resource deadlock avoided\n" }, { "name": "Unlink a key from a keyring or the session keyring tree", "content": "keyctl unlink []\n\nIf the keyring is specified, this command removes a link to the key from the keyring. Error\n\"Not a directory\" will be returned if the destination is not a keyring. Error \"Permission de‐\nnied\" will be returned if the keyring doesn't have write permission. Error \"No such file or\ndirectory\" will be returned if the key is not linked to by the keyring.\n\nIf the keyring is not specified, this command performs a depth-first search of the session\nkeyring tree and removes all the links to the nominated key that it finds (and that it is\npermitted to remove). It prints the number of successful unlinks before exiting.\n\n$ keyctl unlink 23 27\n" }, { "name": "Move a key between keyrings.", "content": "keyctl move [-f] \n\nThis command moves a key from one keyring to another, atomically combining \"keyctl unlink\n \" and \"keyctl link \".\n\nIf the \"-f\" flag is present, any matching key will be displaced from \"tokeyring\"; if not\npresent, the command will fail with the error message \"File exists\" if the key would other‐\nwise displace another key from \"tokeyring\".\n\n$ keyctl move 23 27 29\n$ keyctl move -f 71 @u @s\n" }, { "name": "Search a keyring", "content": "keyctl search []\n\nThis command non-recursively searches a keyring for a key of a particular type and descrip‐\ntion. If found, the ID of the key will be printed on stdout and the key will be attached to\nthe destination keyring if present. Error \"Requested key not available\" will be returned if\nthe key is not found.\n\n$ keyctl search @us user debug:hello\n23\n$ keyctl search @us user debug:bye\nkeyctlsearch: Requested key not available\n" }, { "name": "Restrict a keyring", "content": "keyctl restrictkeyring [ []]\n\nThis command limits the linkage of keys to the given keyring using a provided restriction\nscheme. The scheme is associated with a given key type, with further details provided in the\nrestriction option string. Options typically contain a restriction name possibly followed by\nkey ids or other data relevant to the restriction. If no restriction scheme is provided, the\nkeyring will reject all links.\n\n$ keyctl restrictkeyring $1 asymmetric builtintrusted\n" }, { "name": "Read a key", "content": "keyctl read \nkeyctl pipe \nkeyctl print \n\nThese commands read the payload of a key. \"read\" prints it on stdout as a hex dump, \"pipe\"\ndumps the raw data to stdout and \"print\" dumps it to stdout directly if it's entirely print‐\nable or as a hexdump preceded by \":hex:\" if not.\n\nIf the key type does not support reading of the payload, then error \"Operation not supported\"\nwill be returned.\n\n$ keyctl read 26\n1 bytes of data in key:\n62\n$ keyctl print 26\nb\n$ keyctl pipe 26\n$\n" }, { "name": "List a keyring", "content": "keyctl list \nkeyctl rlist \n\nThese commands list the contents of a key as a keyring. \"list\" pretty prints the contents and\n\"rlist\" just produces a space-separated list of key IDs.\n\nNo attempt is made to check that the specified keyring is a keyring.\n\n$ keyctl list @us\n2 keys in keyring:\n22: vrwsl---------- 4043 -1 keyring: uid.4043\n23: vrwsl---------- 4043 4043 user: debug:hello\n$ keyctl rlist @us\n22 23\n" }, { "name": "Describe a key", "content": "keyctl describe \nkeyctl rdescribe [sep]\n\nThese commands fetch a description of a keyring. \"describe\" pretty prints the description in\nthe same fashion as the \"list\" command; \"rdescribe\" prints the raw data returned from the\nkernel.\n\n$ keyctl describe @us\n-5: vrwsl---------- 4043 -1 keyring: uidses.4043\n$ keyctl rdescribe @us\nkeyring;4043;-1;3f1f0000;uidses.4043\n\nThe raw string is \";;;;\", where uid and gid are the deci‐\nmal user and group IDs, perms is the permissions mask in hex, type and description are the\ntype name and description strings (neither of which will contain semicolons).\n" }, { "name": "Change the access controls on a key", "content": "keyctl chown \nkeyctl chgrp \n\nThese two commands change the UID and GID associated with evaluating a key's permissions\nmask. The UID also governs which quota a key is taken out of.\n\nThe chown command is not currently supported; attempting it will earn the error \"Operation\nnot supported\" at best.\n\nFor non-superuser users, the GID may only be set to the process's GID or a GID in the\nprocess's groups list. The superuser may set any GID it likes.\n\n$ sudo keyctl chown 27 0\nkeyctlchown: Operation not supported\n$ sudo keyctl chgrp 27 0\n" }, { "name": "Set the permissions mask on a key", "content": "keyctl setperm \n\nThis command changes the permission control mask on a key. The mask may be specified as a hex\nnumber if it begins \"0x\", an octal number if it begins \"0\" or a decimal number otherwise.\n\nThe hex numbers are a combination of:\n\nPossessor UID GID Other Permission Granted\n======== ======== ======== ======== ==================\n01000000 00010000 00000100 00000001 View\n02000000 00020000 00000200 00000002 Read\n04000000 00040000 00000400 00000004 Write\n08000000 00080000 00000800 00000008 Search\n10000000 00100000 00001000 00000010 Link\n20000000 00200000 00002000 00000020 Set Attribute\n3f000000 003f0000 00003f00 0000003f All\n\nView permits the type, description and other parameters of a key to be viewed.\n\nRead permits the payload (or keyring list) to be read if supported by the type.\n\nWrite permits the payload (or keyring list) to be modified or updated.\n\nSearch on a key permits it to be found when a keyring to which it is linked is searched.\n\nLink permits a key to be linked to a keyring.\n\nSet Attribute permits a key to have its owner, group membership, permissions mask and timeout\nchanged.\n\n$ keyctl setperm 27 0x1f1f1f00\n" }, { "name": "Start a new session with fresh keyrings", "content": "" }, { "name": "keyctl session", "content": "keyctl session - [ ...]\nkeyctl session [ ...]\n\nThese commands join or create a new keyring and then run a shell or other program with that\nkeyring as the session key.\n\nThe variation with no arguments just creates an anonymous session keyring and attaches that\nas the session keyring; it then exec's $SHELL.\n\nThe variation with a dash in place of a name creates an anonymous session keyring and at‐\ntaches that as the session keyring; it then exec's the supplied command, or $SHELL if one\nisn't supplied.\n\nThe variation with a name supplied creates or joins the named keyring and attaches that as\nthe session keyring; it then exec's the supplied command, or $SHELL if one isn't supplied.\n\n$ keyctl rdescribe @s\nkeyring;4043;-1;3f1f0000;uidses.4043\n\n$ keyctl session\nJoined session keyring: 28\n\n$ keyctl rdescribe @s\nkeyring;4043;4043;3f1f0000;ses.24082\n\n$ keyctl session -\nJoined session keyring: 29\n$ keyctl rdescribe @s\nkeyring;4043;4043;3f1f0000;ses.24139\n\n$ keyctl session - keyctl rdescribe @s\nJoined session keyring: 30\nkeyring;4043;4043;3f1f0000;ses.24185\n\n$ keyctl session fish\nJoined session keyring: 34\n$ keyctl rdescribe @s\nkeyring;4043;4043;3f1f0000;fish\n\n$ keyctl session fish keyctl rdesc @s\nJoined session keyring: 35\nkeyring;4043;4043;3f1f0000;fish\n" }, { "name": "Instantiate a key", "content": "keyctl instantiate \nkeyctl pinstantiate \nkeyctl negate \nkeyctl reject \n\nThese commands are used to attach data to a partially set up key (as created by the kernel\nand passed to /sbin/request-key). \"instantiate\" marks a key as being valid and attaches the\ndata as the payload. \"negate\" and \"reject\" mark a key as invalid and sets a timeout on it so\nthat it'll go away after a while. This prevents a lot of quickly sequential requests from\nslowing the system down overmuch when they all fail, as all subsequent requests will then\nfail with error \"Requested key not found\" (if negated) or the specified error (if rejected)\nuntil the negative key has expired.\n\nReject's error argument can either be a UNIX error number or one of 'rejected', 'expired' or\n'revoked'.\n\nThe newly instantiated key will be attached to the specified keyring.\n\nThese commands may only be run from the program run by request-key - a special authorisation\nkey is set up by the kernel and attached to the request-key's session keyring. This special\nkey is revoked once the key to which it refers has been instantiated one way or another.\n\n$ keyctl instantiate $1 \"Debug $3\" $4\n$ keyctl negate $1 30 $4\n$ keyctl reject $1 30 64 $4\n\nThe pinstantiate variant of the command reads the data from stdin rather than taking it from\nthe command line:\n\n$ echo -n \"Debug $3\" | keyctl pinstantiate $1 $4\n" }, { "name": "Set the expiry time on a key", "content": "keyctl timeout \n\nThis command is used to set the timeout on a key, or clear an existing timeout if the value\nspecified is zero. The timeout is given as a number of seconds into the future.\n\n$ keyctl timeout $1 45\n" }, { "name": "Retrieve a key's security context", "content": "keyctl security \n\nThis command is used to retrieve a key's LSM security context. The label is printed on std‐\nout.\n\n$ keyctl security @s\nunconfinedu:unconfinedr:unconfinedt:s0-s0:c0.c1023\n" }, { "name": "Give the parent process a new session keyring", "content": "keyctl newsession\n\nThis command is used to give the invoking process (typically a shell) a new session keyring,\ndiscarding its old session keyring.\n\n$ keyctl session foo\nJoined session keyring: 723488146\n$ keyctl show\nSession Keyring\n-3 --alswrv 0 0 keyring: foo\n$ keyctl newsession\n490511412\n$ keyctl show\nSession Keyring\n-3 --alswrv 0 0 keyring: ses\n\nNote that this affects the parent of the process that invokes the system call, and so may\nonly affect processes with matching credentials. Furthermore, the change does not take ef‐\nfect till the parent process next transitions from kernel space to user space - typically\nwhen the wait() system call returns.\n" }, { "name": "Remove dead keys from the session keyring tree", "content": "" }, { "name": "keyctl reap", "content": "This command performs a depth-first search of the caller's session keyring tree and attempts\nto unlink any key that it finds that is inaccessible due to expiry, revocation, rejection or\nnegation. It does not attempt to remove live keys that are unavailable simply due to a lack\nof granted permission.\n\nA key that is designated reapable will only be removed from a keyring if the caller has Write\npermission on that keyring, and only keyrings that grant Search permission to the caller will\nbe searched.\n\nThe command prints the number of keys reaped before it exits. If the -v flag is passed then\nthe reaped keys are listed as they're being reaped, together with the success or failure of\nthe unlink.\n" }, { "name": "Remove matching keys from the session keyring tree", "content": "keyctl purge \nkeyctl purge [-i] [-p] \nkeyctl purge -s \n\nThese commands perform a depth-first search to find matching keys in the caller's session\nkeyring tree and attempts to unlink them. The number of keys successfully unlinked is\nprinted at the end.\n\nThe keyrings must grant Read and View permission to the caller to be searched, and the keys\nto be removed must also grant View permission. Keys can only be removed from keyrings that\ngrant Write permission.\n\nThe first variant purges all keys of the specified type.\n\nThe second variant purges all keys of the specified type that also match the given descrip‐\ntion literally. The -i flag allows a case-independent match and the -p flag allows a prefix\nmatch.\n\nThe third variant purges all keys of the specified type and matching description using the\nkey type's comparator in the kernel to match the description. This permits the key type to\nmatch a key with a variety of descriptions.\n" }, { "name": "Get persistent keyring", "content": "keyctl getpersistent []\n\nThis command gets the persistent keyring for either the current UID or the specified UID and\nattaches it to the nominated keyring. The persistent keyring's ID will be printed on stdout.\n\nThe kernel will create the keyring if it doesn't exist and every time this command is called,\nwill reset the expiration timeout on the keyring to the value in:\n\n/proc/sys/kernel/keys/persistentkeyringexpiry\n\n(by default three days). Should the timeout be reached, the persistent keyring will be re‐\nmoved and everything it pins can then be garbage collected.\n\nIf a UID other than the process's real or effective UIDs is specified, then an error will be\ngiven if the process does not have the CAPSETUID capability.\n" }, { "name": "Compute a Diffie-Hellman shared secret or public key", "content": "keyctl dhcompute \n\nThis command computes either a Diffie-Hellman shared secret or the public key corresponding\nto the provided private key using the payloads of three keys. The computation is:\n\nbase ^ private (mod prime)\n\nThe three inputs must be user keys with read permission. If the provided base key contains\nthe shared generator value, the public key will be computed. If the provided base key con‐\ntains the remote public key value, the shared secret will be computed.\n\nThe result is printed to stdout as a hex dump.\n\n$ keyctl dhcompute $1 $2 $3\n8 bytes of data in result:\n00010203 04050607\n" }, { "name": "Compute a Diffie-Hellman shared secret and derive key material", "content": "keyctl dhcomputekdf \n\nThis command computes a Diffie-Hellman shared secret and derives key material from the shared\nsecret using a key derivation function (KDF). The shared secret is derived as outlined above\nand is input to the KDF using the specified hash type. The hash type must point to a hash\nname known to the kernel crypto API.\n\nThe operation derives key material of the length specified by the caller.\n\nThe operation is compliant to the specification of SP800-56A.\n\nThe result is printed to stdout as hex dump.\n" }, { "name": "Compute a Diffie-Hellman shared secret and apply KDF with other input", "content": "keyctl dhcomputekdfoi \n\nThis command is identical to the command dhcomputekdf to generate a Diffie-Hellman shared\nsecret followed by a key derivation operation. This command allows the caller to provide the\nother input data (OI data) compliant to SP800-56A via stdin.\n" }, { "name": "Perform public-key operations with an asymmetric key", "content": "keyctl pkeyquery [k=v]*\nkeyctl pkeyencrypt [k=v]* > \nkeyctl pkeydecrypt [k=v]* > \nkeyctl pkeysign [k=v]* > \nkeyctl pkeyverify [k=v]*\n\nThese commands query an asymmetric key, encrypt data with it, decrypt the encrypted data,\ngenerate a signature over some data and verify that signature. For encrypt, decrypt and\nsign, the resulting data is written to stdout; verify reads the data and the signature files\nand compares them.\n\n[!] NOTE that the data is of very limited capacity, with no more bits than the size of the\nkey. For signatures, the caller is expected to digest the actual data and pass in the result\nof the digest as the datafile. The name of the digest should be specified on the end of the\ncommand line as \"hash=\".\n\nThe key ID indicates the key to use; pass is a placeholder for future password provision and\nshould be \"0\" for the moment; datafile is the unencrypted data to be encrypted, signed or to\nhave its signature checked; encfile is a file containing encrypted data; and sigfile is a\nfile containing a signature.\n\nA list of parameters in \"key[=val]\" form can be included on the end of the command line.\nThese specify things like the digest algorithm used (\"hash=\") or the encoding form\n(\"enc=\").\n\nk=`keyctl padd asymmetric \"\" @s foo.enc\nkeyctl pkeydecrypt $k 0 foo.enc enc=pkcs1 >foo.hash\nkeyctl pkeysign $k 0 foo.hash enc=pkcs1 hash=sha256 >foo.sig\nkeyctl pkeyverify $k 0 foo.hash foo.sig enc=pkcs1 hash=sha256\n\nSee asymmetric-key(7) for more information.\n\n" } ] }, "ERRORS": { "content": "There are a number of common errors returned by this program:\n\n\"Not a directory\" - a key wasn't a keyring.\n\n\"Requested key not found\" - the looked for key isn't available.\n\n\"Key has been revoked\" - a revoked key was accessed.\n\n\"Key has expired\" - an expired key was accessed.\n\n\"Permission denied\" - permission was denied by a UID/GID/mask combination.\n", "subsections": [] }, "SEE ALSO": { "content": "keyctl(1), keyctl(2), requestkey(2), keyctl(3), request-key.conf(5), keyrings(7),\nrequest-key(8)\n\n\n\nLinux 20 Feb 2014 KEYCTL(1)", "subsections": [] } }, "summary": "keyctl - key management facility control", "flags": [], "examples": [], "see_also": [ { "name": "keyctl", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/keyctl/1/json" }, { "name": "keyctl", "section": "2", "url": "https://www.chedong.com/phpMan.php/man/keyctl/2/json" }, { "name": "requestkey", "section": "2", "url": "https://www.chedong.com/phpMan.php/man/requestkey/2/json" }, { "name": "keyctl", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/keyctl/3/json" }, { "name": "request-key.conf", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/request-key.conf/5/json" }, { "name": "keyrings", "section": "7", "url": "https://www.chedong.com/phpMan.php/man/keyrings/7/json" }, { "name": "request-key", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/request-key/8/json" } ], "tldr": { "source": "official", "description": "Manipulate the Linux kernel keyring.", "examples": [ { "description": "List keys in a specific keyring", "command": "keyctl list {{target_keyring}}" }, { "description": "List current keys in the user default session", "command": "keyctl list {{@us}}" }, { "description": "Store a key in a specific keyring", "command": "keyctl add {{type_keyring}} {{key_name}} {{key_value}} {{target_keyring}}" }, { "description": "Store a key with its value from `stdin`", "command": "echo -n {{key_value}} | keyctl padd {{type_keyring}} {{key_name}} {{target_keyring}}" }, { "description": "Put a timeout on a key", "command": "keyctl timeout {{key_name}} {{timeout_in_seconds}}" }, { "description": "Read a key and format it as a hex-dump if not printable", "command": "keyctl read {{key_name}}" }, { "description": "Read a key and format as-is", "command": "keyctl pipe {{key_name}}" }, { "description": "Revoke a key and prevent any further action on it", "command": "keyctl revoke {{key_name}}" } ] } }