add_key man page

add_key — add a key to the kernel's key management facility


#include <keyutils.h>

key_serial_t add_key(const char *type, const char *description,
 const void *payload, size_t plen,
 key_serial_t keyring);


add_key() asks the kernel to create or update a key of the given type and description, instantiate it with the payload of length plen, and to attach it to the nominated keyring and to return its serial number.

The key type may reject the data if it's in the wrong format or in some other way invalid.

If the destination keyring already contains a key that matches the specified type and description, then, if the key type supports it, that key will be updated rather than a new key being created; if not, a new key will be created and it will displace the link to the extant key from the keyring.

The destination keyring serial number may be that of a valid keyring to which the caller has write permission, or it may be a special keyring ID:

This specifies the caller's thread-specific keyring.
This specifies the caller's process-specific keyring.
This specifies the caller's session-specific keyring.
This specifies the caller's UID-specific keyring.
This specifies the caller's UID-session keyring.

Key Types

There are a number of key types available in the core key management code, and these can be specified to this function:

Keys of the user-defined key type may contain a blob of arbitrary data, and the description may be any valid string, though it is preferred that the description be prefixed with a string representing the service to which the key is of interest and a colon (for instance “afs:mykey”).
Keyrings are special key types that may contain links to sequences of other keys of any type. If this interface is used to create a keyring, then a NULL payload should be specified, and plen should be zero.

Return Value

On success add_key() returns the serial number of the key it created or updated. On error, the value -1 will be returned and errno will have been set to an appropriate error.


The keyring wasn't available for modification by the user.
The payload data was invalid.
The keyring has expired.
The keyring has been revoked.
The keyring doesn't exist.
Insufficient memory to create a key.
The key quota for this user would be exceeded by creating this key or linking it to the keyring.


Although this is a Linux system call, it is not present in libc but can be found rather in libkeyutils. When linking, -lkeyutils should be specified to the linker.

See Also

keyctl(1), keyctl(2), request_key(2), keyctl(3), keyrings(7)

Referenced By

keyctl(2), keyctl(3), keyctl_chown(3), keyctl_clear(3), keyctl_describe(3), keyctl_get_keyring_ID(3), keyctl_get_persistent(3), keyctl_get_security(3), keyctl_instantiate(3), keyctl_invalidate(3), keyctl_join_session_keyring(3), keyctl_link(3), keyctl_read(3), keyctl_revoke(3), keyctl_search(3), keyctl_session_to_parent(3), keyctl_setperm(3), keyctl_set_reqkey_keyring(3), keyctl_set_timeout(3), keyctl_update(3), keyutils(7), proc(5), request_key(2), syscalls(2).

Explore man page connections for add_key(2).