keyrings(7)              Miscellaneous Information Manual              keyrings(7)

NAME
       keyrings - in-kernel key management and retention facility

DESCRIPTION
       The Linux key-management facility is primarily a way for various kernel
       components to retain or cache security data, authentication keys,
       encryption keys, and other data in the kernel.

       System call interfaces are provided so that user-space programs can
       manage those objects and also use the facility for their own purposes;
       see add_key(2), request_key(2), and keyctl(2).

       A library and some user-space utilities are provided to allow access to
       the facility.  See keyctl(1), keyctl(3), and keyutils(7) for more
       information.

   Keys
       A key has the following attributes:

       Serial number (ID)
              This is a unique integer handle by which a key is referred to in
              system calls.  The serial number is sometimes synonymously
              referred to as the key ID.  Programmatically, key serial numbers
              are represented using the type key_serial_t.

       Type   A key's type defines what sort of data can be held in the key,
              how the proposed content of the key will be parsed, and how the
              payload will be used.

              There are a number of general-purpose types available, plus some
              specialist types defined by specific kernel components.

       Description (name)
              The key description is a printable string that is used as the
              search term for the key (in conjunction with the key type) as
              well as a display name.  During searches, the description may be
              partially matched or exactly matched.

       Payload (data)
              The payload is the actual content of a key.  This is usually set
              when a key is created, but it is possible for the kernel to
              generate the payload itself.

              For example, the payload of a "user" key is a blob of arbitrary
              data; the payload of a "keyring" key is a list of keys.

       Access rights
              Much as files do, each key has an owning user ID, an owning
              group ID, and a security label.  Each key also has a set of
              permissions, though there are more than for a normal UNIX file,
              and there is an additional category--possessor--beyond the usual
              user, group, and other (see Possession, below).

              Note that keys are quota controlled, since they require
              unswappable kernel memory.  The owning user ID specifies whose
              quota is to be debited.

       Expiration time
              Each key can have an expiration time set.  When that time is
              reached, the key is marked as being expired and accesses to it
              fail with the error EKEYEXPIRED.  If not deleted, updated, or
              replaced, then, after a set amount of time, an expired key is
              automatically removed (garbage collected) along with all links
              to it, and attempts to access the key fail with the error
              ENOKEY.

       Reference count
              Each key has a reference count.  Keys are referenced by
              keyrings, by currently active users, and by a process's
              credentials.  When the reference count reaches zero, the key is
              scheduled for garbage collection.

   Key types
       The kernel provides several basic types of key:

       "keyring"
              Keyrings are special keys which store a set of links to other
              keys (including other keyrings), analogous to a directory
              holding links to files.  The main purpose of a keyring is to
              prevent other keys from being garbage collected because nothing
              refers to them.

              Keyrings with descriptions (names) that begin with a period
              ('.') are reserved to the implementation.

       "user" This is a general-purpose key type.  The key is kept entirely
              within kernel memory.  The payload may be read and updated by
              user-space applications.

              The payload for keys of this type is a blob of arbitrary data of
              up to 32,767 bytes.

              The description may be any valid string, though it is preferred
              that it start with a colon-delimited prefix representing the
              service to which the key is of interest (for instance
              "afs:mykey").

       "logon" (since Linux 3.3)
              This key type is essentially the same as "user", but it does not
              provide reading (i.e., the keyctl(2) KEYCTL_READ operation),
              meaning that the key payload is never visible from user space.
              This is suitable for storing username-password pairs that should
              not be readable from user space.

              The description of a "logon" key must start with a non-empty
              colon-delimited prefix whose purpose is to identify the service
              to which the key belongs.  (Note that this differs from keys of
              the "user" type, where the inclusion of a prefix is recommended
              but is not enforced.)

       "big_key" (since Linux 3.13)
              This key type is similar to the "user" key type, but it may hold
              a payload of up to 1 MiB in size.  This key type is useful for
              purposes such as holding Kerberos ticket caches.

              The payload data may be stored in a tmpfs filesystem, rather
              than in kernel memory, if the data size exceeds the overhead of
              storing the data in the filesystem.  (Storing the data in a
              filesystem requires filesystem structures to be allocated in the
              kernel.  The size of these structures determines the size
              threshold above which the tmpfs storage method is used.)  Since
              Linux 4.8, the payload data is encrypted when stored in tmpfs,
              thereby preventing it from being written unencrypted into swap
              space.

       There are more specialized key types available also, but they aren't
       discussed here because they aren't intended for normal user-space use.

       Key type names that begin with a period ('.') are reserved to the
       implementation.

   Keyrings
       As previously mentioned, keyrings are a special type of key that
       contain links to other keys (which may include other keyrings).  Keys
       may be linked to by multiple keyrings.  Keyrings may be considered as
       analogous to UNIX directories where each directory contains a set of
       hard links to files.

       Various operations (system calls) may be applied only to keyrings:

       Adding A key may be added to a keyring by system calls that create
              keys.  This prevents the new key from being immediately deleted
              when the system call releases its last reference to the key.

       Linking
              A link may be added to a keyring pointing to a key that is
              already known, provided this does not create a self-referential
              cycle.

       Unlinking
              A link may be removed from a keyring.  When the last link to a
              key is removed, that key will be scheduled for deletion by the
              garbage collector.

       Clearing
              All the links may be removed from a keyring.

       Searching
              A keyring may be considered the root of a tree or subtree in
              which keyrings form the branches and non-keyrings the leaves.
              This tree may be searched for a key matching a particular type
              and description.

       See keyctl_clear(3), keyctl_link(3), keyctl_search(3), and
       keyctl_unlink(3) for more information.

   Anchoring keys
       To prevent a key from being garbage collected, it must be anchored to
       keep its reference count elevated when it is not in active use by the
       kernel.
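       The following is an added example and is not part of this manual page
       or of the keyutils library.  It exercises the points above from C using
       the raw add_key(2) and keyctl(2) system calls through syscall(2) (no
       libkeyutils needed): a new key is anchored by adding it to the calling
       thread's keyring ("Adding" above), a "logon" key is shown to refuse
       KEYCTL_READ, and a "user" key has the rights that add_key(2) grants to
       its owner removed so that only the possessor can read it.  The KEYCTL_*
       and KEY_SPEC_* values mirror <linux/keyctl.h>; the payloads, the
       descriptions "example:svc" and "example:token", and the KEYS_UNAVAILABLE
       marker are this example's own.  Kernels or sandboxes that refuse the key
       system calls (for instance a seccomp profile) are reported rather than
       treated as a failure.

```c
/* Added example, not from keyrings(7) or keyutils.  Constants mirror
 * <linux/keyctl.h>; KEYS_UNAVAILABLE and all names are this example's own. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

typedef int32_t key_serial_t;

#define KEY_SPEC_THREAD_KEYRING  (-1)
#define KEYCTL_SETPERM           5
#define KEYCTL_UNLINK            9
#define KEYCTL_READ              11
#define KEY_POS_ALL              0x3f000000L  /* possessor: view,read,write,search,link,setattr */

#define KEYS_UNAVAILABLE (-2)   /* key syscalls absent or refused in this environment */

#if defined(__linux__) && defined(SYS_add_key) && defined(SYS_keyctl)
static key_serial_t sys_add_key(const char *type, const char *desc,
                                const void *payload, size_t plen, key_serial_t ring)
{
    return (key_serial_t)syscall(SYS_add_key, type, desc, payload, (long)plen, (long)ring);
}
static long sys_keyctl(int op, long a, long b, long c, long d)
{
    return syscall(SYS_keyctl, op, a, b, c, d);
}
#else
static key_serial_t sys_add_key(const char *t, const char *d, const void *p, size_t n, key_serial_t r)
{ (void)t; (void)d; (void)p; (void)n; (void)r; errno = ENOSYS; return -1; }
static long sys_keyctl(int op, long a, long b, long c, long d)
{ (void)op; (void)a; (void)b; (void)c; (void)d; errno = ENOSYS; return -1; }
#endif

static int keys_unavailable(void)
{
    return errno == ENOSYS || errno == EPERM || errno == EACCES;
}

/* Unlinking the only link drops the key's last reference; the garbage
 * collector then removes it (see "Unlinking" above). */
static void drop_key(key_serial_t key)
{
    sys_keyctl(KEYCTL_UNLINK, key, KEY_SPEC_THREAD_KEYRING, 0, 0);
}

/* Returns 1 if KEYCTL_READ on a "logon" key fails with EOPNOTSUPP (the payload
 * never reaches user space), 0 if it could be read, KEYS_UNAVAILABLE if the
 * key system calls cannot be used here. */
int logon_payload_is_unreadable(void)
{
    const char secret[] = "alice:hunter2";           /* constructed credential */
    key_serial_t key = sys_add_key("logon", "example:svc", secret,
                                   sizeof secret - 1, KEY_SPEC_THREAD_KEYRING);
    if (key < 0)
        return keys_unavailable() ? KEYS_UNAVAILABLE : 0;

    char buf[64];
    long n = sys_keyctl(KEYCTL_READ, key, (long)buf, (long)sizeof buf, 0);
    int denied = (n < 0 && errno == EOPNOTSUPP);
    drop_key(key);
    return denied;
}

/* Creates a "user" key, keeps only the possessor rights, and reads it back.
 * The thread keyring is possessed by its thread, so a key linked from it is
 * possessed too and the read succeeds even though the owner byte is now 0.
 * Returns the payload length, -1 on an unexpected error, or KEYS_UNAVAILABLE. */
int user_key_possessor_round_trip(char *out, size_t outlen)
{
    const char secret[] = "s3cret-data";              /* constructed payload */
    key_serial_t key = sys_add_key("user", "example:token", secret,
                                   sizeof secret - 1, KEY_SPEC_THREAD_KEYRING);
    if (key < 0)
        return keys_unavailable() ? KEYS_UNAVAILABLE : -1;

    if (sys_keyctl(KEYCTL_SETPERM, key, KEY_POS_ALL, 0, 0) < 0) {
        drop_key(key);
        return -1;
    }
    long n = sys_keyctl(KEYCTL_READ, key, (long)out, (long)outlen, 0);
    drop_key(key);
    if (n < 0)
        return -1;
    if ((size_t)n < outlen)
        out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[64];
    int r = logon_payload_is_unreadable();
    if (r == KEYS_UNAVAILABLE) {
        puts("key system calls unavailable here (kernel or sandbox policy)");
        return 0;
    }
    printf("logon payload hidden from KEYCTL_READ: %s\n", r == 1 ? "yes" : "NO");
    int n = user_key_possessor_round_trip(buf, sizeof buf);
    printf("user key read back as possessor: %d bytes (\"%s\")\n", n, n > 0 ? buf : "");
    return 0;
}
```

       The key is created with KEY_SPEC_THREAD_KEYRING rather than the session
       keyring so that nothing outlives the example; keys added this way are
       also visible in /proc/keys (see FILES) while the program runs.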
       Keyrings are used to anchor other keys: each link is a reference on a
       key.  Note that keyrings themselves are just keys and are also subject
       to the same anchoring requirement to prevent them being garbage
       collected.

       The kernel makes available a number of anchor keyrings.  Note that some
       of these keyrings will only be created when first accessed.

       Process keyrings
              Process credentials themselves reference keyrings with specific
              semantics.  These keyrings are pinned as long as the set of
              credentials exists, which is usually as long as the process
              exists.

              There are three keyrings with different inheritance/sharing
              rules: the session-keyring(7) (inherited and shared by all child
              processes), the process-keyring(7) (shared by all threads in a
              process) and the thread-keyring(7) (specific to a particular
              thread).

              As an alternative to using the actual keyring ID, in calls to
              add_key(2), keyctl(2), and request_key(2), the special keyring
              values KEY_SPEC_SESSION_KEYRING, KEY_SPEC_PROCESS_KEYRING, and
              KEY_SPEC_THREAD_KEYRING can be used to refer to the caller's own
              instances of these keyrings.

       User keyrings
              Each UID known to the kernel has a record that contains two
              keyrings: the user-keyring(7) and the user-session-keyring(7).
              These exist for as long as the UID record exists in the kernel.

              As an alternative to using the actual keyring ID, in calls to
              add_key(2), keyctl(2), and request_key(2), the special keyring
              values KEY_SPEC_USER_KEYRING and KEY_SPEC_USER_SESSION_KEYRING
              can be used to refer to the caller's own instances of these
              keyrings.

              A link to the user keyring is placed in a new session keyring by
              pam_keyinit(8) when a new login session is initiated.

       Persistent keyrings
              There is a persistent-keyring(7) available to each UID known to
              the system.  It may persist beyond the life of the UID record
              previously mentioned, but has an expiration time set such that
              it is automatically cleaned up after a set time.  The persistent
              keyring permits, for example, cron(8) scripts to use credentials
              that are left in the persistent keyring after the user logs out.

              Note that the expiration time of the persistent keyring is reset
              every time the persistent key is requested.

       Special keyrings
              There are special keyrings owned by the kernel that can anchor
              keys for special purposes.  An example of this is the system
              keyring used for holding encryption keys for module signature
              verification.

              These special keyrings are usually closed to direct alteration
              by user space.

       An originally planned "group keyring", for storing keys associated with
       each GID known to the kernel, is not so far implemented and is unlikely
       to be implemented.  Nevertheless, the constant KEY_SPEC_GROUP_KEYRING
       has been defined for this keyring.

   Possession
       The concept of possession is important to understanding the keyrings
       security model.  Whether a thread possesses a key is determined by the
       following rules:

       (1)  Any key or keyring that does not grant search permission to the
            caller is ignored in all the following rules.

       (2)  A thread possesses its session-keyring(7), process-keyring(7), and
            thread-keyring(7) directly because those keyrings are referred to
            by its credentials.

       (3)  If a keyring is possessed, then any key it links to is also
            possessed.

       (4)  If any key a keyring links to is itself a keyring, then rule (3)
            applies recursively.

       (5)  If a process is upcalled from the kernel to instantiate a key (see
            request_key(2)), then it also possesses the requester's keyrings
            as in rule (1) as if it were the requester.

       Note that possession is not a fundamental property of a key, but must
       rather be calculated each time the key is needed.

       Possession is designed to allow set-user-ID programs run from, say, a
       user's shell to access the user's keys.  Granting permissions to the
       key possessor while denying them to the key owner and group allows the
       prevention of access to keys on the basis of UID and GID matches.

       When it creates the session keyring, pam_keyinit(8) adds a link to the
       user-keyring(7), thus making the user keyring and anything it contains
       possessed by default.

   Access rights
       Each key has the following security-related attributes:

       o  The owning user ID
       o  The ID of a group that is permitted to access the key
       o  A security label
       o  A permissions mask

       The permissions mask contains four sets of rights.  The first three
       sets are mutually exclusive.  One and only one will be in force for a
       particular access check.  In order of descending priority, these three
       sets are:

       user   The set specifies the rights granted if the key's user ID
              matches the caller's filesystem user ID.

       group  The set specifies the rights granted if the user ID didn't match
              and the key's group ID matches the caller's filesystem GID or
              one of the caller's supplementary group IDs.

       other  The set specifies the rights granted if neither the key's user
              ID nor group ID matched.

       The fourth set of rights is:

       possessor
              The set specifies the rights granted if a key is determined to
              be possessed by the caller.

       The complete set of rights for a key is the union of whichever of the
       first three sets is applicable plus the fourth set if the key is
       possessed.

       The set of rights that may be granted in each of the four masks is as
       follows:

       view   The attributes of the key may be read.  This includes the type,
              description, and access rights (excluding the security label).

       read   For a key: the payload of the key may be read.  For a keyring:
              the list of serial numbers (keys) to which the keyring has links
              may be read.

       write  The payload of the key may be updated and the key may be
              revoked.  For a keyring, keys may be linked to or unlinked from
              the keyring, and the keyring may be cleared completely (all
              links removed).

       search For a key (or a keyring): the key may be found by a search.  For
              a keyring: keys and keyrings that are linked to by the keyring
              may be searched.

       link   Links may be created from keyrings to the key.  The initial link
              to a key that is established when the key is created doesn't
              require this permission.

       setattr
              The ownership details and security label of the key may be
              changed, the key's expiration time may be set, and the key may
              be revoked.

       In addition to access rights, any active Linux Security Module (LSM)
       may prevent access to a key if its policy so dictates.  A key may be
       given a security label or other attribute by the LSM; this label is
       retrievable via keyctl_get_security(3).

       See keyctl_chown(3), keyctl_describe(3), keyctl_get_security(3),
       keyctl_setperm(3), and selinux(8) for more information.

   Searching for keys
       One of the key features of the Linux key-management facility is the
       ability to find a key that a process is retaining.  The request_key(2)
       system call is the primary point of access for user-space applications
       to find a key.  (Internally, the kernel has something similar available
       for use by internal components that make use of keys.)

       The search algorithm works as follows:

       (1)  The process keyrings are searched in the following order: the
            thread-keyring(7) if it exists, the process-keyring(7) if it
            exists, and then either the session-keyring(7) if it exists or the
            user-session-keyring(7) if that exists.

       (2)  If the caller was a process that was invoked by the request_key(2)
            upcall mechanism, then the keyrings of the original caller of
            request_key(2) will be searched as well.

       (3)  The search of a keyring tree is in breadth-first order: each
            keyring is searched first for a match, then the keyrings referred
            to by that keyring are searched.

       (4)  If a matching key is found that is valid, then the search
            terminates and that key is returned.

       (5)  If a matching key is found that has an error state attached, that
            error state is noted and the search continues.

       (6)  If no valid matching key is found, then the first noted error
            state is returned; otherwise, an ENOKEY error is returned.

       It is also possible to search a specific keyring, in which case only
       steps (3) to (6) apply.

       See request_key(2) and keyctl_search(3) for more information.

   On-demand key creation
       If a key cannot be found, request_key(2) will, if given a callout_info
       argument, create a new key and then upcall user space to instantiate
       the key.  This allows keys to be created on an as-needed basis.

       Typically, this will involve the kernel creating a new process that
       executes the request-key(8) program, which will then execute the
       appropriate handler based on its configuration.

       The handler is passed a special authorization key that allows it and
       only it to instantiate the new key.  This is also used to permit
       searches performed by the handler program to also search the
       requester's keyrings.

       See request_key(2), keyctl_assume_authority(3), keyctl_instantiate(3),
       keyctl_negate(3), keyctl_reject(3), request-key(8), and
       request-key.conf(5) for more information.

   Users
       The Linux key-management facility has a number of users and usages,
       but is not limited to those that already exist.

       In-kernel users of this facility include:

       Network filesystems - DNS
              The kernel uses the upcall mechanism provided by the keys to
              upcall to user space to do DNS lookups and then to cache the
              results.

       AF_RXRPC and kAFS - Authentication
              The AF_RXRPC network protocol and the in-kernel AFS filesystem
              use keys to store the ticket needed to do secured or encrypted
              traffic.  These are then looked up by network operations on
              AF_RXRPC and filesystem operations on kAFS.

       NFS - User ID mapping
              The NFS filesystem uses keys to store mappings of foreign user
              IDs to local user IDs.

       CIFS - Password
              The CIFS filesystem uses keys to store passwords for accessing
              remote shares.

       Module verification
              The kernel build process can be made to cryptographically sign
              modules.  That signature is then checked when a module is
              loaded.

       User-space users of this facility include:

       Kerberos key storage
              The MIT Kerberos 5 facility (libkrb5) can use keys to store
              authentication tokens which can be made to be automatically
              cleaned up a set time after the user last uses them, but until
              then permits them to hang around after the user logs out so that
              cron(8) scripts can use them.

FILES
       The kernel provides various /proc files that expose information about
       keys or define limits on key usage.
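       The following is an added example, not part of this manual page or of
       keyutils, that ties the Access rights rules above to the /proc/keys
       listing described next: it parses lines in the /proc/keys format (nine
       columns: ID, flags, usage, timeout, permissions, UID, GID, type,
       description) and computes, for a given caller, the rights the
       permission mask grants on each key.  Exactly one of the user, group and
       other bytes applies (user first); the possessor byte is OR'd in when the
       caller possesses the key.  Three sample lines are taken from the
       /proc/keys listing shown under FILES; the fourth (0b3d5e7f,
       "afs:mykey") is a constructed key with permission mask 3f3f3f3f, that
       is, every right granted to everybody.  Struct and function names are
       this example's own.

```c
/* Added example, not part of keyrings(7) or keyutils.  Parses /proc/keys
 * lines and applies the user/group/other + possessor rights algorithm. */
#include <stdio.h>
#include <string.h>

#define KEY_READ 0x02   /* bit values as in the page: 0x01 view ... 0x20 setattr */

struct proc_key {
    unsigned id, usage, perm, uid;
    int gid;                        /* -1 means the key has no group */
    char flags[8], timeout[16], type[32], desc[128], extra[32];
};

struct caller {
    unsigned fsuid, fsgid;
    const unsigned *groups;         /* supplementary GIDs */
    size_t ngroups;
    int possesses;                  /* 1 if the key is reachable from a possessed keyring */
};

/* Returns 0 on success, -1 if the line does not carry the nine columns. */
int parse_proc_keys_line(const char *line, struct proc_key *k)
{
    int n = 0;
    memset(k, 0, sizeof *k);
    if (sscanf(line, "%8x %7s %u %15s %8x %u %d %31s %n", &k->id, k->flags,
               &k->usage, k->timeout, &k->perm, &k->uid, &k->gid, k->type, &n) != 8)
        return -1;
    /* A description may itself contain ':' (krb_ccache:primary), so the
     * extra-info subfield starts after the LAST ": " of the remainder. */
    const char *rest = line + n, *sep = NULL;
    for (const char *p = rest; (p = strstr(p, ": ")) != NULL; p++)
        sep = p;
    size_t dlen = sep ? (size_t)(sep - rest) : strcspn(rest, "\n");
    if (dlen >= sizeof k->desc)
        dlen = sizeof k->desc - 1;
    memcpy(k->desc, rest, dlen);
    if (sep) {
        snprintf(k->extra, sizeof k->extra, "%s", sep + 2);
        k->extra[strcspn(k->extra, "\n")] = '\0';
    }
    return 0;
}

/* Rights byte that caller 'c' holds on key 'k'. */
unsigned effective_rights(const struct proc_key *k, const struct caller *c)
{
    unsigned rights;
    if (k->uid == c->fsuid) {
        rights = (k->perm >> 16) & 0xff;                      /* user byte */
    } else {
        int in_group = k->gid >= 0 && (unsigned)k->gid == c->fsgid;
        for (size_t i = 0; !in_group && i < c->ngroups; i++)
            in_group = k->gid >= 0 && (unsigned)k->gid == c->groups[i];
        rights = in_group ? (k->perm >> 8) & 0xff : k->perm & 0xff; /* group : other */
    }
    if (c->possesses)
        rights |= k->perm >> 24;                              /* possessor byte */
    return rights;
}

/* Prints and counts the keys in 'lines' whose payload 'c' may read. */
int readable_keys(const char *const *lines, size_t nlines, const struct caller *c)
{
    int count = 0;
    for (size_t i = 0; i < nlines; i++) {
        struct proc_key k;
        if (parse_proc_keys_line(lines[i], &k) < 0) {
            fprintf(stderr, "unparsable line: %s\n", lines[i]);
            continue;
        }
        if (effective_rights(&k, c) & KEY_READ) {
            printf("  %08x %-8s %-20s perm %08x\n", k.id, k.type, k.desc, k.perm);
            count++;
        }
    }
    return count;
}

/* Three lines from the page's listing plus one constructed key (0b3d5e7f)
 * whose mask 3f3f3f3f grants every right to everybody. */
static const char *const sample[] = {
    "009a2028 I--Q---     1 perm 3f010000  1000  1000 user      krb_ccache:primary: 12",
    "25d3a08f I--Q---     1 perm 1f3f0000  1000 65534 keyring   _uid_ses.1000: 1",
    "30a4e0be I------     4   2d 1f030000  1000 65534 keyring   _persistent.1000: 1",
    "0b3d5e7f I--Q---     1 perm 3f3f3f3f  1000  1000 user      afs:mykey: 24",
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

int main(void)
{
    struct caller stranger   = { 2000, 2000, NULL, 0, 0 }; /* unrelated UID, no possession */
    struct caller owner      = { 1000, 1000, NULL, 0, 0 }; /* UID match only */
    struct caller possessing = { 2000, 2000, NULL, 0, 1 }; /* e.g. a set-user-ID program that
                                                              possesses the user's keyrings */
    printf("stranger can read %d key(s)\n", readable_keys(sample, NSAMPLE, &stranger));
    printf("owner without possession can read %d key(s)\n", readable_keys(sample, NSAMPLE, &owner));
    printf("possessor with foreign UID can read %d key(s)\n", readable_keys(sample, NSAMPLE, &possessing));
    return 0;
}
```

       The third caller illustrates why the mask 3f010000 on most keys in the
       listing is the interesting one: the owner by UID alone gets view only,
       while anything that possesses the session keyring gets every right.
       Run the same check over the real /proc/keys to spot keys whose group or
       other byte unexpectedly contains the read bit.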
       /proc/keys (since Linux 2.6.10)
              This file exposes a list of the keys for which the reading
              thread has view permission, providing various information about
              each key.  The thread need not possess the key for it to be
              visible in this file.

              The only keys included in the list are those that grant view
              permission to the reading process (regardless of whether or not
              it possesses them).  LSM security checks are still performed,
              and may filter out further keys that the process is not
              authorized to view.

              An example of the data that one might see in this file (with the
              columns numbered for easy reference) is shown below:

                (1)     (2)     (3)(4)    (5)     (6)   (7)   (8)        (9)
              009a2028 I--Q---   1 perm 3f010000  1000  1000 user      krb_ccache:primary: 12
              1806c4ba I--Q---   1 perm 3f010000  1000  1000 keyring   _pid: 2
              25d3a08f I--Q---   1 perm 1f3f0000  1000 65534 keyring   _uid_ses.1000: 1
              28576bd8 I--Q---   3 perm 3f010000  1000  1000 keyring   _krb: 1
              2c546d21 I--Q--- 190 perm 3f030000  1000  1000 keyring   _ses: 2
              30a4e0be I------   4   2d 1f030000  1000 65534 keyring   _persistent.1000: 1
              32100fab I--Q---   4 perm 1f3f0000  1000 65534 keyring   _uid.1000: 2
              32a387ea I--Q---   1 perm 3f010000  1000  1000 keyring   _pid: 2
              3ce56aea I--Q---   5 perm 3f030000  1000  1000 keyring   _ses: 1

              The fields shown in each line of this file are as follows:

              ID (1) The ID (serial number) of the key, expressed in
                     hexadecimal.

              Flags (2)
                     A set of flags describing the state of the key:

                     I   The key has been instantiated.
                     R   The key has been revoked.
                     D   The key is dead (i.e., the key type has been
                         unregistered).  (A key may be briefly in this state
                         during garbage collection.)
                     Q   The key contributes to the user's quota.
                     U   The key is under construction via a callback to user
                         space; see request_key(2).
                     N   The key is negatively instantiated.
                     i   The key has been invalidated.

              Usage (3)
                     This is a count of the number of kernel credential
                     structures that are pinning the key (approximately: the
                     number of threads and open file references that refer to
                     this key).

              Timeout (4)
                     The amount of time until the key will expire, expressed
                     in human-readable form (weeks, days, hours, minutes, and
                     seconds).  The string perm here means that the key is
                     permanent (no timeout).  The string expd means that the
                     key has already expired, but has not yet been garbage
                     collected.

              Permissions (5)
                     The key permissions, expressed as four hexadecimal bytes
                     containing, from left to right, the possessor, user,
                     group, and other permissions.  Within each byte, the
                     permission bits are as follows:

                     0x01   view
                     0x02   read
                     0x04   write
                     0x08   search
                     0x10   link
                     0x20   setattr

              UID (6)
                     The user ID of the key owner.

              GID (7)
                     The group ID of the key.  The value -1 here means that
                     the key has no group ID; this can occur in certain
                     circumstances for keys created by the kernel.

              Type (8)
                     The key type (user, keyring, etc.)

              Description (9)
                     The key description (name).  This field contains
                     descriptive information about the key.  For most key
                     types, it has the form

                         name[: extra-info]

                     The name subfield is the key's description (name).  The
                     optional extra-info field provides some further
                     information about the key.  The information that appears
                     here depends on the key type, as follows:

                     "user" and "logon"
                            The size in bytes of the key payload (expressed in
                            decimal).

                     "keyring"
                            The number of keys linked to the keyring, or the
                            string empty if there are no keys linked to the
                            keyring.

                     "big_key"
                            The payload size in bytes, followed either by the
                            string [file], if the key payload exceeds the
                            threshold that means that the payload is stored in
                            a (swappable) tmpfs(5) filesystem, or otherwise
                            the string [buff], indicating that the key is
                            small enough to reside in kernel memory.

                     For the ".request_key_auth" key type (authorization key;
                     see request_key(2)), the description field has the form
                     shown in the following example:

                         key:c9a9b19 pid:28880 ci:10

                     The three subfields are as follows:

                     key    The ID of the key being instantiated.

                     pid    The PID of the requesting process.

                     ci     The length of the callout data with which the
                            requested key should be instantiated (i.e., the
                            length of the payload associated with the
                            authorization key).

       /proc/key-users (since Linux 2.6.10)
              This file lists various information for each user ID that has at
              least one key on the system.  An example of the data that one
              might see in this file is shown below:

                     0:    10 9/9 2/1000000 22/25000000
                    42:     9 9/9 8/200 106/20000
                  1000:    11 11/11 10/200 271/20000

              The fields shown in each line are as follows:

              uid    The user ID.

              usage  This is a kernel-internal usage count for the kernel
                     structure used to record key users.

              nkeys/nikeys
                     The total number of keys owned by the user, and the
                     number of those keys that have been instantiated.

              qnkeys/maxkeys
                     The number of keys owned by the user, and the maximum
                     number of keys that the user may own.

              qnbytes/maxbytes
                     The number of bytes consumed in payloads of the keys
                     owned by this user, and the upper limit on the number of
                     bytes in key payloads for that user.

       /proc/sys/kernel/keys/gc_delay (since Linux 2.6.32)
              The value in this file specifies the interval, in seconds, after
              which revoked and expired keys will be garbage collected.  The
              purpose of having such an interval is so that there is a window
              of time where user space can see an error (respectively
              EKEYREVOKED and EKEYEXPIRED) that indicates what happened to the
              key.

              The default value in this file is 300 (i.e., 5 minutes).

       /proc/sys/kernel/keys/persistent_keyring_expiry (since Linux 3.13)
              This file defines an interval, in seconds, to which the
              persistent keyring's expiration timer is reset each time the
              keyring is accessed (via keyctl_get_persistent(3) or the
              keyctl(2) KEYCTL_GET_PERSISTENT operation).

              The default value in this file is 259200 (i.e., 3 days).

       The following files (which are writable by privileged processes) are
       used to enforce quotas on the number of keys and number of bytes of
       data that can be stored in key payloads:

       /proc/sys/kernel/keys/maxbytes (since Linux 2.6.26)
              This is the maximum number of bytes of data that a nonroot user
              can hold in the payloads of the keys owned by the user.

              The default value in this file is 20,000.

       /proc/sys/kernel/keys/maxkeys (since Linux 2.6.26)
              This is the maximum number of keys that a nonroot user may own.

              The default value in this file is 200.

       /proc/sys/kernel/keys/root_maxbytes (since Linux 2.6.26)
              This is the maximum number of bytes of data that the root user
              (UID 0 in the root user namespace) can hold in the payloads of
              the keys owned by root.

              The default value in this file is 25,000,000 (20,000 before
              Linux 3.17).

       /proc/sys/kernel/keys/root_maxkeys (since Linux 2.6.26)
              This is the maximum number of keys that the root user (UID 0 in
              the root user namespace) may own.
              The default value in this file is 1,000,000 (200 before Linux
              3.17).

       With respect to keyrings, note that each link in a keyring consumes 4
       bytes of the keyring payload.

SEE ALSO
       keyctl(1), add_key(2), keyctl(2), request_key(2), keyctl(3),
       keyutils(7), persistent-keyring(7), process-keyring(7),
       session-keyring(7), thread-keyring(7), user-keyring(7),
       user-session-keyring(7), pam_keyinit(8), request-key(8)

       The kernel source file linux.git/Documentation/crypto/asymmetric-keys.txt
       and the files under the directory linux.git/Documentation/security/keys/.

TRANSLATION
       The Russian translation of this manual page was made by Alex Nik,
       Azamat Hackimov, Yuri Kozlov and Kirill Rekhov.

       This translation is free documentation; read the GNU General Public
       License (GPL), version 3 or later, for the copyright conditions.  There
       is NO WARRANTY.  If you find errors in the translation of this manual
       page, please send an e-mail to <>.

Linux 6.15                            17 2025                          keyrings(7)