keyctl(1)



KEYCTL(1)               Linux Key Management Utilities               KEYCTL(1)

NAME
       keyctl - key management facility control

SYNOPSIS
       keyctl --version
       keyctl supports [<cap>]
       keyctl show [-x] [<keyring>]
       keyctl add <type> <desc> <data> <keyring>
       keyctl padd <type> <desc> <keyring>
       keyctl request <type> <desc> [<dest_keyring>]
       keyctl request2 <type> <desc> <info> [<dest_keyring>]
       keyctl prequest2 <type> <desc> [<dest_keyring>]
       keyctl update <key> <data>
       keyctl pupdate <key>
       keyctl newring <name> <keyring>
       keyctl revoke <key>
       keyctl clear <keyring>
       keyctl link <key> <keyring>
       keyctl unlink <key> [<keyring>]
       keyctl move [-f] <key> <from_keyring> <to_keyring>
       keyctl search <keyring> <type> <desc> [<dest_keyring>]
       keyctl restrict_keyring <keyring> [<type> [<restriction>]]
       keyctl read <key>
       keyctl pipe <key>
       keyctl print <key>
       keyctl list <keyring>
       keyctl rlist <keyring>
       keyctl describe <keyring>
       keyctl rdescribe <keyring> [sep]
       keyctl chown <key> <uid>
       keyctl chgrp <key> <gid>
       keyctl setperm <key> <mask>
       keyctl new_session
       keyctl session
       keyctl session - [<prog> <arg1> <arg2> ...]
       keyctl session <name> [<prog> <arg1> <arg2> ...]
       keyctl instantiate <key> <data> <keyring>
       keyctl pinstantiate <key> <keyring>
       keyctl negate <key> <timeout> <keyring>
       keyctl reject <key> <timeout> <error> <keyring>
       keyctl timeout <key> <timeout>
       keyctl security <key>
       keyctl reap [-v]
       keyctl purge <type>
       keyctl purge [-i] [-p] <type> <desc>
       keyctl purge -s <type> <desc>
       keyctl get_persistent <keyring> [<uid>]
       keyctl dh_compute <private> <prime> <base>
       keyctl   dh_compute_kdf   <private>   <prime>   <base>  <output_length>
       <hash_type>
       keyctl  dh_compute_kdf_oi  <private>  <prime>  <base>   <output_length>
       <hash_type>
       keyctl pkey_query <key> <pass> [k=v]*
       keyctl pkey_encrypt <key> <pass> <datafile> [k=v]* ><encfile>
       keyctl pkey_decrypt <key> <pass> <encfile> [k=v]* ><datafile>
       keyctl pkey_sign <key> <pass> <datafile> [k=v]* ><sigfile>
       keyctl pkey_decrypt <key> <pass> <datafile> <sigfile> [k=v]*

DESCRIPTION
       This  program is used to control the key management facility in various
       ways using a variety of subcommands.

KEY IDENTIFIERS
       The key identifiers passed to or returned from keyctl are, in  general,
       positive integers. There are, however, some special values with special
       meanings that can be passed as arguments:

       No key: 0

       Thread keyring: @t or -1
              Each thread may have its own keyring. This  is  searched  first,
              before  all  others.  The thread keyring is replaced by (v)fork,
              exec and clone.

       Process keyring: @p or -2
              Each process (thread group) may have its own  keyring.  This  is
              shared between all members of a group and will be searched after
              the thread keyring. The process keyring is replaced  by  (v)fork
              and exec.

       Session keyring: @s or -3
              Each  process  subscribes to a session keyring that is inherited
              across (v)fork, exec and  clone.  This  is  searched  after  the
              process  keyring.  Session  keyrings  can be named and an extant
              keyring can be joined in place of a  process's  current  session
              keyring.

       User specific keyring: @u or -4
              This keyring is shared between all the processes owned by a par-
              ticular user. It isn't searched directly, but is normally linked
              to from the session keyring.

       User default session keyring: @us or -5
              This is the default session keyring for a particular user. Login
              processes that change to a particular user  will  bind  to  this
              session until another session is set.

       Group specific keyring: @g or -6
              This  is a place holder for a group specific keyring, but is not
              actually implemented yet in the kernel.

       Assumed request_key authorisation key: @a or -7
              This selects the authorisation key provided to the request_key()
              helper to permit it to access the callers keyrings and instanti-
              ate the target key.

       Keyring by name: %:<name>
              A named keyring.  This will be searched  for  in  the  process's
              keyrings and in /proc/keys.

       Key by name: %<type>:<name>
              A named key of the given type.  This will be searched for in the
              process's keyrings and in /proc/keys.

COMMAND SYNTAX
       Any non-ambiguous shortening of a command name may be used in  lieu  of
       the full command name. This facility should not be used in scripting as
       new commands may be added in future that then cause ambiguity.

   Display the package version number
       keyctl --version

       This command prints the package version number and build date  and  ex-
       its:

              $ keyctl --version
              keyctl from keyutils-1.5.3 (Built 2011-08-24)

   Query subsystem capabilities
       keyctl supports [<cap>]

       This command can list the available capabilities:

              $ keyctl supports
              have_capabilities=0
              have_persistent_keyrings=1
              have_dh_compute=1
              have_public_key=1

       And it can query a capability:

              $ keyctl supports pkey
              echo $?
              0

       which  returns 0 if the capability is supported, 1 if it isn't and 3 if
       the name is not recognised.  The capabilities supported are:

       capabilities
              The kernel supports capability querying.  If not, the other  ca-
              pabilities will be queried as best libkeyutils can manage.

       persistent_keyrings
              The kernel supports persistent keyrings.

       dh_compute
              The kernel supports Diffie-Hellman computation operations.

       public_key
              The kernel supports public key operations.

       big_key_type
              The kernel supports the big_key key type.

       key_invalidate
              The kernel supports the invalidate key operaiton.

       restrict_keyring
              The kernel supports the restrict_keyring operation.

       move_key
              The kernel supports the move key operation.

   Show process keyrings
       keyctl show [-x] [<keyring>]

       By  default  this  command recursively shows what keyrings a process is
       subscribed to and what keys and keyrings they contain.  If a keyring is
       specified then that keyring will be dumped instead.  If -x is specified
       then the keyring IDs will be dumped in hex instead of decimal.

   Add a key to a keyring
       keyctl add <type> <desc> <data> <keyring>
       keyctl padd <type> <desc> <keyring>

       This command creates a key of the specified type and  description;  in-
       stantiates  it  with  the  given  data and attaches it to the specified
       keyring. It then prints the new key's ID on stdout:

              $ keyctl add user mykey stuff @u
              26

       The padd variant of the command reads the data from stdin  rather  than
       taking it from the command line:

              $ echo -n stuff | keyctl padd user mykey @u 26

   Request a key
       keyctl request <type> <desc> [<dest_keyring>]
       keyctl request2 <type> <desc> <info> [<dest_keyring>]
       keyctl prequest2 <type> <desc> [<dest_keyring>]

       These  three commands request the lookup of a key of the given type and
       description. The process's keyrings will be searched, and if a match is
       found  the matching key's ID will be printed to stdout; and if a desti-
       nation keyring is given, the key will be added to that keyring also.

       If there is no key, the first command  will  simply  return  the  error
       ENOKEY  and  fail.  The second and third commands will create a partial
       key with the type and description, and call  out  to  /sbin/request-key
       with  that  key  and the extra information supplied. This will then at-
       tempt to instantiate the key in some manner, such that a valid  key  is
       obtained.

       The  third command is like the second, except that the callout informa-
       tion is read from stdin rather than being passed on the command line.

       If a valid key is obtained, the ID will be printed and the key attached
       as if the original search had succeeded.

       If  there wasn't a valid key obtained, a temporary negative key will be
       attached to the destination keyring if given and the  error  "Requested
       key not available" will be given.

              $ keyctl request2 user debug:hello wibble
              23
              $ echo -n wibble | keyctl prequest2 user debug:hello
              23
              $ keyctl request user debug:hello
              23

   Update a key
       keyctl update <key> <data>
       keyctl pupdate <key>

       This  command  replaces  the  data  attached to a key with a new set of
       data. If the type of the key doesn't support update then error  "Opera-
       tion not supported" will be returned.

              $ keyctl update 23 zebra

       The  pupdate  variant  of  the command reads the data from stdin rather
       than taking it from the command line:

              $ echo -n zebra | keyctl pupdate 23

   Create a keyring
       keyctl newring <name> <keyring>

       This command creates a new keyring of the specified name  and  attaches
       it  to the specified keyring. The ID of the new keyring will be printed
       to stdout if successful.

              $ keyctl newring squelch @us
              27

   Revoke a key
       keyctl revoke <key>

       This command marks a key as being revoked. Any  further  operations  on
       that  key (apart from unlinking it) will return error "Key has been re-
       voked".

              $ keyctl revoke 26
              $ keyctl describe 26
              keyctl_describe: Key has been revoked

   Clear a keyring
       keyctl clear <keyring>

       This command unlinks all the keys attached to  the  specified  keyring.
       Error  "Not a directory" will be returned if the key specified is not a
       keyring.

              $ keyctl clear 27

   Link a key to a keyring
       keyctl link <key> <keyring>

       This command makes a link from the key to the keyring if there's enough
       capacity to do so. Error "Not a directory" will be returned if the des-
       tination is not a keyring. Error "Permission denied" will  be  returned
       if  the  key  doesn't  have link permission or the keyring doesn't have
       write permission. Error "File table overflow" will be returned  if  the
       keyring  is full. Error "Resource deadlock avoided" will be returned if
       an attempt was made to introduce a recursive link.

              $ keyctl link 23 27
              $ keyctl link 27 27
              keyctl_link: Resource deadlock avoided

   Unlink a key from a keyring or the session keyring tree
       keyctl unlink <key> [<keyring>]

       If the keyring is specified, this command removes a  link  to  the  key
       from  the keyring. Error "Not a directory" will be returned if the des-
       tination is not a keyring. Error "Permission denied" will  be  returned
       if  the  keyring  doesn't have write permission. Error "No such file or
       directory" will be returned if the key is not linked to by the keyring.

       If the keyring is not specified, this command  performs  a  depth-first
       search  of  the  session  keyring tree and removes all the links to the
       nominated key that it finds (and that it is permitted to  remove).   It
       prints the number of successful unlinks before exiting.

              $ keyctl unlink 23 27

   Move a key between keyrings.
       keyctl move  [-f] <key> <from_keyring> <to_keyring>

       This  command  moves a key from one keyring to another, atomically com-
       bining "keyctl unlink <key>  <from_keyring>"  and  "keyctl  link  <key>
       <to_keyring>".

       If  the  "-f"  flag is present, any matching key will be displaced from
       "to_keyring"; if not present, the command will fail with the error mes-
       sage "File exists" if the key would otherwise displace another key from
       "to_keyring".

              $ keyctl move 23 27 29
              $ keyctl move -f 71 @u @s

   Search a keyring
       keyctl search <keyring> <type> <desc> [<dest_keyring>]

       This command non-recursively searches a keyring for a key of a particu-
       lar  type  and description. If found, the ID of the key will be printed
       on stdout and the key will be attached to the  destination  keyring  if
       present.  Error  "Requested  key not available" will be returned if the
       key is not found.

              $ keyctl search @us user debug:hello
              23
              $ keyctl search @us user debug:bye
              keyctl_search: Requested key not available

   Restrict a keyring
       keyctl restrict_keyring <keyring> [<type> [<restriction>]]

       This command limits the linkage of keys to the given  keyring  using  a
       provided  restriction scheme. The scheme is associated with a given key
       type, with further details provided in the restriction  option  string.
       Options  typically  contain a restriction name possibly followed by key
       ids or other data relevant to the restriction. If no restriction scheme
       is provided, the keyring will reject all links.

              $ keyctl restrict_keyring $1 asymmetric builtin_trusted

   Read a key
       keyctl read <key>
       keyctl pipe <key>
       keyctl print <key>

       These commands read the payload of a key. "read" prints it on stdout as
       a hex dump, "pipe" dumps the raw data to stdout and "print" dumps it to
       stdout  directly if it's entirely printable or as a hexdump preceded by
       ":hex:" if not.

       If the key type does not support reading of  the  payload,  then  error
       "Operation not supported" will be returned.

              $ keyctl read 26
              1 bytes of data in key:
              62
              $ keyctl print 26
              b
              $ keyctl pipe 26
              $

   List a keyring
       keyctl list <keyring>
       keyctl rlist <keyring>

       These  commands  list the contents of a key as a keyring. "list" pretty
       prints the contents and "rlist" just produces a space-separated list of
       key IDs.

       No attempt is made to check that the specified keyring is a keyring.

              $ keyctl list @us
              2 keys in keyring:
                     22: vrwsl----------  4043    -1 keyring: _uid.4043
                     23: vrwsl----------  4043  4043 user: debug:hello
              $ keyctl rlist @us
              22 23

   Describe a key
       keyctl describe <keyring>
       keyctl rdescribe <keyring> [sep]

       These  commands  fetch  a  description  of a keyring. "describe" pretty
       prints the description in the same fashion as the "list" command; "rde-
       scribe" prints the raw data returned from the kernel.

              $ keyctl describe @us
                     -5: vrwsl----------  4043    -1 keyring: _uid_ses.4043
              $ keyctl rdescribe @us
              keyring;4043;-1;3f1f0000;_uid_ses.4043

       The raw string is "<type>;<uid>;<gid>;<perms>;<description>", where uid
       and gid are the decimal user and group IDs, perms  is  the  permissions
       mask  in  hex,  type  and description are the type name and description
       strings (neither of which will contain semicolons).

   Change the access controls on a key
       keyctl chown <key> <uid>
       keyctl chgrp <key> <gid>

       These two commands change the UID and GID associated with evaluating  a
       key's permissions mask. The UID also governs which quota a key is taken
       out of.

       The chown command is not currently supported; attempting it  will  earn
       the error "Operation not supported" at best.

       For  non-superuser  users, the GID may only be set to the process's GID
       or a GID in the process's groups list. The superuser may set any GID it
       likes.

              $ sudo keyctl chown 27 0
              keyctl_chown: Operation not supported
              $ sudo keyctl chgrp 27 0

   Set the permissions mask on a key
       keyctl setperm <key> <mask>

       This command changes the permission control mask on a key. The mask may
       be specified as a hex number if it begins "0x", an octal number  if  it
       begins "0" or a decimal number otherwise.

       The hex numbers are a combination of:

              Possessor UID       GID       Other     Permission Granted
              ========  ========  ========  ========  ==================
              01000000  00010000  00000100  00000001  View
              02000000  00020000  00000200  00000002  Read
              04000000  00040000  00000400  00000004  Write
              08000000  00080000  00000800  00000008  Search
              10000000  00100000  00001000  00000010  Link
              20000000  00200000  00002000  00000020  Set Attribute
              3f000000  003f0000  00003f00  0000003f  All

       View  permits the type, description and other parameters of a key to be
       viewed.

       Read permits the payload (or keyring list) to be read if  supported  by
       the type.

       Write permits the payload (or keyring list) to be modified or updated.

       Search  on  a  key permits it to be found when a keyring to which it is
       linked is searched.

       Link permits a key to be linked to a keyring.

       Set Attribute permits a key to have its owner, group  membership,  per-
       missions mask and timeout changed.

              $ keyctl setperm 27 0x1f1f1f00

   Start a new session with fresh keyrings
       keyctl session
       keyctl session - [<prog> <arg1> <arg2> ...]
       keyctl session <name> [<prog> <arg1> <arg2> ...]

       These  commands  join  or  create a new keyring and then run a shell or
       other program with that keyring as the session key.

       The variation with no  arguments  just  creates  an  anonymous  session
       keyring  and  attaches  that  as  the  session  keyring; it then exec's
       $SHELL.

       The variation with a dash in place of a name creates an anonymous  ses-
       sion  keyring  and attaches that as the session keyring; it then exec's
       the supplied command, or $SHELL if one isn't supplied.

       The variation with a name supplied creates or joins the  named  keyring
       and  attaches  that as the session keyring; it then exec's the supplied
       command, or $SHELL if one isn't supplied.

              $ keyctl rdescribe @s
              keyring;4043;-1;3f1f0000;_uid_ses.4043

              $ keyctl session
              Joined session keyring: 28

              $ keyctl rdescribe @s
              keyring;4043;4043;3f1f0000;_ses.24082

              $ keyctl session -
              Joined session keyring: 29
              $ keyctl rdescribe @s
              keyring;4043;4043;3f1f0000;_ses.24139

              $ keyctl session - keyctl rdescribe @s
              Joined session keyring: 30
              keyring;4043;4043;3f1f0000;_ses.24185

              $ keyctl session fish
              Joined session keyring: 34
              $ keyctl rdescribe @s
              keyring;4043;4043;3f1f0000;fish

              $ keyctl session fish keyctl rdesc @s
              Joined session keyring: 35
              keyring;4043;4043;3f1f0000;fish

   Instantiate a key
       keyctl instantiate <key> <data> <keyring>
       keyctl pinstantiate <key> <keyring>
       keyctl negate <key> <timeout> <keyring>
       keyctl reject <key> <timeout> <error> <keyring>

       These commands are used to attach data to a partially set  up  key  (as
       created  by the kernel and passed to /sbin/request-key).  "instantiate"
       marks a key as being valid  and  attaches  the  data  as  the  payload.
       "negate" and "reject" mark a key as invalid and sets a timeout on it so
       that it'll go away after a while.  This prevents a lot of  quickly  se-
       quential  requests  from slowing the system down overmuch when they all
       fail, as all subsequent requests will then fail with  error  "Requested
       key  not found" (if negated) or the specified error (if rejected) until
       the negative key has expired.

       Reject's error argument can either be a UNIX error  number  or  one  of
       'rejected', 'expired' or 'revoked'.

       The newly instantiated key will be attached to the specified keyring.

       These  commands may only be run from the program run by request-key - a
       special authorisation key is set up by the kernel and attached  to  the
       request-key's session keyring. This special key is revoked once the key
       to which it refers has been instantiated one way or another.

              $ keyctl instantiate $1 "Debug $3" $4
              $ keyctl negate $1 30 $4
              $ keyctl reject $1 30 64 $4

       The pinstantiate variant of the  command  reads  the  data  from  stdin
       rather than taking it from the command line:

              $ echo -n "Debug $3" | keyctl pinstantiate $1 $4

   Set the expiry time on a key
       keyctl timeout <key> <timeout>

       This  command is used to set the timeout on a key, or clear an existing
       timeout if the value specified is zero. The timeout is given as a  num-
       ber of seconds into the future.

              $ keyctl timeout $1 45

   Retrieve a key's security context
       keyctl security <key>

       This command is used to retrieve a key's LSM security context.  The la-
       bel is printed on stdout.

              $ keyctl security @s
              unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

   Give the parent process a new session keyring
       keyctl new_session

       This command is used to give the invoking process (typically a shell) a
       new session keyring, discarding its old session keyring.

              $  keyctl session foo
              Joined session keyring: 723488146
              $  keyctl show
              Session Keyring
                     -3 --alswrv      0     0  keyring: foo
              $  keyctl new_session
              490511412
              $  keyctl show
              Session Keyring
                     -3 --alswrv      0     0  keyring: _ses

       Note  that this affects the parent of the process that invokes the sys-
       tem call, and so may only affect processes with  matching  credentials.
       Furthermore,  the  change  does not take effect till the parent process
       next transitions from kernel space to user space - typically  when  the
       wait() system call returns.

   Remove dead keys from the session keyring tree
       keyctl reap

       This  command  performs  a  depth-first  search of the caller's session
       keyring tree and attempts to unlink any key that it finds that is inac-
       cessible due to expiry, revocation, rejection or negation.  It does not
       attempt to remove live keys that are unavailable simply due to  a  lack
       of granted permission.

       A  key  that is designated reapable will only be removed from a keyring
       if the caller has Write permission on that keyring, and  only  keyrings
       that grant Search permission to the caller will be searched.

       The  command  prints the number of keys reaped before it exits.  If the
       -v flag is passed then the reaped keys  are  listed  as  they're  being
       reaped, together with the success or failure of the unlink.

   Remove matching keys from the session keyring tree
       keyctl purge <type>
       keyctl purge [-i] [-p] <type> <desc>
       keyctl purge -s <type> <desc>

       These  commands  perform  a depth-first search to find matching keys in
       the caller's session keyring tree and attempts  to  unlink  them.   The
       number of keys successfully unlinked is printed at the end.

       The  keyrings  must  grant Read and View permission to the caller to be
       searched, and the keys to be removed must also grant  View  permission.
       Keys can only be removed from keyrings that grant Write permission.

       The first variant purges all keys of the specified type.

       The  second  variant  purges  all  keys of the specified type that also
       match the given description literally.  The -i flag allows a case-inde-
       pendent match and the -p flag allows a prefix match.

       The  third  variant  purges all keys of the specified type and matching
       description using the key type's comparator in the kernel to match  the
       description.   This  permits the key type to match a key with a variety
       of descriptions.

   Get persistent keyring
       keyctl get_persistent <keyring> [<uid>]

       This command gets the persistent keyring for either the current UID  or
       the  specified  UID and attaches it to the nominated keyring.  The per-
       sistent keyring's ID will be printed on stdout.

       The kernel will create the keyring if it doesn't exist and  every  time
       this  command  is  called,  will  reset  the  expiration timeout on the
       keyring to the value in:

              /proc/sys/kernel/keys/persistent_keyring_expiry

       (by default three days).  Should the timeout be reached, the persistent
       keyring will be removed and everything it pins can then be garbage col-
       lected.

       If a UID other than the process's real or effective UIDs is  specified,
       then an error will be given if the process does not have the CAP_SETUID
       capability.

   Compute a Diffie-Hellman shared secret or public key
       keyctl dh_compute <private> <prime> <base>

       This command computes either a Diffie-Hellman shared secret or the pub-
       lic key corresponding to the provided private key using the payloads of
       three keys. The computation is:

              base ^ private (mod prime)

       The three inputs must be user keys with read permission.  If  the  pro-
       vided base key contains the shared generator value, the public key will
       be computed.  If the provided base key contains the remote  public  key
       value, the shared secret will be computed.

       The result is printed to stdout as a hex dump.

              $ keyctl dh_compute $1 $2 $3
              8 bytes of data in result:
              00010203 04050607

   Compute a Diffie-Hellman shared secret and derive key material
       keyctl   dh_compute_kdf   <private>   <prime>   <base>  <output_length>
       <hash_type>

       This command computes a Diffie-Hellman shared secret  and  derives  key
       material  from the shared secret using a key derivation function (KDF).
       The shared secret is derived as outlined above and is input to the  KDF
       using  the specified hash type. The hash type must point to a hash name
       known to the kernel crypto API.

       The operation derives key material  of  the  length  specified  by  the
       caller.

       The operation is compliant to the specification of SP800-56A.

       The result is printed to stdout as hex dump.

   Compute a Diffie-Hellman shared secret and apply KDF with other input
       keyctl   dh_compute_kdf_oi  <private>  <prime>  <base>  <output_length>
       <hash_type>

       This command is identical to the command dh_compute_kdf to  generate  a
       Diffie-Hellman  shared  secret  followed by a key derivation operation.
       This command allows the caller to provide  the  other  input  data  (OI
       data) compliant to SP800-56A via stdin.

   Perform public-key operations with an asymmetric key
       keyctl pkey_query <key> <pass> [k=v]*
       keyctl pkey_encrypt <key> <pass> <datafile> [k=v]* > <encfile>
       keyctl pkey_decrypt <key> <pass> <encfile> [k=v]* > <datafile>
       keyctl pkey_sign <key> <pass> <datafile> [k=v]* > <sigfile>
       keyctl pkey_verify <key> <pass> <datafile> <sigfile> [k=v]*

       These  commands  query an asymmetric key, encrypt data with it, decrypt
       the encrypted data, generate a signature over some data and verify that
       signature.   For encrypt, decrypt and sign, the resulting data is writ-
       ten to stdout; verify reads the data and the signature files  and  com-
       pares them.

       [!]  NOTE  that the data is of very limited capacity, with no more bits
       than the size of the key.  For signatures, the caller  is  expected  to
       digest  the  actual  data  and  pass in the result of the digest as the
       datafile.  The name of the digest should be specified on the end of the
       command line as "hash=<name>".

       The  key  ID indicates the key to use; pass is a placeholder for future
       password provision and should be "0" for the moment;  datafile  is  the
       unencrypted  data  to  be  encrypted,  signed  or to have its signature
       checked; encfile is a file containing encrypted data; and sigfile is  a
       file containing a signature.

       A  list of parameters in "key[=val]" form can be included on the end of
       the command line.  These specify things like the digest algorithm  used
       ("hash=<name>") or the encoding form ("enc=<type>").

              k=`keyctl padd asymmetric "" @s <key.pkcs8.der`
              keyctl pkey_query $k 0 enc=pkcs1 hash=sha256
              keyctl pkey_encrypt $k 0 foo.hash enc=pkcs1 >foo.enc
              keyctl pkey_decrypt $k 0 foo.enc enc=pkcs1 >foo.hash
              keyctl pkey_sign $k 0 foo.hash enc=pkcs1 hash=sha256 >foo.sig
              keyctl pkey_verify $k 0 foo.hash foo.sig enc=pkcs1 hash=sha256

       See asymmetric-key(7) for more information.

ERRORS
       There are a number of common errors returned by this program:

       "Not a directory" - a key wasn't a keyring.

       "Requested key not found" - the looked for key isn't available.

       "Key has been revoked" - a revoked key was accessed.

       "Key has expired" - an expired key was accessed.

       "Permission  denied" - permission was denied by a UID/GID/mask combina-
       tion.

SEE ALSO
       keyctl(1), keyctl(2), request_key(2), keyctl(3), request-key.conf(5),
       keyrings(7), request-key(8)

Linux                             20 Feb 2014                        KEYCTL(1)

Man(1) output converted with man2html
list of all man pages