Skip to content



add_key - adds a key to the kernel's key management facility


add_key is a system call that adds a new key to the kernel's key management facility. The purpose of the system call is to make it easier to use secure symmetric encryption without having to manage and/or store the encryption keys in plaintext. The system call can be used to add public and private keys, as well as binary blobs, as key payloads. After the key is added to the kernel, the key is assigned a unique serial number and stored in secure memory for use.

There are some drawbacks to using add_key. Firstly, the size of the payload being added must be less than 768 bytes. Secondly, there is a maximum of 58720 keys allowed in the kernel at any one time, so each key must be manually removed when no longer needed. Additionally, there is a limit of 32 processes that can concurrently access the same keyring.


  • type:const char*[K] - string identifying the type of the key.
  • description:const char*[K] - readable string specifying the purpose of the key.
  • payload:const void*[K] - the key payload, with a size limit of 768 bytes.
  • plen:size_t[K] - the size length of the key payload.
  • keyring:key_serial_t[U] - the ID of the keyring where the key will be stored. If set to -1, the default keyring will be used.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)






To trace usage of the add_key syscall.





To gather information about allocated keys.

Example Use Case

add_key can be used for securely storing passwords. For example, an application may have a "forgot password" feature, which would require the encryption of a password-reset key. Using add_key, this process can be securely done without ever having to store the key in plaintext.


The maximum size of the key payload is limited to 768 bytes. Additionally, the maximum amount of keys allowed in the kernel is limited to 58720, so any key that is no longer needed must be manually removed.

  • keyctl
  • keyctl_assume_authority
  • request_key

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.