Introduction to keyutils

Keyutils is a set of utilities for managing the key retention facility in the kernel, which can be used by filesystems, block devices and more to gain and retain the authorization and encryption keys required to perform secure operations.

This package is known to build and work properly using an LFS 12.1 platform.

Package Information

Keyutils Dependencies


lsb-tools-0.12 (referred by the test suite)

Kernel Configuration

If running the test suite, some tests needs the following kernel features enabled:

Security options --->
  [*] Enable access key retention support                                 [KEYS]
  [*]   Large payload keys                                            [BIG_KEYS]
  [*]   Diffie-Hellman operations on retained keys           [KEY_DH_OPERATIONS]

-*- Cryptographic API --->                                              [CRYPTO]
  Public-key cryptography --->
    <*/M> RSA (Rivest-Shamir-Adleman)                               [CRYPTO_RSA]
  [*] Asymmetric (public-key cryptographic) key type --->  [ASYMMETRIC_KEY_TYPE]
    <*> Asymmetric public-key crypto algorithm subtype
                                            ...  [ASYMMETRIC_PUBLIC_KEY_SUBTYPE]
    # If not built into the kernel, [SYSTEM_TRUSTED_KEYRING] won't show up;
    # building as a module won't work:
    <*>   X.509 certificate parser                     [X509_CERTIFICATE_PARSER]
  Certificates for signature checking --->
    [*] Provide system-wide ring of trusted keys        [SYSTEM_TRUSTED_KEYRING]
    [*]   Provide a keyring to which extra trustable keys may be added
                                                ...  [SECONDARY_TRUSTED_KEYRING]
    [*] Provide system-wide ring of blacklisted keys  [SYSTEM_BLACKLIST_KEYRING]

Library routines --->
  Crypto library routines --->
    # If not built into the kernel, [BIG_KEYS] won't show up;
    # building as a module won't work:
    <*> ChaCha20-Poly1305 AEAD support (8-byte nonce library version)
                                              ...  [CRYPTO_LIB_CHACHA20POLY1305]

Installation of keyutils

Install keyutils by running the following commands:


Now, as the root user:

make NO_ARLIB=1 LIBDIR=/usr/lib BINDIR=/usr/bin SBINDIR=/usr/sbin install

The test suite can only run after installing this package. To test the results, issue, as the root user:

make -k test

If lsb-tools-0.12 is not installed, the test suite will output some lines complaining the lsb_release command not available but it won't affect the test result. One test named TRY ADDING ASYMMETRIC KEYS is known to fail due to the removal of the support for SHA1 with RSA signature algorithm from Linux kernel version 6.7 or newer.

Command Explanations

NO_ARLIB=1: This make flag disables installing the static library.

Configuring keyutils

Config Files

/etc/request-key.conf and /etc/request-key.d/*


Installed Programs: keyctl, key.dns_resolver, and request-key
Installed Library:
Installed Directory: /etc/keyutils, /etc/request-key.d, and /usr/share/keyutils

Short Descriptions


controls the key management facility with a variety of subcommands


is invoked by request-key on behalf of the kernel when kernel services (such as NFS, CIFS and AFS) need to perform a hostname lookup and the kernel does not have the key cached. It is not ordinarily intended to be called directly


is invoked by the kernel when the kernel is asked for a key that it doesn't have immediately available. The kernel creates a temporary key and then calls out to this program to instantiate it. It is not intended to be called directly

contains the keyutils library API instantiation