PERSISTENT KEYRING(7) Kernel key management PERSISTENT KEYRING(7)NAME
persistent keyring - Per-user persistent keyring
The persistent keyring is a keyring used to anchor keys on behalf of a
user. Each UID the kernel deals with has its own persistent keyring
that is shared between all threads owned by that UID.
The persistent keyring is created on demand when a thread requests it.
The keyring's expiration timer is reset every time it is accessed to
the value in:
The persistent keyring is not searched by request_key() unless it is
referred to by a keyring that is.
The persistent keyring may not be accessed directly, even by processes
with the appropriate UID. Instead it must be linked to one of a
process's keyrings first before that keyring can access it by virtue of
its possessor permits. This is done with keyctl_get_persistent().
Persistent keyrings are independent of clone(), fork(), vfork(),
execve() and exit(). They persist until their expiration timers trig‐
ger - at which point they are garbage collected. This allows them to
carry keys beyond the life of the kernel's record of the corresponding
UID (the destruction of which results in the destruction of the user
and user session keyrings).
If a persistent keyring does not exist when it is accessed, it will be
The keyutils library provides a special operation for manipulating per‐
This operation allows the caller to get the persistent keyring
corresponding to their own UID or, if they have CAP_SETUID, the
persistent keyring corresponding to some other UID in the same
user-session-keyring(7)Linux 20 Feb 2014 PERSISTENT KEYRING(7)