Introduction to keyutils
        
        
          Keyutils is a set of utilities for
          managing the key retention facility in the kernel, which can be
          used by filesystems, block devices and more to gain and retain the
          authorization and encryption keys required to perform secure
          operations.
        
        
          This package is known to build and work properly using an LFS 12.4
          platform.
        
        
          Package Information
        
        
        
          Keyutils Dependencies
        
        
          Optional
        
        
lsb-tools-0.12 (referred to by the test suite)
        
       
      
        
Kernel Configuration
        
        
If running the test suite, some tests need the following kernel
features enabled:
        
        Security options --->
  [*] Enable access key retention support                                 [KEYS]
  [*]   Large payload keys                                            [BIG_KEYS]
  [*]   Diffie-Hellman operations on retained keys           [KEY_DH_OPERATIONS]
-*- Cryptographic API --->                                              [CRYPTO]
  Public-key cryptography --->
    <*/M> RSA (Rivest-Shamir-Adleman)                               [CRYPTO_RSA]
  Hashes, digests, and MACs --->
    <*/M> SHA-1                                                    [CRYPTO_SHA1]
  [*] Asymmetric (public-key cryptographic) key type --->  [ASYMMETRIC_KEY_TYPE]
    <*> Asymmetric public-key crypto algorithm subtype
                                            ...  [ASYMMETRIC_PUBLIC_KEY_SUBTYPE]
    # If not built into the kernel, [SYSTEM_TRUSTED_KEYRING] won't show up;
    # building as a module won't work:
    <*>   X.509 certificate parser                     [X509_CERTIFICATE_PARSER]
  Certificates for signature checking --->
    [*] Provide system-wide ring of trusted keys        [SYSTEM_TRUSTED_KEYRING]
    [*]   Provide a keyring to which extra trustable keys may be added
                                                ...  [SECONDARY_TRUSTED_KEYRING]
    [*] Provide system-wide ring of blacklisted keys  [SYSTEM_BLACKLIST_KEYRING]
       
      
        
          Installation of keyutils
        
        
          Install keyutils by running the
          following commands:
        
        make
        
          Now, as the root user:
        
        make NO_ARLIB=1 LIBDIR=/usr/lib BINDIR=/usr/bin SBINDIR=/usr/sbin install
        
          The test suite can only run after installing this package. To test
          the results, issue, as the root
          user:
        
        make -k test
        
If lsb-tools-0.12 is not installed, the test
suite will output some lines complaining that the lsb_release command
is not available, but this does not affect the test results.
        
       
      
        
          Command Explanations
        
        
          NO_ARLIB=1: This make flag
          disables installing the static library.
        
       
      
        
          Configuring keyutils
        
        
          
            Config Files
          
          
/etc/request-key.conf and /etc/request-key.d/*
          
         
       
      
        
          Contents
        
        
          
            
Installed Programs: keyctl, key.dns_resolver, and request-key

Installed Library: libkeyutils.so

Installed Directories: /etc/keyutils, /etc/request-key.d, and /usr/share/keyutils
            
           
         
        
          
            Short Descriptions
          
          
keyctl
    controls the key management facility with a variety of subcommands

key.dns_resolver
    is invoked by request-key on behalf of the kernel when kernel services
    (such as NFS, CIFS and AFS) need to perform a hostname lookup and the
    kernel does not have the key cached. It is not ordinarily intended to be
    called directly

request-key
    is invoked by the kernel when the kernel is asked for a key that it
    doesn't have immediately available. The kernel creates a temporary key
    and then calls out to this program to instantiate it. It is not intended
    to be called directly

libkeyutils.so
    contains the keyutils library API instantiation
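As an added illustration (not part of this page and not keyutils' own code), the Python below models how request-key chooses a callout line from /etc/request-key.conf for a key the kernel has asked it to instantiate: the first line whose operation, key type, description and callout-info all match wins, a trailing '*' in a pattern matches any suffix, and %-escapes in the arguments are expanded before the helper program runs. The matching and substitution rules follow my reading of request-key.conf(5); the configuration lines, key serials and keyring IDs are constructed sample data, and relative_program_rules is a hypothetical audit helper of my own, useful when reviewing which programs a key request can cause the kernel to run.

```python
# Added example (not keyutils' own code): a small model of how request-key(8)
# selects a callout program from /etc/request-key.conf. SAMPLE_CONF is
# constructed; the matching rules follow request-key.conf(5) as I read it.
from dataclasses import dataclass, field


@dataclass
class CalloutRule:
    op: str            # operation: create, negate, ...
    key_type: str      # key type pattern, e.g. user, dns_resolver, or *
    description: str   # key description pattern
    callout_info: str  # callout-info pattern
    program: str       # helper program the kernel-triggered request-key execs
    args: list = field(default_factory=list)


# Constructed sample configuration in the request-key.conf layout.
SAMPLE_CONF = """\
#OP     TYPE          DESCRIPTION   CALLOUT INFO  PROGRAM ARG1 ARG2 ...
#====== ============= ============= ============= =======================
create  dns_resolver  *             *             /usr/sbin/key.dns_resolver %k
create  user          debug:*       negate        /usr/bin/keyctl negate %k 30 %S
create  user          debug:*       *             /usr/share/keyutils/request-key-debug.sh %k %d %c %S
negate  *             *             *             /usr/bin/keyctl negate %k 30 %S
"""


def parse_request_key_conf(text):
    """Parse the line-oriented format: blank lines and '#' comments are skipped;
    every other line is OP TYPE DESCRIPTION CALLOUT-INFO PROGRAM [ARGS...]."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected at least 5 fields, got {len(fields)}")
        op, ktype, desc, cinfo, prog, *args = fields
        rules.append(CalloutRule(op, ktype, desc, cinfo, prog, args))
    return rules


def pattern_matches(pattern, value):
    """A trailing '*' matches any suffix (including the empty one); without it
    the pattern must match the value exactly, so '*' alone matches everything."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def find_rule(rules, op, key_type, description, callout_info):
    """First matching line wins; returns None when no line applies."""
    for rule in rules:
        if (rule.op == op
                and pattern_matches(rule.key_type, key_type)
                and pattern_matches(rule.description, description)
                and pattern_matches(rule.callout_info, callout_info)):
            return rule
    return None


def expand_args(rule, subs):
    """Expand %-escapes in the argument list. `subs` maps an escape letter to
    its value (k = key serial, d = description, c = callout info,
    S = session keyring, ...); '%%' yields a literal percent sign."""
    out = []
    for arg in rule.args:
        buf, i = [], 0
        while i < len(arg):
            if arg[i] == "%" and i + 1 < len(arg):
                code = arg[i + 1]
                if code == "%":
                    buf.append("%")
                elif code in subs:
                    buf.append(str(subs[code]))
                else:
                    raise ValueError(f"unknown substitution %{code} in {arg!r}")
                i += 2
            else:
                buf.append(arg[i])
                i += 1
        out.append("".join(buf))
    return out


def relative_program_rules(rules):
    """Hypothetical audit helper: request-key is started by the kernel, usually
    with root privileges, so flag any rule whose program is not an absolute path."""
    return [r for r in rules if not r.program.startswith("/")]


if __name__ == "__main__":
    rules = parse_request_key_conf(SAMPLE_CONF)
    rule = find_rule(rules, "create", "user", "debug:foo", "hello")
    argv = [rule.program] + expand_args(rule, {"k": 1234, "d": "debug:foo", "c": "hello", "S": 5678})
    print("would exec:", " ".join(argv))
```

Running the block shows that a request to create a user key described as debug:foo with callout info "hello" falls through the keyctl-negate line (its callout-info pattern is "negate") and lands on the debug script, with the key serial, description, callout info and session keyring substituted into its arguments.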