ENOKEY
Linux / POSIX | ERROR | Notable | Security | HIGH confidence

Required Key Not Available

Production Risk

Common with encrypted filesystems and Kerberos; ensure keys are provisioned at startup.

What this means

ENOKEY (errno 126) is returned by the Linux kernel keyring subsystem when a required key does not exist in the current keyring.

Why it happens
  1. Requesting a key by type/description that is not present in the session or user keyring
  2. Encrypted filesystem requiring a key that has not been loaded
  3. Kerberos credential missing from keyring

How to reproduce

A request_key() call (or a keyctl() search) for a key that is not in the keyring.

trigger — this will error
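#include <keyutils.h>  // libkeyutils wrapper; link with -lkeyutils

// Request a key that doesn't exist (NULL callout_info: search only, no upcall)
key_serial_t key = request_key("user", "my-key", NULL, KEY_SPEC_SESSION_KEYRING);
// Returns -1, errno = ENOKEY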

expected output

request_key: Required key not available (ENOKEY)

Fix

Add the required key to the keyring

When: ENOKEY is returned

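# Add a key to the user keyring
# (a value given as an argument ends up in shell history and the process list;
#  keyctl padd reads the value from stdin instead)
keyctl add user my-key "secret-value" @u

# For encrypted filesystems (ecryptfs), log in to add keys: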
ecryptfs-add-passphrase --fnek

# For Kerberos:
kinit username@REALM

Why this works

Keys must be explicitly added to a keyring before they can be requested.
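
The production-risk advice above (keys provisioned at startup) can be enforced with a preflight check. The following is an added example, not code from the original page: it calls request_key(2) directly through syscall(), separates ENOKEY from keys that exist but are expired, revoked or rejected, and the key descriptions are constructed placeholders.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/keyctl.h>            /* KEY_SPEC_SESSION_KEYRING */

enum key_state { KEY_PRESENT, KEY_MISSING, KEY_UNUSABLE, KEY_CHECK_FAILED };

/* Look up type/description via request_key(2). callout_info is NULL, so the
 * kernel only searches existing keyrings and never tries to create the key. */
static enum key_state check_key(const char *type, const char *desc, int *err)
{
    long id = syscall(SYS_request_key, type, desc, NULL,
                      (long)KEY_SPEC_SESSION_KEYRING);
    *err = (id < 0) ? errno : 0;
    if (id >= 0)
        return KEY_PRESENT;
    switch (*err) {
    case ENOKEY:       return KEY_MISSING;       /* never provisioned */
    case EKEYEXPIRED:
    case EKEYREVOKED:
    case EKEYREJECTED: return KEY_UNUSABLE;      /* present but no longer valid */
    default:           return KEY_CHECK_FAILED;  /* e.g. EACCES or a blocked syscall */
    }
}

/* Check every required "user" key; return how many are not usable. */
static int preflight(const char *const descs[], size_t n)
{
    static const char *const why[] = { "present", "missing (ENOKEY)",
                                       "expired/revoked/rejected", "check failed" };
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        int err;
        enum key_state st = check_key("user", descs[i], &err);
        if (st == KEY_PRESENT)
            continue;
        bad++;
        fprintf(stderr, "key user:%s %s: %s\n", descs[i], why[st], strerror(err));
    }
    return bad;
}

int main(void)
{
    /* Constructed placeholder descriptions, not from the original page. */
    const char *const required[] = { "example-app:db-key", "example-app:api-token" };
    return preflight(required, 2) ? 1 : 0;   /* refuse to start if any key is unusable */
}
```

Run it from the service's own unit or wrapper so the lookup happens in the same session keyring the service will use.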

Sources
Official documentation

Linux Programmer Manual keyrings(7)

keyctl(1)
