I suppose you mean the reference to the internal representation of the
key. This might be valid for few seconds until the required operation is
This is not really what I would call storage. The storage and retrieval
of keys is being done using two ioctl() the STORAGE_WRAP and STORAGE_UNWRAP.
An example of how NCR works:
1. A Process generates an RSA key pair
2. Stores the (encrypted) pair using the STORAGE_WRAP to a file.
3. Another process loads the file, unwraps it using STORAGE_UNWRAP and
gets a reference to the key
4. Does an RSA decryption using the key
5. Discards the reference to the key
Consider the reference as a file descriptor after you have opened a file
(a wrapped key).
How do you see keyring being involved in a setup like this?
In short: cryptographic operations.
An unprivileged process will load a key from disk to kernel and use it.
The keys leave the NCR framework only encrypted and authenticated.
I don't understand what do you mean by canonical, but this API can be
used to perform crypto operations. It uses the internal linux API where