# Insert wrapped key

Source: [https://docs.qualcomm.com/doc/80-88500-2/topic/insert_wrapped_key_linux_embedded.html](https://docs.qualcomm.com/doc/80-88500-2/topic/insert_wrapped_key_linux_embedded.html)

To insert the wrapped key, perform the following steps:

1. To generate the wrapped key using the `km_lite_sample_client` test binary, run the following command:

        km_lite_sample_client 8

    Where `8` is the command to generate a first boot wrapped key.

    Store the generated wrapped key at `/data/aes_export_de0`.

    Note: Cross-check the file path where the key is stored.
2. To insert the wrapped key into the kernel keyring and to get an identifier, run the following command:

        fscryptctl insert_wrapped_key <options> <mountpoint> <wrapped_key_file_location>

    Where:

    - The `options` are either `--ext4` or `--f2fs`.
    - The `mountpoint` is the path on which the user data is mounted, for example, `/overlay` on Linux Embedded and `/data` on Linux Android.
    - The `wrapped_key_file_location` is the file path where the wrapped key is stored.
3. To create a directory that must be encrypted in the mount point, run the following command:

        mkdir <mountpoint>/<dir_to_encrypt>

    Where:

    - The `mountpoint` is the path on which the user data is mounted, for example, `/overlay` on Linux Embedded and `/data` on Linux Android.
    - The `dir_to_encrypt` is the name of the directory on which the policy must be set to encrypt its content.
4. To set the policy on the directory created in step 3, run the following command:

        fscryptctl set_policy --identifier=<Hex_valued_identifier> <path_to_dir_to_encrypt>

    Where:

    - The `Hex_valued_identifier` is the identifier returned by the `insert_wrapped_key` command in step 2.
    - The `path_to_dir_to_encrypt` is the absolute path of the directory created in step 3.
5. To verify whether the policy is set successfully or not, run the following command:

        fscryptctl get_policy <path_to_dir_to_encrypt>

6. To create a file with some content in the directory to which the policy is set, run the following command:

        echo "<string>" > <path_to_dir_to_encrypt>/<filename>

7. To remove the key from the keyring, run the following command:

        fscryptctl remove_key --identifier=<Hex_valued_identifier> --mountpoint=<mountpoint>

8. To verify the filename and to ensure that it is a garbage value, run the following commands:

        ls <path_to_dir_to_encrypt>

        cat <path_to_dir_to_encrypt>/<garbage_file_name>

    If you `cat` the file or create a new file with content in the directory, the command must report "required key not available".

9. To see the actual filename and its content in the same boot, you have to re-install the key by running the following command:

        fscryptctl insert_wrapped_key <options> <mountpoint> <wrapped_key_file_location>
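
Steps 2 to 9 as one script with pass/fail checks, added here as an example and not part of the Qualcomm documentation. It assumes `insert_wrapped_key` prints the hex identifier on stdout; the function names, the `probe.txt` file, the `fbe_check.sh` script name and the `secure_dir` directory are illustrative.

```shell
#!/bin/sh
# Added example: wrapped-key round trip for steps 2 to 9, with pass/fail checks.
# Assumption: insert_wrapped_key prints the hex identifier on stdout.

# Insert the wrapped key and print only the identifier (first hex run found).
insert_key_id() {  # <fs_option> <mountpoint> <wrapped_key_file>
    fscryptctl insert_wrapped_key "$1" "$2" "$3" |
        grep -Eo '[0-9a-fA-F]{16,}' | head -n 1
}

# True when the plaintext name is neither listed nor readable (key removed).
is_locked() {  # <dir> <plaintext_filename>
    ! ls "$1" | grep -qxF "$2" && ! cat "$1/$2" >/dev/null 2>&1
}

fail() { echo "FAIL: $*" >&2; return 1; }

fbe_roundtrip() {  # <fs_option> <mountpoint> <wrapped_key_file> <dir_name>
    opt=$1 mnt=$2 keyfile=$3 dir=$2/$4 name=probe.txt
    [ -r "$keyfile" ] || fail "wrapped key not readable: $keyfile" || return 1
    id=$(insert_key_id "$opt" "$mnt" "$keyfile")                      # step 2
    [ -n "$id" ] || fail "no identifier returned" || return 1
    mkdir "$dir" || return 1                                          # step 3
    fscryptctl set_policy --identifier="$id" "$dir" || return 1       # step 4
    fscryptctl get_policy "$dir" >/dev/null || return 1               # step 5
    echo "fbe-probe" > "$dir/$name" || return 1                       # step 6
    fscryptctl remove_key --identifier="$id" --mountpoint="$mnt" ||
        return 1                                                      # step 7
    is_locked "$dir" "$name" ||
        fail "plaintext visible after remove_key" || return 1         # step 8
    insert_key_id "$opt" "$mnt" "$keyfile" >/dev/null                 # step 9
    [ "$(cat "$dir/$name" 2>/dev/null)" = "fbe-probe" ] ||
        fail "file not readable after re-insert" || return 1
    echo "PASS: $dir locks and unlocks with identifier $id"
}

# Runs only with four arguments (constructed example values):
#   sh fbe_check.sh --ext4 /overlay /data/aes_export_de0 secure_dir
if [ "$#" -eq 4 ]; then fbe_roundtrip "$@"; fi
```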


Last Published: Aug 18, 2023
