# Install user key

Source: [https://docs.qualcomm.com/doc/80-88500-2/topic/install_user_key.html](https://docs.qualcomm.com/doc/80-88500-2/topic/install_user_key.html)

To install the user key, perform the following steps:
1. To install the user key into the kernel keyring and obtain its identifier, run the following command:

        install_and_evict -k <user_key_file_path> <user_key_ref_file_path>

    Where:
    - `user_key_file_path` is the file where the user key is stored.
    - `user_key_ref_file_path` is the file that stores the identifier generated when the user key is installed into the keyring.
2. To create a directory in the mount point where the user data is mounted, run the following command:

        mkdir <mountpoint>/<dir_to_set_policy_on>

    Where:
    - `mountpoint` is the path on which the user data is mounted, for example, `/overlay` on Linux Embedded and `/data` on Linux Android.
    - `dir_to_set_policy_on` is the user directory on which the policy must be set.
3. To set the policy on `<dir_to_set_policy_on>` using the identifier stored in `<user_key_ref_file_path>`, run the following command:

        lefbe_setpolicy -s <user_key_ref_file_path> <dir_to_set_policy_on>
4. To create a file `<filename>` with content `<string>` in the encrypted directory `<dir_to_set_policy_on>`, run the following command:

        echo "<string>" > <mountpoint>/<dir_to_set_policy_on>/<filename>

    Both the filename and the content will be encrypted.
5. To evict (remove) the key from the kernel keyring using the file `<user_key_ref_file_path>` in which the identifier is stored, run the following command:

        install_and_evict -e <user_key_ref_file_path>

    After this command runs successfully, the file `<filename>` created with the content `<string>` appears as a garbage value.
6. To evict the key from the kernel keyring using the hex value of the identifier `<Identifier_hex_value>`, run the following command:

        install_and_evict -i <Identifier_hex_value>

    If this command runs successfully, the name of the file created in the directory on which the policy was set using the identifier appears as a garbage value.
7. To see the actual filename and its content, re-install the same key into the keyring by running the following command:

        install_and_evict -k <user_key_file_path> <user_key_ref_file_path>

Note: The `install_and_evict` service can also be used to evict the boot key, using either the `-i` or the `-e` option.
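The visibility checks described in steps 5 to 7 can be scripted so that an eviction or re-install is verified rather than eyeballed. The following is an added example, not part of the Qualcomm documentation: it reports whether a directory appears locked or unlocked by looking for the known file from step 4. The function names `fbe_dir_state` and `expect_state` and the demo file names are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not vendor code): decide whether an encrypted directory is
# currently locked or unlocked, using the known file created in step 4.
# Assumption: after eviction the file is no longer visible under its real
# name or content, as steps 5 and 6 describe.

# fbe_dir_state DIR FILENAME STRING
# Prints "unlocked" if DIR/FILENAME exists and contains exactly STRING,
# "locked" if DIR has entries but the expected name/content is not there,
# "empty" if DIR has no entries (nothing to judge from).
fbe_dir_state() {
    dir=$1; name=$2; want=$3
    [ -d "$dir" ] || { echo "error: $dir is not a directory" >&2; return 2; }
    if [ -f "$dir/$name" ] && [ "$(cat "$dir/$name" 2>/dev/null)" = "$want" ]; then
        echo unlocked
    elif [ -n "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo locked
    else
        echo empty
    fi
}

# expect_state EXPECTED DIR FILENAME STRING
# Returns 0 only when the observed state matches EXPECTED.
expect_state() {
    got=$(fbe_dir_state "$2" "$3" "$4") || return 2
    [ "$got" = "$1" ] && return 0
    echo "FAIL: $2 is $got, expected $1" >&2
    return 1
}

# Intended use around the page's commands (placeholders as on the page):
#   install_and_evict -e <user_key_ref_file_path>
#   expect_state locked <mountpoint>/<dir_to_set_policy_on> <filename> "<string>"

# Constructed demo on plain temp directories (no encryption involved):
# one simulates the unlocked view, one the locked view with a garbage name.
demo=$(mktemp -d)
mkdir "$demo/unlocked" "$demo/locked"
echo "hello" > "$demo/unlocked/note.txt"
echo "x" > "$demo/locked/Qz8garbage"
fbe_dir_state "$demo/unlocked" note.txt hello   # prints: unlocked
fbe_dir_state "$demo/locked" note.txt hello     # prints: locked
rm -rf "$demo"
```

Run `expect_state locked ...` after step 5 or 6 and `expect_state unlocked ...` after step 7; a non-zero exit means the directory is not in the state the procedure says it should be.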

**Parent Topic:** [File-based encryption (Linux Embedded)](https://docs.qualcomm.com/doc/80-88500-2/topic/file_based_encryption_linux_enabled.html)

Last Published: Aug 18, 2023
