# Insert standard key

Source: [https://docs.qualcomm.com/doc/80-88500-2/topic/standard_key_linux_embedded.html](https://docs.qualcomm.com/doc/80-88500-2/topic/standard_key_linux_embedded.html)

This section explains how the FBE is validated using the `fscryptctl` test
            utility.

To insert the standard key, perform the following steps:
1. To insert the standard key into the kernel keyring and get an identifier, run
                    the following command:

        fscryptctl insert_key <options> <mountpoint> <std_key_file_location>Copy to clipboard

Where:
    - The `options` are either `--ext4` or
                                `--f2fs`.

    - The `mountpoint` is a file on which the user data is
                            mounted, for example, /overlay on Linux Embedded
                            and /data on Linux Android.

    - The `std_key_file_location` is the file path where the
                            standard key is stored.
2. To create a directory that must be encrypted in the mount point, run the
                    following command:

        mkdir <mountpoint>/<dir_to_encrypt>Copy to clipboard

Where:
    - The `mountpoint` is a file on which the user data is
                            mounted, for example, /overlay on Linux Embedded
                            and /data on Linux Android.

    - The dir\_to\_encrypt is the name of the directory,
                            which must be on set policy to encrypt its content.
3. To set the policy on the directory created in step 2, run the following
                    command:

        fscryptctl  set_policy  --identifier=<Hex_valued_identifier>  <path_to_dir_to_encrypt>Copy to clipboard

Where:
    - The `Hex_valued_identifier` identifier is returned by the
                                `insert_key` command mentioned in step 1.

    - The `path_to_dir_to_encryp` directory is the absolute
                            path, which is created in step 2.
4. To verify whether the policy is set successfully or not, run the following
                    command:

        fscryptctl  get_policy  <path_to_dir_to_encrypt>Copy to clipboard
5. To create a file with some content in the directory to which the policy is set,
                    run the following
                    command:

        echo  "<string>" >  <path_to_dir_to_encrypt>/<filename>Copy to clipboard
6. To remove the key from the keyring, run the following
                    command:

        fscryptctl  remove_key  --identifier=<Hex_valued_identifier>  --mountpoint=<mountpoint>Copy to clipboard
7. To verify the filename and to ensure that it is set to a garbage value, run the
                    following
                        commands:

        ls  <path_to_dir_to_encrypt>Copy to clipboard

        cat  <path_to_dir_to_encrypt>/<garbage_file_name>Copy to clipboard

    If
                        you `cat` the content of the file or create a new file with
                        the content, it must say "required key not available".
8. To see the actual filename and its content in the same boot, you have to
                    re-install the key by running the following
                    command:

        fscryptctl insert_key <options> <mountpoint> <std_key_file_location>Copy to clipboard

**Parent Topic:** [File-based encryption (Linux Embedded)](https://docs.qualcomm.com/doc/80-88500-2/topic/file_based_encryption_linux_enabled.html)

Last Published: Aug 18, 2023

[Previous Topic
State of device](https://docs.qualcomm.com/bundle/publicresource/80-88500-2/topics/state_of_device_linux_embedded.md) [Next Topic
Insert wrapped key](https://docs.qualcomm.com/bundle/publicresource/80-88500-2/topics/insert_wrapped_key_linux_embedded.md)