Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Wednesday, February 9, 2022

tcpkey (8)


tcpkey - Manages the Security Association Database (SADB) for TCP


tcpkey [ -nvp ]
tcpkey [ -nv ] -f filename
tcpkey -c filename
tcpkey [-nvp ] [ delete | get ] { EXTENSION value.. }
tcpkey [ -nvp ] flush
tcpkey [-nvp ] dump
tcpkey [-nv] -s filename


The tcpkey command is used to manually manipulate the tcp(4P) security association database.

tcpkey uses a PF_KEY socket and the message types SADB_ADD, SADB_DELETE, SADB_GET, SADB_UPDATE, and SADB_FLUSH. Thus, you must have the {PRIV_SYS_IP_CONFIG} privilege or Network TCP Key Management rights profile to use this command.


The following options are supported:

–c [filename]

Analogous to the –f option, except that the input is not executed but only checked for syntactical correctness. Errors are reported to stderr.

–f [filename]

Reads commands from an input file. The lines of the input file are identical to the command line language.


Prevents attempts to print host and network names symbolically when reporting actions. This is useful, when all the name servers are down or are not reachable.


Paranoid. Does not print any keying material. Instead of an actual hexadecimal digit, it prints an X when this flag is turned on.

–s [filename]

The opposite of the –f option. If '-' is given for a filename, then the output goes to the standard output. A snapshot of all current entries will be output in a form readable by the –f option.


Verbose. Prints the messages being sent to the PF_KEY socket, and prints raw seconds values for lifetimes.

Sub Commands

The following subcommands are supported:


Adds an SA. The add subcommand involves the transfer of keying material, and therefore it cannot be invoked from the shell, lest the keys are visible in ps(1) output. It can be used either from the interactive tcpkey> prompt or in a command file specified by the –f option. The add subcommand accepts all extension-value pairs described below.


Deletes a specific SA. If the SA is in use, it will be marked delete and will not be used for a new connection setup, whereas, any existing connections will continue to use it.


Looks up and displays a security association.


Removes all SAs.


Displays all SAs.


Prints a help message.


Commands like add, delete, get, and update require certain extensions and associated values to be specified.

auth_alg <string>

Specifies the authentication algorithm. Currently only md5 is supported

src address | name
src6 IPv6 address

Source address of the SA.

dst <addr>|<name>
dst6 IPv6 address

Destination address of the SA.

sport <portnum>

Source port number

dport <portnum>

Destination port number

authstring <string>

MD5 authentication string. If the string contains space, it must be enclosed in double quotes. Only ASCII characters are supported, and hexadecimal keys are not supported. Maximum string length can be 128 characters.

SAs can only be setup between the same inet family.


Example 1 Emptying all SAs

The following example shows how to empty all SAs.

example# tcpkey flush
Example 2 Adding an SA

The following example shows how to add an SA.

example# tcpkey
tcpkey> add src dst dport 32000 authalg md5 \
        authstring sunmicro
tcpkey> exit
Example 3 Displaying all SAs

The following example shows to display all SAs.

example# tcpkey dump
     Base message (version 2) type DUMP, SA type TCP Signature.
     Message length 576 bytes, seq=2, pid=100939.
     SA: Authentication algorithm = MD5
     SRC: Source address (proto=6/tcp)
     SRC: AF_INET: port 0, <unknown>.
     DST: Destination address (proto=6/tcp)
     DST: AF_INET: port 32000, <unknown>.
     AST: Authentication string.
     AST: sunmicro



Default configuration file used at boot time. See "Service Management Facility" and SECURITY for more information.


See attributes(7) for descriptions of the following attributes:

Interface Stability

See Also