9.1. Key attributes

Key attributes are managed in a psa_key_attributes_t object. These are used when a key is created, after which the key attributes are fixed. Attributes of an existing key can be queried using psa_get_key_attributes().

Description of the individual attributes is found in the following sections:

9.1.1. Managing key attributes

psa_key_attributes_t (type)

The type of an object containing key attributes.

typedef /* implementation-defined type */ psa_key_attributes_t;

This is the object that represents the metadata of a key object. Metadata that can be stored in attributes includes:

  • The location of the key in storage, indicated by its key identifier and its lifetime.

  • The key’s policy, comprising usage flags and a specification of the permitted algorithm(s).

  • Information about the key itself: the key type and its size.

  • Implementations can define additional attributes.

The actual key material is not considered an attribute of a key. Key attributes do not contain information that is generally considered highly confidential.


Implementations are recommended to define the attribute object as a simple data structure, with fields corresponding to the individual key attributes. In such an implementation, each function psa_set_key_xxx() sets a field and the corresponding function psa_get_key_xxx() retrieves the value of the field.

An implementations can report attribute values that are equivalent to the original one, but have a different encoding. For example, an implementation can use a more compact representation for types where many bit-patterns are invalid or not supported, and store all values that it does not support as a special marker value. In such an implementation, after setting an invalid value, the corresponding get function returns an invalid value which might not be the one that was originally stored.

This is an implementation-defined type. Applications that make assumptions about the content of this object will result in in implementation-specific behavior, and are non-portable.

An attribute object can contain references to auxiliary resources, for example pointers to allocated memory or indirect references to pre-calculated values. In order to free such resources, the application must call psa_reset_key_attributes(). As an exception, calling psa_reset_key_attributes() on an attribute object is optional if the object has only been modified by the following functions since it was initialized or last reset with psa_reset_key_attributes():

Before calling any function on a key attribute object, the application must initialize it by any of the following means:

A freshly initialized attribute object contains the following values:





key identifier

PSA_KEY_ID_NULL - which is not a valid key identifier.


PSA_KEY_TYPE_NONE - meaning that the type is unspecified.

key size

0 - meaning that the size is unspecified.

usage flags

0 - which allows no usage except exporting a public key.


PSA_ALG_NONE - which does not allow cryptographic usage, but allows exporting.


A typical sequence to create a key is as follows:

  1. Create and initialize an attribute object.

  2. If the key is persistent, call psa_set_key_id(). Also call psa_set_key_lifetime() to place the key in a non-default location.

  3. Set the key policy with psa_set_key_usage_flags() and psa_set_key_algorithm().

  4. Set the key type with psa_set_key_type(). Skip this step if copying an existing key with psa_copy_key().

  5. When generating a random key with psa_generate_key() or deriving a key with psa_key_derivation_output_key(), set the desired key size with psa_set_key_bits().

  6. Call a key creation function: psa_import_key(), psa_generate_key(), psa_key_derivation_output_key() or psa_copy_key(). This function reads the attribute object, creates a key with these attributes, and outputs an identifier for the newly created key.

  7. Optionally call psa_reset_key_attributes(), now that the attribute object is no longer needed. Currently this call is not required as the attributes defined in this specification do not require additional resources beyond the object itself.

A typical sequence to query a key’s attributes is as follows:

  1. Call psa_get_key_attributes().

  2. Call psa_get_key_xxx() functions to retrieve the required attribute(s).

  3. Call psa_reset_key_attributes() to free any resources that can be used by the attribute object.

Once a key has been created, it is impossible to change its attributes.


This macro returns a suitable initializer for a key attribute object of type psa_key_attributes_t.

#define PSA_KEY_ATTRIBUTES_INIT /* implementation-defined value */

psa_key_attributes_init (function)

Return an initial value for a key attribute object.

psa_key_attributes_t psa_key_attributes_init(void);

Returns: psa_key_attributes_t

psa_get_key_attributes (function)

Retrieve the attributes of a key.

psa_status_t psa_get_key_attributes(psa_key_id_t key,
                                    psa_key_attributes_t * attributes);



Identifier of the key to query.


On entry, *attributes must be in a valid state. On successful return, it contains the attributes of the key. On failure, it is equivalent to a freshly-initialized attribute object.

Returns: psa_status_t


The library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.


This function first resets the attribute object as with psa_reset_key_attributes(). It then copies the attributes of the given key into the given attribute object.


This function clears any previous content from the attribute object and therefore expects it to be in a valid state. In particular, if this function is called on a newly allocated attribute object, the attribute object must be initialized before calling this function.


This function might allocate memory or other resources. Once this function has been called on an attribute object, psa_reset_key_attributes() must be called to free these resources.

psa_reset_key_attributes (function)

Reset a key attribute object to a freshly initialized state.

void psa_reset_key_attributes(psa_key_attributes_t * attributes);



The attribute object to reset.

Returns: void


The attribute object must be initialized as described in the documentation of the type psa_key_attributes_t before calling this function. Once the object has been initialized, this function can be called at any time.

This function frees any auxiliary resources that the object might contain.