Unwraps a wrapped private key and then decrypts the content encryption key that is encrypted to the public key.
HTTP request
POST https://BASE_URL/privatekeydecrypt
Replace BASE_URL
with the base URL.
Path parameters
None.
Request body
The request body contains data with the following structure:
JSON representation | |
---|---|
{ "authentication": string, "authorization": string, "algorithm": string, "encrypted_data_encryption_key": string, "rsa_oaep_label": string, "reason": string, "wrapped_private_key": string } |
Fields | |
---|---|
authentication |
A JWT issued by the identity provider (IdP) asserting who the user is. See authentication tokens. |
authorization |
A JWT asserting that the user is allowed to unwrap a key for |
algorithm |
The algorithm that was used to encrypt the Data Encryption Key (DEK) in envelope encryption. |
encrypted_data_encryption_key |
Base64-encoded encrypted content encryption key, which is encrypted with the public key associated with the private key. Max size: 1 KB. |
rsa_oaep_label |
Base64-encoded label L, if the algorithm is RSAES-OAEP. If the algorithm is not RSAES-OAEP, this field is ignored. |
reason |
A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB. |
wrapped_private_key |
The base64-encoded wrapped private key. Max size: 8 KB. The format of the private key or the wrapped private key is up to the Key Access Control List Service (KACLS) implementation. On the client and on the Gmail side, this is treated as an opaque blob. |
Response body
If successful, this method returns a base64 data encryption key.
If the operation fails, a structured error reply is returned.
JSON representation | |
---|---|
{ "data_encryption_key": string } |
Fields | |
---|---|
data_encryption_key |
A base64-encoded data encryption key. |
Example
This example provides a sample request and response for the privatekeydecrypt
method.
Request
POST https://mykacls.example.org/v1/privatekeydecrypt
{
"wrapped_private_key": "wHrlNOTI9mU6PBdqiq7EQA...",
"encrypted_data_encryption_key": "dGVzdCB3cmFwcGVkIGRlaw...",
"authorization": "eyJhbGciOi...",
"authentication": "eyJhbGciOi...",
"algorithm": "RSA/ECB/PKCS1Padding",
"reason": "decrypt"
}
Response
{
"data_encryption_key": "akRQtv3nr+jUhcFL6JmKzB+WzUxbkkMyW5kQsqGUAFc="
}