Method: privilegedprivatekeydecrypt

Decrypts without checking the wrapped private key ACL. It's used to decrypt the data exported (takeout) from Google.

HTTP request

POST https://BASE_URL/privilegedprivatekeydecrypt

Replace BASE_URL with the base URL.

Path parameters

None.

Request body

The request body contains data with the following structure:

JSON representation
{ "authentication": string, "algorithm": string, "encrypted_data_encryption_key": string, "rsa_oaep_label": string, "reason": string, "spki_hash": string, "spki_hash_algorithm": string, "wrapped_private_key": string }

JSON representation

{
  "authentication": string,
  "algorithm": string,
  "encrypted_data_encryption_key": string,
  "rsa_oaep_label": string,
  "reason": string,
  "spki_hash": string,
  "spki_hash_algorithm": string,
  "wrapped_private_key": string
}

Fields
`authentication`	`string` A JWT issued by the identity provider (IdP) asserting who the user is. See authentication tokens.
`algorithm`	`string` The algorithm that was used to encrypt the Data Encryption Key (DEK) in envelope encryption.
`encrypted_data_encryption_key`	`string (UTF-8)` Base64-encoded encrypted content encryption key, which is encrypted with the public key associated with the private key. Max size: 1 KB.
`rsa_oaep_label`	`string` Base64-encoded label L, if the algorithm is RSAES-OAEP. If the algorithm is not RSAES-OAEP, this field is ignored.
`reason`	`string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.
`spki_hash`	`string` Standard base64-encoded digest of the DER-encoded `SubjectPublicKeyInfo` of the private key being accessed.
`spki_hash_algorithm`	`string` Algorithm used to produce `spki_hash`. Can be "SHA-256".
`wrapped_private_key`	`string` The base64-encoded wrapped private key. Max size: 8 KB.

Response body

If successful, this method returns the base64 data encryption key. This key is used client-side to decrypt the message body.

If the operation fails, a structured error reply is returned.

JSON representation
{ "data_encryption_key": string }

Fields

Fields
`data_encryption_key`	`string` A base64-encoded data encryption key.

data_encryption_key

string

A base64-encoded data encryption key.

Example

This example provides a sample request and response for the privilegedprivatekeydecrypt method.

Request

POST https://mykacls.example.org/v1/privilegedprivatekeydecrypt

{
  "wrapped_private_key": "wHrlNOTI9mU6PBdqiq7EQA...",
  "encrypted_data_encryption_key": "dGVzdCB3cmFwcGVkIGRlaw...",
  "authentication": "eyJhbGciOi...",
  "spki_hash": "LItGzrmjSFD57QdrY1dcLwYmSwBXzhQLAA6zVcen+r0=",
  "spki_hash_algorithm": "SHA-256",
  "algorithm": "RSA/ECB/PKCS1Padding",
  "reason": "admin decrypt"
}

Response

{
  "data_encryption_key": "akRQtv3nr+jUhcFL6JmKzB+WzUxbkkMyW5kQsqGUAFc"
}