Method: privilegedprivatekeydecrypt

Decrypts a data encryption key without checking the ACL of the wrapped private key. It is used to decrypt data exported from Google (takeout).

HTTP request

POST https://BASE_URL/privilegedprivatekeydecrypt

Replace BASE_URL with the base URL.

Path parameters

None.

Request body

The request body contains data with the following structure:

JSON representation
{
  "authentication": string,
  "algorithm": string,
  "encrypted_data_encryption_key": string,
  "rsa_oaep_label": string,
  "reason": string,
  "spki_hash": string,
  "spki_hash_algorithm": string,
  "wrapped_private_key": string
}

Fields
authentication

string

A JWT issued by the identity provider (IdP) asserting who the user is. See authentication tokens.

algorithm

string

The algorithm that was used to encrypt the Data Encryption Key (DEK) in envelope encryption.

encrypted_data_encryption_key

string (UTF-8)

Base64-encoded encrypted content encryption key (the DEK), encrypted with the public key that corresponds to the wrapped private key. Max size: 1 KB.

rsa_oaep_label

string

Base64-encoded label L, if the algorithm is RSAES-OAEP. If the algorithm is not RSAES-OAEP, this field is ignored.

reason

string (UTF-8)

A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.

spki_hash

string

Standard base64-encoded digest of the DER-encoded SubjectPublicKeyInfo of the private key being accessed.

spki_hash_algorithm

string

Algorithm used to produce spki_hash. Can be "SHA-256".

wrapped_private_key

string

The base64-encoded wrapped private key. Max size: 8 KB.

Response body

If successful, this method returns the base64-encoded data encryption key. This key is used client-side to decrypt the message body.

If the operation fails, a structured error reply is returned.

JSON representation
{
  "data_encryption_key": string
}

Fields
data_encryption_key

string

A base64-encoded data encryption key.
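As an added example (not code from this page or from any Google-provided implementation of the key service that serves this endpoint), the following Python sketches the validation a server would apply to this request before touching any key material: required fields, the stated size limits, standard base64 decoding, the spki_hash_algorithm allow-list, ignoring rsa_oaep_label when the algorithm is not RSAES-OAEP, a constant-time check that spki_hash matches the SubjectPublicKeyInfo of the unwrapped private key, and assembling the success or error reply. The unwrap_and_decrypt hook, reading "1 KB" as 1024 bytes, the shape of the error reply and all sample values are assumptions.

```python
import base64
import binascii
import hashlib
import hmac

# Limits from the API reference; "1 KB" is taken as 1024 bytes (an assumption).
MAX_SIZES = {"encrypted_data_encryption_key": 1024, "reason": 1024, "wrapped_private_key": 8192}
REQUIRED = ("authentication", "algorithm", "encrypted_data_encryption_key",
            "spki_hash", "spki_hash_algorithm", "wrapped_private_key")
SPKI_HASH_ALGORITHMS = {"SHA-256": hashlib.sha256}
OAEP = "RSAES-OAEP"


class RequestError(ValueError):
    """Malformed request; the message is what the structured error reply carries."""


def _b64(field, value):
    # Standard alphabet with padding, as the reference specifies for spki_hash.
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise RequestError(f"{field}: not valid standard base64") from exc


def validate_request(body):
    """Check field presence, types, sizes and encodings, and decode the binary fields.
    Returns a dict for the crypto step; nothing is unwrapped or decrypted here."""
    for name in REQUIRED:
        if not isinstance(body.get(name), str) or not body[name]:
            raise RequestError(f"{name}: missing or not a non-empty string")
    for name, limit in MAX_SIZES.items():
        if name in body and len(str(body[name]).encode("utf-8")) > limit:
            raise RequestError(f"{name}: exceeds {limit} bytes")
    if body["spki_hash_algorithm"] not in SPKI_HASH_ALGORITHMS:
        raise RequestError("spki_hash_algorithm: unsupported")
    out = {
        "authentication": body["authentication"],  # IdP JWT; verified in a separate step
        "algorithm": body["algorithm"],
        "spki_hash_algorithm": body["spki_hash_algorithm"],
        "reason": body.get("reason", ""),           # passthrough; sanitize before display
        "encrypted_dek": _b64("encrypted_data_encryption_key", body["encrypted_data_encryption_key"]),
        "spki_hash": _b64("spki_hash", body["spki_hash"]),
        "wrapped_private_key": _b64("wrapped_private_key", body["wrapped_private_key"]),
    }
    # rsa_oaep_label is only meaningful for RSAES-OAEP; the reference says it is ignored otherwise.
    if body["algorithm"] == OAEP:
        out["rsa_oaep_label"] = _b64("rsa_oaep_label", body.get("rsa_oaep_label", ""))
    else:
        out["rsa_oaep_label"] = None
    return out


def spki_hash_b64(spki_der, spki_hash_algorithm="SHA-256"):
    """Standard base64 digest of a DER SubjectPublicKeyInfo, as a client would send it."""
    return base64.b64encode(SPKI_HASH_ALGORITHMS[spki_hash_algorithm](spki_der).digest()).decode("ascii")


def spki_matches(spki_der, spki_hash, spki_hash_algorithm):
    """True if the digest of the SPKI derived from the unwrapped private key equals the
    caller's spki_hash; constant-time compare so length/prefix mismatches leak no timing."""
    digest = SPKI_HASH_ALGORITHMS[spki_hash_algorithm](spki_der).digest()
    return hmac.compare_digest(digest, spki_hash)


def build_reply(body, unwrap_and_decrypt):
    """Validate, run the caller-supplied crypto step, and produce the JSON reply.
    unwrap_and_decrypt(decoded) is a hypothetical hook that unwraps the private key and
    decrypts the DEK, returning (spki_der, dek_bytes). The error-reply shape is assumed;
    the reference only says a structured error is returned."""
    try:
        decoded = validate_request(body)
        spki_der, dek = unwrap_and_decrypt(decoded)
        if not spki_matches(spki_der, decoded["spki_hash"], decoded["spki_hash_algorithm"]):
            raise RequestError("spki_hash: does not match the wrapped private key")
    except RequestError as exc:
        return {"error": str(exc)}
    return {"data_encryption_key": base64.b64encode(dek).decode("ascii")}
```

The SPKI check is the point worth keeping even for a privileged path that skips the ACL: it ties the request's spki_hash to the key that was actually unwrapped, so a caller cannot obtain a DEK decrypted under a different key than the one it claims to be using.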

Example

This example provides a sample request and response for the privilegedprivatekeydecrypt method.

Request

POST https://mykacls.example.org/v1/privilegedprivatekeydecrypt

{
  "wrapped_private_key": "wHrlNOTI9mU6PBdqiq7EQA...",
  "encrypted_data_encryption_key": "dGVzdCB3cmFwcGVkIGRlaw...",
  "authentication": "eyJhbGciOi...",
  "spki_hash": "LItGzrmjSFD57QdrY1dcLwYmSwBXzhQLAA6zVcen+r0=",
  "spki_hash_algorithm": "SHA-256",
  "algorithm": "RSA/ECB/PKCS1Padding",
  "reason": "admin decrypt"
}

Response

{
  "data_encryption_key": "akRQtv3nr+jUhcFL6JmKzB+WzUxbkkMyW5kQsqGUAFc"
}