Method: privilegedwrap

Returns a wrapped Data Encryption Key (DEK) and associated data. Use this method to encrypt data imported to Google Drive in bulk by a domain administrator.

For more details, see Encrypt & decrypt data.

HTTP request

POST https://BASE_URL/privilegedwrap

Replace BASE_URL with the base URL.

Path parameters

None.

Request body

The request body contains data with the following structure:

JSON representation
{ "authentication": string, "key": string, "perimeter_id": string, "reason": string, "resource_name": string }

Fields
`authentication`	`string` A JWT issued by the identity provider (IdP) asserting who the user is. See authentication tokens.
`key`	`string` The base64-encoded DEK. Max size: 128 bytes.
`perimeter_id`	`string (UTF-8)` An optional value tied to the document location that can be used to choose which perimeter is checked when unwrapping.
`reason`	`string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.
`resource_name`	`string (UTF-8)` An identifier for the object encrypted by the DEK.

Response body

If successful, this method returns an opaque binary object that is stored by Google Workspace along the encrypted object and sent as-is in any subsequent key unwrapping operation.

If the operation fails, a structured error reply is returned.

The binary object should contain the only copy of the encrypted DEK, implementation specific data can be stored in it.

Don't store the DEK in the Key Access Control List Service (KACLS) system, instead encrypt it and return it in the wrapped_key object. This prevents lifetime discrepancies between the document and its keys. For example, to ensure that the user's data is fully wiped out when they request it, or to make sure that previous versions restored from a backup are decryptable.

JSON representation
{ "wrapped_key": string }

Fields

Fields
`wrapped_key`	`string` The base64-encoded binary object. Max size: 1 KB.

wrapped_key

string

The base64-encoded binary object. Max size: 1 KB.

Example

This example provides a sample request and response for the privilegedwrap method.

Request

POST https://mykacls.example.com/v1/privilegedwrap

{
   "key":"wHrlNOTI9mU6PBdqiq7EQA==",
   "resource_name": "wdwqd…",
   "authentication": "eyJhbGciOi…",
   "reason": "admin import"
}

Response

{
    "wrapped_key": "3qTh6Mp+svPwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg=="
}