Method: privilegedprivatekeydecrypt

AI-generated Key Takeaways

Decrypts data exported from Google, like takeout, without checking private key ACLs.
Uses a POST request to the /privilegedprivatekeydecrypt endpoint, providing authentication and encryption details in the request body.
Returns the base64-encoded data encryption key upon successful decryption, which is used for client-side decryption of the message body.
In case of failure, the API returns a structured error reply.

Decrypts without checking the wrapped private key ACL. It's used to decrypt the data exported ( takeout ) from Google.

HTTP request

POST https:// KACLS_URL /privilegedprivatekeydecrypt

Replace KACLS_URL with the Key Access Control List Service (KACLS) URL.

Path parameters

None.

Request body

The request body contains data with the following structure:

JSON representation
{ "authentication" : string , "algorithm" : string , "encrypted_data_encryption_key" : string , "rsa_oaep_label" : string , "reason" : string , "spki_hash" : string , "spki_hash_algorithm" : string , "wrapped_private_key" : string }

JSON representation

 { 
 "authentication" 
 : 
 string 
 , 
 "algorithm" 
 : 
 string 
 , 
 "encrypted_data_encryption_key" 
 : 
 string 
 , 
 "rsa_oaep_label" 
 : 
 string 
 , 
 "reason" 
 : 
 string 
 , 
 "spki_hash" 
 : 
 string 
 , 
 "spki_hash_algorithm" 
 : 
 string 
 , 
 "wrapped_private_key" 
 : 
 string 
 }

Fields
`authentication`	`string` A JWT issued by the identity provider (IdP) asserting who the user is. See authentication tokens .
`algorithm`	`string` The algorithm that was used to encrypt the Data Encryption Key (DEK) in envelope encryption.
`encrypted_data_encryption_key`	`string (UTF-8)` Base64-encoded encrypted content encryption key, which is encrypted with the public key associated with the private key. Max size: 1 KB.
`rsa_oaep_label`	`string` Base64-encoded label L, if the algorithm is RSAES-OAEP. If the algorithm is not RSAES-OAEP, this field is ignored.
`reason`	`string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.
`spki_hash`	`string` Standard base64-encoded digest of the DER-encoded `SubjectPublicKeyInfo` of the private key being accessed.
`spki_hash_algorithm`	`string` Algorithm used to produce `spki_hash` . Can be "SHA-256".
`wrapped_private_key`	`string` The base64-encoded wrapped private key. Max size: 8 KB.

Response body

If successful, this method returns the base64 data encryption key. This key is used client-side to decrypt the message body.

If the operation fails, a structured error reply is returned.

JSON representation
{ "data_encryption_key" : string }

Fields

Fields
`data_encryption_key`	`string` A base64-encoded data encryption key.

data_encryption_key

string

A base64-encoded data encryption key.

Example

This example provides a sample request and response for the privilegedprivatekeydecrypt method.

Request

  POST 
  
 h 
 tt 
 ps 
 : 
 //mykacls.example.org/v1/privilegedprivatekeydecrypt 
 { 
  
 "wrapped_private_key" 
 : 
  
 "wHrlNOTI9mU6PBdqiq7EQA..." 
 , 
  
 "encrypted_data_encryption_key" 
 : 
  
 "dGVzdCB3cmFwcGVkIGRlaw..." 
 , 
  
 "authentication" 
 : 
  
 "eyJhbGciOi..." 
 , 
  
 "spki_hash" 
 : 
  
 "LItGzrmjSFD57QdrY1dcLwYmSwBXzhQLAA6zVcen+r0=" 
 , 
  
 "spki_hash_algorithm" 
 : 
  
 "SHA-256" 
 , 
  
 "algorithm" 
 : 
  
 "RSA/ECB/PKCS1Padding" 
 , 
  
 "reason" 
 : 
  
 "admin decrypt" 
 }

Response

  { 
  
 "data_encryption_key" 
 : 
  
 "akRQtv3nr+jUhcFL6JmKzB+WzUxbkkMyW5kQsqGUAFc" 
 }

Method: privilegedprivatekeydecrypt Stay organized with collections Save and categorize content based on your preferences.