Decrypts without checking the wrapped private key ACL. It's used to decrypt the data exported (takeout) from Google.
HTTP request
POST https://KACLS_URL/privilegedprivatekeydecrypt
Replace KACLS_URL with the Key Access Control List Service (KACLS) URL.
Path parameters
None.
Request body
The request body contains data with the following structure:
| JSON representation | |
|---|---|
| { "authentication": string, "algorithm": string, "encrypted_data_encryption_key": string, "rsa_oaep_label": string, "reason": string, "spki_hash": string, "spki_hash_algorithm": string, "wrapped_private_key": string } | |
| Fields | |
|---|---|
| authentication |   A JWT issued by the identity provider (IdP) asserting who the user is. See authentication tokens. | 
| algorithm |   The algorithm that was used to encrypt the Data Encryption Key (DEK) in envelope encryption. | 
| encrypted_data_encryption_key |   Base64-encoded encrypted content encryption key, which is encrypted with the public key associated with the private key. Max size: 1 KB. | 
| rsa_oaep_label |   Base64-encoded label L, if the algorithm is RSAES-OAEP. If the algorithm is not RSAES-OAEP, this field is ignored. | 
| reason |   A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB. | 
| spki_hash |   Standard base64-encoded digest of the DER-encoded  | 
| spki_hash_algorithm |   Algorithm used to produce  | 
| wrapped_private_key |   The base64-encoded wrapped private key. Max size: 8 KB. | 
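The following added example (not part of the original reference and not Google's or any KACLS vendor's code) shows how a KACLS implementation could validate this request body before touching key material: it enforces the size limits from the table, decodes the base64 fields strictly, ignores `rsa_oaep_label` for non-OAEP algorithms, and sanitizes `reason` for display. The function names, the set of mandatory fields, the reading of 1 KB as 1024 bytes, and the `"OAEP"` substring test are assumptions; verifying the `authentication` JWT is a separate step not shown.

```python
import base64
import binascii
import html

KB = 1024  # assumption: "1 KB" / "8 KB" are 1024-byte units applied to the field as sent
MAX_LEN = {"encrypted_data_encryption_key": KB, "reason": KB, "wrapped_private_key": 8 * KB}
# Assumption: these fields are treated as mandatory; the page does not mark any as optional.
REQUIRED = ("authentication", "algorithm", "encrypted_data_encryption_key",
            "spki_hash", "spki_hash_algorithm", "wrapped_private_key")
BASE64_FIELDS = ("encrypted_data_encryption_key", "spki_hash", "wrapped_private_key")
DIGEST_LEN = {"SHA-256": 32}  # only the value shown in the page's example


def sanitize_reason(reason):
    """Drop control characters and HTML-escape the passthrough reason for display."""
    return html.escape("".join(ch for ch in reason if ch.isprintable()), quote=True)


def validate_request(body):
    """Return (decoded_fields, errors); an empty error list means the call may proceed."""
    decoded, errors = {}, []
    for name in REQUIRED:
        if not isinstance(body.get(name), str) or not body[name]:
            errors.append(f"{name}: missing or not a string")
    if not isinstance(body.get("reason", ""), str):
        errors.append("reason: not a string")
    for name, limit in MAX_LEN.items():
        if isinstance(body.get(name), str) and len(body[name].encode("utf-8", "replace")) > limit:
            errors.append(f"{name}: larger than {limit} bytes")
    if errors:
        return decoded, errors  # reject before decoding anything
    fields = list(BASE64_FIELDS)
    # Assumption: an RSAES-OAEP algorithm name contains "OAEP"; otherwise the label is ignored.
    if "OAEP" in body["algorithm"].upper() and "rsa_oaep_label" in body:
        fields.append("rsa_oaep_label")
    for name in fields:
        try:
            decoded[name] = base64.b64decode(body[name], validate=True)
        except (binascii.Error, ValueError, TypeError):
            errors.append(f"{name}: not valid base64")
    want = DIGEST_LEN.get(body["spki_hash_algorithm"])
    if want is None:
        errors.append("spki_hash_algorithm: unsupported")
    elif "spki_hash" in decoded and len(decoded["spki_hash"]) != want:
        errors.append(f"spki_hash: expected a {want}-byte digest")
    decoded["reason_for_display"] = sanitize_reason(body.get("reason", ""))
    return decoded, errors
```

Because this endpoint skips the wrapped private key ACL check, the sanitized reason and the validation outcome are worth writing to the audit log for every call.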
Response body
If successful, this method returns the base64 data encryption key. This key is used client-side to decrypt the message body.
If the operation fails, a structured error reply is returned.
| JSON representation | |
|---|---|
| { "data_encryption_key" : string } | |
| Fields | |
|---|---|
| data_encryption_key |   A base64-encoded data encryption key. | 
Example
This example provides a sample request and response for the privilegedprivatekeydecrypt method.
Request
```
POST https://mykacls.example.org/v1/privilegedprivatekeydecrypt

{
  "wrapped_private_key": "wHrlNOTI9mU6PBdqiq7EQA...",
  "encrypted_data_encryption_key": "dGVzdCB3cmFwcGVkIGRlaw...",
  "authentication": "eyJhbGciOi...",
  "spki_hash": "LItGzrmjSFD57QdrY1dcLwYmSwBXzhQLAA6zVcen+r0=",
  "spki_hash_algorithm": "SHA-256",
  "algorithm": "RSA/ECB/PKCS1Padding",
  "reason": "admin decrypt"
}
```
Response
```
{
  "data_encryption_key": "akRQtv3nr+jUhcFL6JmKzB+WzUxbkkMyW5kQsqGUAFc"
}
```

