The Google Workspace Client-side Encryption (CSE) API lets you own the encryption keys used to further encrypt Google Workspace data.
Methods
| Methods | |
|---|---|
digest |
POST https://KACLS_URL/digest Returns the checksum of an unwrapped DEK. |
privatekeydecrypt |
POST https://KACLS_URL/privatekeydecrypt Unwraps a wrapped private key and then decrypts the content encryption key that is encrypted to the public key. |
privatekeysign |
POST https://KACLS_URL/privatekeysign Unwraps a wrapped private key and then signs the digest provided by the client. |
privilegedprivatekeydecrypt |
POST https://KACLS_URL/privilegedprivatekeydecrypt Decrypts without checking the wrapped private key ACL. |
privilegedunwrap |
POST https://KACLS_URL/privilegedunwrap Decrypts data exported from Google in a privileged context. |
privilegedwrap |
POST https://KACLS_URL/privilegedwrap Returns a wrapped Data Encryption Key (DEK) and associated data. |
rewrap |
POST https://KACLS_URL/rewrap Re-encrypts an encrypted DEK. |
status |
GET https://KACLS_URL/status Checks the status of a Key Access Control List Service (KACLS). |
unwrap |
POST https://KACLS_URL/unwrap Returns decrypted DEK. |
wrap |
POST https://KACLS_URL/wrap Returns encrypted DEK and associated data. |
wrapprivatekey |
POST https://KACLS_URL/wrapprivatekey Wraps a user's private key. |
Tokens
| Tokens | |
|---|---|
Authorization |
JWT issued by Google to verify that the caller is authorized to encrypt or decrypt a resource. |
Authentication |
JWT issued by the identity provider that attests user identity. |