Method: privilegedunwrap

Decrypts data exported from Google in a privileged context. Previously known as TakeoutUnwrap. Returns the Data Encryption Key (DEK) that was wrapped using wrap without checking the original document or file access control list (ACL). For an example use case, see: Google Takeout.

HTTP request

POST https://KACLS_URL/privilegedunwrap

Replace KACLS_URL with the Key Access Control List Service (KACLS) URL.

Path parameters

None.

Request body

The request body contains data with the following structure:

JSON representation
{ "authentication": string, "reason": string, "resource_name": string, "wrapped_key": string }

Fields
`authentication`	`string` A JWT issued by the IdP asserting who the user is. See authentication tokens.
`reason`	`string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Maximum size: 1 KB.
`resource_name`	`string (UTF-8)` An identifier for the object encrypted by the DEK. This value must match the `resource_name` used to wrap the key. Maximum size: 128 bytes.
`wrapped_key`	`string` The base64 binary object returned by `wrap`.

Response body

If successful, this method returns the document encryption key.

If the operation fails, a structured error reply should be returned.

JSON representation
{ "key": string }

Fields

Fields
`key`	`string` The base64-encoded DEK.

key

string

The base64-encoded DEK.

Example

This example provides a sample request and response for the privilegedunwrap method.

Request

POST https://mykacls.example.com/v1/takeout_unwrap

{
   "wrapped_key": "7qTh6Mp+svVwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==",
   "authentication": "eyJhbGciOi…"
   "reason": "{client:'takeout' op:'read'}"
   "resource_name": "item123"
}

Response

{
    "key": "0saNxttLMQULfXuTbRFJzi/QJokN1jW16u0yaNvvLdQ="
}