Wraps a user's private key. This is a privileged operation, and can only be performed by authorized Key Access Control List Service (KACLS) admins. This API is optional. Neither Google nor the Gmail client calls this API. The specification provided is a recommendation, not a requirement.
HTTP request
POST https://KACLS_URL/wrapprivatekey
Replace KACLS_URL with the Key Access Control List
Service (KACLS) URL.
Path parameters
None.
Request body
The request body contains data with the following structure:
| JSON representation | |
|---|---|
{ "authentication": string, "perimeter_id": string, "private_key": string } |
|
| Fields | |
|---|---|
authentication |
A JWT issued by the identity provider (IdP) asserting who the user is. See authentication tokens. |
perimeter_id |
The perimeter ID to encrypt with the key. |
private_key |
The base64-encoded DEK. Max size: 128 bytes. |
Response body
If successful, this method returns the wrapped private key.
If the operation fails, a structured error reply is returned.
| JSON representation | |
|---|---|
{ "wrapped_private_key": string } |
|
| Fields | |
|---|---|
wrapped_private_key |
The base64-encoded wrapped private key. Max size: 8 KB. |
Example
This example provides a sample request and response for the wrapprivatekey
method.
Request
POST https://mykacls.example.org/v1/wrapprivatekey
{
"private_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIJ......\\n-----END RSA PRIVATE KEY-----",
"perimeter_id": ""
}
Response
{
"wrapped_private_key": "LpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2PG8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hDUT89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxpCxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlRBDyZSFhatPQ==",
}