A JWT issued by the identity provider (IdP) asserting who the user is. See authentication tokens.
algorithm
string
The algorithm that was used to encrypt the Data Encryption Key (DEK) in envelope encryption.
encrypted_data_encryption_key
string (UTF-8)
Base64-encoded encrypted content encryption key, which is encrypted with the public key associated with the private key. Max size: 1 KB.
rsa_oaep_label
string
Base64-encoded label L, if the algorithm is RSAES-OAEP. If the algorithm is not RSAES-OAEP, this field is ignored.
reason
string (UTF-8)
A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.
spki_hash
string
Standard base64-encoded digest of the DER-encoded SubjectPublicKeyInfo of the private key being accessed.
spki_hash_algorithm
string
Algorithm used to produce spki_hash. Can be "SHA-256".
wrapped_private_key
string
The base64-encoded wrapped private key. Max size: 8 KB.
Response body
If successful, this method returns the base64 data encryption key. This key is
used client-side to decrypt the message body.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-03-24 UTC."],[[["\u003cp\u003eDecrypts data exported from Google, like takeout, without checking private key ACLs.\u003c/p\u003e\n"],["\u003cp\u003eUses a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/privilegedprivatekeydecrypt\u003c/code\u003e endpoint, providing authentication and encryption details in the request body.\u003c/p\u003e\n"],["\u003cp\u003eReturns the base64-encoded data encryption key upon successful decryption, which is used for client-side decryption of the message body.\u003c/p\u003e\n"],["\u003cp\u003eIn case of failure, the API returns a structured error reply.\u003c/p\u003e\n"]]],["This content describes a decryption process for data exported from Google, specifically using the `privilegedprivatekeydecrypt` method. A POST request is sent with a JSON body including an authentication token, encrypted data encryption key, wrapped private key, hashing information, the encryption algorithm, and a reason string. Upon successful decryption, the response returns a base64-encoded data encryption key, which is to be used for decrypting the message body. The data is not decrypted without checking the key's ACL.\n"],null,["Decrypts without checking the wrapped private key ACL. It's used to decrypt the\ndata exported ([takeout](https://support.google.com/a/answer/100458)) from Google.\n\nHTTP request\n\n`POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privilegedprivatekeydecrypt`\n\nReplace \u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e with the Key Access Control List\nService (KACLS) URL.\n\nPath parameters\n\nNone.\n\nRequest body\n\nThe request body contains data with the following structure:\n\n| JSON representation ||\n|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|\n| ``` { \"authentication\": string, \"algorithm\": string, \"encrypted_data_encryption_key\": string, \"rsa_oaep_label\": string, \"reason\": string, \"spki_hash\": string, \"spki_hash_algorithm\": string, \"wrapped_private_key\": string } ``` |\n\n| Fields ||\n|---------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `authentication` | `string` A JWT issued by the identity provider (IdP) asserting who the user is. See [authentication tokens](/workspace/cse/reference/authentication-tokens). |\n| `algorithm` | `string` The algorithm that was used to encrypt the Data Encryption Key (DEK) in envelope encryption. |\n| `encrypted_data_encryption_key` | `string (UTF-8)` Base64-encoded encrypted content encryption key, which is encrypted with the public key associated with the private key. Max size: 1 KB. |\n| `rsa_oaep_label` | `string` Base64-encoded label L, if the algorithm is RSAES-OAEP. If the algorithm is not RSAES-OAEP, this field is ignored. |\n| `reason` | `string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB. |\n| `spki_hash` | `string` Standard base64-encoded digest of the DER-encoded `SubjectPublicKeyInfo` of the private key being accessed. |\n| `spki_hash_algorithm` | `string` Algorithm used to produce `spki_hash`. Can be \"SHA-256\". |\n| `wrapped_private_key` | `string` The base64-encoded wrapped private key. Max size: 8 KB. |\n\nResponse body\n\nIf successful, this method returns the base64 data encryption key. This key is\nused client-side to decrypt the message body.\n\nIf the operation fails, a\n[structured error reply](/workspace/cse/reference/structured-errors)\nis returned.\n\n| JSON representation ||\n|-------------------------------------------|---|\n| ``` { \"data_encryption_key\": string } ``` |\n\n| Fields ||\n|-----------------------|------------------------------------------------|\n| `data_encryption_key` | `string` A base64-encoded data encryption key. |\n\nExample\n\nThis example provides a sample request and response for the\n`privilegedprivatekeydecrypt` method.\n\nRequest \n\n POST https://mykacls.example.org/v1/privilegedprivatekeydecrypt\n\n {\n \"wrapped_private_key\": \"wHrlNOTI9mU6PBdqiq7EQA...\",\n \"encrypted_data_encryption_key\": \"dGVzdCB3cmFwcGVkIGRlaw...\",\n \"authentication\": \"eyJhbGciOi...\",\n \"spki_hash\": \"LItGzrmjSFD57QdrY1dcLwYmSwBXzhQLAA6zVcen+r0=\",\n \"spki_hash_algorithm\": \"SHA-256\",\n \"algorithm\": \"RSA/ECB/PKCS1Padding\",\n \"reason\": \"admin decrypt\"\n }\n\nResponse \n\n {\n \"data_encryption_key\": \"akRQtv3nr+jUhcFL6JmKzB+WzUxbkkMyW5kQsqGUAFc\"\n }"]]
