Stay organized with collections
Save and categorize content based on your preferences.
Decrypts data exported from Google in a privileged context. Previously known as
TakeoutUnwrap. Returns the Data Encryption Key (DEK) that was wrapped using
wrap without checking the original document
or file access control list (ACL). For an example use case, see:
Google Takeout.
HTTP request
POST https://KACLS_URL/privilegedunwrap
Replace KACLS_URL with the Key Access Control List Service (KACLS)
URL.
Path parameters
None.
Request body
The request body contains data with the following structure:
A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Maximum size: 1 KB.
resource_name
string (UTF-8)
An identifier for the object encrypted by the DEK. This value must match the resource_name used to wrap the key. Maximum size: 128 bytes.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-11-14 UTC."],[[["\u003cp\u003eDecrypts data exported from Google Takeout in a privileged context, bypassing standard access controls.\u003c/p\u003e\n"],["\u003cp\u003eRequires a JWT for authentication and identifies the encrypted object with a resource name.\u003c/p\u003e\n"],["\u003cp\u003eReturns the Data Encryption Key (DEK) used to encrypt the data, allowing privileged access to its content.\u003c/p\u003e\n"],["\u003cp\u003eUses a specific request body structure containing authentication, reason, resource name, and the wrapped key.\u003c/p\u003e\n"]]],["The `privilegedunwrap` method decrypts data exported from Google. It requires a POST request to the KACLS URL with a JSON body containing the `wrapped_key`, `authentication` JWT, `reason` string, and `resource_name`. This method returns the base64-encoded Data Encryption Key (DEK) without verifying document or file access control. The `wrapped_key` is a base64 binary object. The `resource_name` must match the value used during the key wrapping process. Upon success, the response contains the decrypted DEK as a base64 string.\n"],null,["Decrypts data exported from Google in a privileged context. Previously known as\n`TakeoutUnwrap`. Returns the Data Encryption Key (DEK) that was wrapped using\n[`wrap`](/workspace/cse/reference/wrap) without checking the original document\nor file access control list (ACL). For an example use case, see:\n[Google Takeout](https://support.google.com/a/answer/100458).\n\nHTTP request\n\n`POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privilegedunwrap`\n\nReplace \u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e with the Key Access Control List Service (KACLS)\nURL.\n\nPath parameters\n\nNone.\n\nRequest body\n\nThe request body contains data with the following structure:\n\n| JSON representation ||\n|--------------------------------------------------------------------------------------------------------|---|\n| ``` { \"authentication\": string, \"reason\": string, \"resource_name\": string, \"wrapped_key\": string } ``` |\n\n| Fields ||\n|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `authentication` | `string` A JWT issued by the IdP asserting who the user is. See [authentication tokens](/workspace/cse/reference/authentication-tokens). |\n| `reason` | `string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Maximum size: 1 KB. |\n| `resource_name` | `string (UTF-8)` An identifier for the object encrypted by the DEK. This value must match the `resource_name` used to wrap the key. Maximum size: 128 bytes. |\n| `wrapped_key` | `string` The base64 binary object returned by [`wrap`](/workspace/cse/reference/wrap). |\n\nResponse body\n\nIf successful, this method returns the document encryption key.\n\nIf the operation fails, a\n[structured error reply](/workspace/cse/reference/structured-errors)\nshould be returned.\n\n| JSON representation ||\n|---------------------------|---|\n| ``` { \"key\": string } ``` |\n\n| Fields ||\n|-------|----------------------------------|\n| `key` | `string` The base64-encoded DEK. |\n\nExample\n\nThis example provides a sample request and response for the `privilegedunwrap`\nmethod.\n\nRequest \n\n POST https://mykacls.example.com/v1/takeout_unwrap\n\n {\n \"wrapped_key\": \"7qTh6Mp+svVwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==\",\n \"authentication\": \"eyJhbGciOi...\"\n \"reason\": \"{client:'takeout' op:'read'}\"\n \"resource_name\": \"item123\"\n }\n\nResponse \n\n {\n \"key\": \"0saNxttLMQULfXuTbRFJzi/QJokN1jW16u0yaNvvLdQ=\"\n }"]]
