Method: privilegedunwrap
Stay organized with collections
Save and categorize content based on your preferences.
Decrypts data exported from Google in a privileged context. Previously known as
TakeoutUnwrap. Returns the Data Encryption Key (DEK) that was wrapped using
wrap without checking the original document
or file access control list (ACL). For an example use case, see:
Google Takeout.
HTTP request
POST https://KACLS_URL/privilegedunwrap
Replace KACLS_URL with the Key Access Control List Service (KACLS)
URL.
Path parameters
None.
Request body
The request body contains data with the following structure:
| JSON representation |
{
"authentication": string,
"reason": string,
"resource_name": string,
"wrapped_key": string
}
|
| Fields |
authentication |
string
A JWT issued by the IdP asserting who the user is. See authentication tokens.
|
reason |
string (UTF-8)
A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Maximum size: 1 KB.
|
resource_name |
string (UTF-8)
An identifier for the object encrypted by the DEK. This value must match the resource_name used to wrap the key. Maximum size: 128 bytes.
|
wrapped_key |
string
The base64 binary object returned by wrap.
|
Response body
If successful, this method returns the document encryption key.
If the operation fails, a
structured error reply
should be returned.
| JSON representation |
{
"key": string
}
|
| Fields |
key |
string
The base64-encoded DEK.
|
Example
This example provides a sample request and response for the privilegedunwrap
method.
Request
POST https://mykacls.example.com/v1/takeout_unwrap
{
"wrapped_key": "7qTh6Mp+svVwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==",
"authentication": "eyJhbGciOi…"
"reason": "{client:'takeout' op:'read'}"
"resource_name": "item123"
}
Response
{
"key": "0saNxttLMQULfXuTbRFJzi/QJokN1jW16u0yaNvvLdQ="
}
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-11-14 UTC.
[null,null,["Last updated 2024-11-14 UTC."],[[["\u003cp\u003eDecrypts data exported from Google Takeout in a privileged context, bypassing standard access controls.\u003c/p\u003e\n"],["\u003cp\u003eRequires a JWT for authentication and identifies the encrypted object with a resource name.\u003c/p\u003e\n"],["\u003cp\u003eReturns the Data Encryption Key (DEK) used to encrypt the data, allowing privileged access to its content.\u003c/p\u003e\n"],["\u003cp\u003eUses a specific request body structure containing authentication, reason, resource name, and the wrapped key.\u003c/p\u003e\n"]]],["The `privilegedunwrap` method decrypts data exported from Google. It requires a POST request to the KACLS URL with a JSON body containing the `wrapped_key`, `authentication` JWT, `reason` string, and `resource_name`. This method returns the base64-encoded Data Encryption Key (DEK) without verifying document or file access control. The `wrapped_key` is a base64 binary object. The `resource_name` must match the value used during the key wrapping process. Upon success, the response contains the decrypted DEK as a base64 string.\n"],null,["# Method: privilegedunwrap\n\nDecrypts data exported from Google in a privileged context. Previously known as\n`TakeoutUnwrap`. Returns the Data Encryption Key (DEK) that was wrapped using\n[`wrap`](/workspace/cse/reference/wrap) without checking the original document\nor file access control list (ACL). For an example use case, see:\n[Google Takeout](https://support.google.com/a/answer/100458).\n\n### HTTP request\n\n`POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privilegedunwrap`\n\nReplace \u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e with the Key Access Control List Service (KACLS)\nURL.\n\n### Path parameters\n\nNone.\n\n### Request body\n\nThe request body contains data with the following structure:\n\n| JSON representation ||\n|--------------------------------------------------------------------------------------------------------|---|\n| ``` { \"authentication\": string, \"reason\": string, \"resource_name\": string, \"wrapped_key\": string } ``` |\n\n| Fields ||\n|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `authentication` | `string` A JWT issued by the IdP asserting who the user is. See [authentication tokens](/workspace/cse/reference/authentication-tokens). |\n| `reason` | `string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Maximum size: 1 KB. |\n| `resource_name` | `string (UTF-8)` An identifier for the object encrypted by the DEK. This value must match the `resource_name` used to wrap the key. Maximum size: 128 bytes. |\n| `wrapped_key` | `string` The base64 binary object returned by [`wrap`](/workspace/cse/reference/wrap). |\n\n### Response body\n\nIf successful, this method returns the document encryption key.\n\nIf the operation fails, a\n[structured error reply](/workspace/cse/reference/structured-errors)\nshould be returned.\n\n| JSON representation ||\n|---------------------------|---|\n| ``` { \"key\": string } ``` |\n\n| Fields ||\n|-------|----------------------------------|\n| `key` | `string` The base64-encoded DEK. |\n\n### Example\n\nThis example provides a sample request and response for the `privilegedunwrap`\nmethod.\n\n#### Request\n\n POST https://mykacls.example.com/v1/takeout_unwrap\n\n {\n \"wrapped_key\": \"7qTh6Mp+svVwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==\",\n \"authentication\": \"eyJhbGciOi...\"\n \"reason\": \"{client:'takeout' op:'read'}\"\n \"resource_name\": \"item123\"\n }\n\n#### Response\n\n {\n \"key\": \"0saNxttLMQULfXuTbRFJzi/QJokN1jW16u0yaNvvLdQ=\"\n }"]]
