Method: privatekeydecrypt

Unwraps a wrapped private key and then decrypts the content encryption key that is encrypted to the public key.

HTTP request

POST https://BASE_URL/privatekeydecrypt

Replace BASE_URL with the base URL.

Path parameters

None.

Request body

The request body contains data with the following structure:

JSON representation

{
  "authentication": string,
  "authorization": string,
  "algorithm": string,
  "encrypted_data_encryption_key": string,
  "rsa_oaep_label": string,
  "reason": string,
  "wrapped_private_key": string
}

Fields
authentication

string

A JWT issued by the identity provider (IdP) asserting who the user is. See authentication tokens.

authorization

string

A JWT asserting that the user is allowed to unwrap a key for resource_name. See authorization tokens.

algorithm

string

The algorithm that was used to encrypt the Data Encryption Key (DEK) in envelope encryption.

encrypted_data_encryption_key

string (UTF-8)

Base64-encoded encrypted content encryption key, which is encrypted with the public key associated with the private key. Max size: 1 KB.

rsa_oaep_label

string

Base64-encoded label L, if the algorithm is RSAES-OAEP. If the algorithm is not RSAES-OAEP, this field is ignored.

reason

string (UTF-8)

A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.

wrapped_private_key

string

The base64-encoded wrapped private key. Max size: 8 KB.

Response body

If successful, this method returns a base64-encoded data encryption key.

If the operation fails, a structured error reply is returned.

JSON representation

{
  "data_encryption_key": string
}

Fields
data_encryption_key

string

A base64-encoded data encryption key.

Example

This example provides a sample request and response for the privatekeydecrypt method.

Request

POST https://mykacls.example.org/v1/privatekeydecrypt

{
  "wrapped_private_key": "wHrlNOTI9mU6PBdqiq7EQA...",
  "encrypted_data_encryption_key": "dGVzdCB3cmFwcGVkIGRlaw...",
  "authorization": "eyJhbGciOi...",
  "authentication": "eyJhbGciOi...",
  "algorithm": "RSA/ECB/PKCS1Padding",
  "reason": "decrypt"
}

Response

{
  "data_encryption_key": "akRQtv3nr+jUhcFL6JmKzB+WzUxbkkMyW5kQsqGUAFc="
}