Method: privatekeydecrypt

Unwraps a wrapped private key and then decrypts the content encryption key that is encrypted to the public key.

HTTP request

POST https://BASE_URL/privatekeydecrypt

Replace BASE_URL with the base URL.

Path parameters

None.

Request body

The request body contains data with the following structure:

JSON representation
{ "authentication": string, "authorization": string, "algorithm": string, "encrypted_data_encryption_key": string, "rsa_oaep_label": string, "reason": string, "wrapped_private_key": string }

Fields
`authentication`	`string` A JWT issued by the identity provider (IdP) asserting who the user is. See authentication tokens.
`authorization`	`string` A JWT asserting that the user is allowed to unwrap a key for `resource_name`. See authorization tokens.
`algorithm`	`string` The algorithm that was used to encrypt the Data Encryption Key (DEK) in envelope encryption.
`encrypted_data_encryption_key`	`string (UTF-8)` Base64-encoded encrypted content encryption key, which is encrypted with the public key associated with the private key. Max size: 1 KB.
`rsa_oaep_label`	`string` Base64-encoded label L, if the algorithm is RSAES-OAEP. If the algorithm is not RSAES-OAEP, this field is ignored.
`reason`	`string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.
`wrapped_private_key`	`string` The base64-encoded wrapped private key. Max size: 8 KB.

Response body

If successful, this method returns a base64 data encryption key.

If the operation fails, a structured error reply is returned.

JSON representation
{ "data_encryption_key": string }

Fields

Fields
`data_encryption_key`	`string` A base64-encoded data encryption key.

data_encryption_key

string

A base64-encoded data encryption key.

Example

This example provides a sample request and response for the privatekeydecrypt method.

Request

POST https://mykacls.example.org/v1/privatekeydecrypt

{
  "wrapped_private_key": "wHrlNOTI9mU6PBdqiq7EQA...",
  "encrypted_data_encryption_key": "dGVzdCB3cmFwcGVkIGRlaw...",
  "authorization": "eyJhbGciOi...",
  "authentication": "eyJhbGciOi...",
  "algorithm": "RSA/ECB/PKCS1Padding",
  "reason": "decrypt"
}

Response

{
  "data_encryption_key": "akRQtv3nr+jUhcFL6JmKzB+WzUxbkkMyW5kQsqGUAFc="
}