Stay organized with collections
Save and categorize content based on your preferences.
This method helps you migrate from the old Key Access Control List Service
(KACLS1) to the newer KACLS (KACLS2). It takes a Data Encryption Key (DEK)
wrapped with KACLS1's wrap API, and returns a
DEK wrapped with KACLS2's wrap API.
HTTP request
POST https://KACLS_URL/rewrap
Replace KACLS_URL with the Key Access Control List
Service (KACLS) URL.
Path parameters
None.
Request body
The request body contains data with the following structure:
A JWT asserting that the user is allowed to unwrap a key for resource_name. See authorization tokens.
original_kacls_url
string
URL of current wrapped_key's KACLS.
reason
string (UTF-8)
A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.
If successful, this method returns an opaque binary object that will be stored
by Google Workspace along the encrypted object and sent as-is in any subsequent
key unwrapping operation. It should also return the base64-encoded
resource_key_hash.
The binary object should contain the only copy of the encrypted DEK,
implementation specific data can be stored in it.
Don't store the DEK in your KACLS system, instead encrypt it and return it in
the wrapped_key object. This prevents lifetime discrepancies between the
document and its keys. For example, to ensure that the user's data is fully
wiped out when they request it, or to make sure that previous versions restored
from a backup will be decryptable.
Google won't send deletion requests to the KACLS when objects are deleted.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-03-24 UTC."],[[["\u003cp\u003eThis method facilitates migrating from the older Key Access Control List Service (KACLS1) to the newer KACLS (KACLS2) by converting Data Encryption Keys (DEKs) wrapped with KACLS1 to be wrapped with KACLS2.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003erewrap\u003c/code\u003e method requires an authorization token, the original KACLS URL, a reason for the operation, and the KACLS1-wrapped DEK in the request body.\u003c/p\u003e\n"],["\u003cp\u003eA successful response provides a KACLS2-wrapped DEK and a resource key hash, ensuring the encrypted data remains accessible and manageable within Google Workspace.\u003c/p\u003e\n"],["\u003cp\u003eKACLS providers should encrypt and return the DEK within the \u003ccode\u003ewrapped_key\u003c/code\u003e object to prevent lifetime discrepancies and ensure data integrity.\u003c/p\u003e\n"],["\u003cp\u003eGoogle Workspace doesn't send deletion requests to KACLS when objects are deleted, implying KACLS providers manage key lifecycles independently.\u003c/p\u003e\n"]]],["The `rewrap` method migrates data encryption keys (DEKs) from KACLS1 to KACLS2. It requires a `POST` request to the KACLS URL, including a JSON body with the `authorization`, `original_kacls_url`, `reason`, and the KACLS1-wrapped `wrapped_key`. The successful response returns a KACLS2-wrapped `wrapped_key` and `resource_key_hash`, which should be stored with the encrypted object. The DEK should only exist in its encrypted state, and not stored in the KACLS.\n"],null,["This method helps you migrate from the old Key Access Control List Service\n(KACLS1) to the newer KACLS (KACLS2). It takes a Data Encryption Key (DEK)\nwrapped with KACLS1's [`wrap`](/workspace/cse/reference/wrap) API, and returns a\nDEK wrapped with KACLS2's [`wrap`](/workspace/cse/reference/wrap) API.\n\nHTTP request\n\n`POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/rewrap`\n\nReplace \u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e with the Key Access Control List\nService (KACLS) URL.\n\nPath parameters\n\nNone.\n\nRequest body\n\nThe request body contains data with the following structure:\n\n| JSON representation ||\n|------------------------------------------------------------------------------------------------------------|---|\n| ``` { \"authorization\": string, \"original_kacls_url\": string, \"reason\": string, \"wrapped_key\": string } ``` |\n\n| Fields ||\n|----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `authorization` | `string` A JWT asserting that the user is allowed to unwrap a key for `resource_name`. See [authorization tokens](/workspace/cse/reference/authorization-tokens). |\n| `original_kacls_url` | `string` URL of current wrapped_key's KACLS. |\n| `reason` | `string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB. |\n| `wrapped_key` | `string` The base64 binary object returned by [`wrap`](/workspace/cse/reference/wrap). |\n\nResponse body\n\nIf successful, this method returns an opaque binary object that will be stored\nby Google Workspace along the encrypted object and sent as-is in any subsequent\nkey unwrapping operation. It should also return the base64-encoded\n[resource_key_hash](/workspace/cse/reference/resource-key-hash).\n\nIf the operation fails, a\n[structured error reply](/workspace/cse/reference/structured-errors)\nshould be returned.\n\nThe binary object should contain the only copy of the encrypted DEK,\nimplementation specific data can be stored in it.\n\nDon't store the DEK in your KACLS system, instead encrypt it and return it in\nthe `wrapped_key` object. This prevents lifetime discrepancies between the\ndocument and its keys. For example, to ensure that the user's data is fully\nwiped out when they request it, or to make sure that previous versions restored\nfrom a backup will be decryptable.\n\nGoogle won't send deletion requests to the KACLS when objects are deleted.\n\n| JSON representation ||\n|----------------------------------------------------------------|---|\n| ``` { \"resource_key_hash\": string, \"wrapped_key\": string } ``` |\n\n| Fields ||\n|---------------------|-------------------------------------------------------------------------------------------------------------|\n| `resource_key_hash` | `string` base64 encoded binary object. See [resource key hash](/workspace/cse/reference/resource-key-hash). |\n| `wrapped_key` | `string` The base64-encoded binary object. Max size: 1 KB. |\n\nExample\n\nThis example provides a sample request and response for the `rewrap` method.\n\nRequest \n\n POST https://mykacls.example.com/v1/rewrap\n\n {\n \"wrapped_key\": \"7qTh6Mp+svVwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==\",\n \"authorization\": \"eyJhbGciOi...\",\n \"original_kacls_url\": \"https://original.example.com/kacls/v1\",\n \"reason\": \"{client:'drive' op:'read'}\"\n }\n\nResponse \n\n {\n \"wrapped_key\": \"3qTh6Mp+svPwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==\",\n \"resource_key_hash\": \"SXOyPekBAUI95zuZSuJzsBlK4nO5SuJK4nNCPem5SuI=\"\n }"]]
