Method: wrap

Returns encrypted Data Encryption Key (DEK) and associated data.

For more details, see Encrypt & decrypt data.

HTTP request

POST https://KACLS_URL/wrap

Replace KACLS_URL with the Key Access Control List Service (KACLS) URL.

Path parameters

None.

Request body

The request body contains data with the following structure:

JSON representation
{ "authentication": string, "authorization": string, "key": string, "reason": string }

Fields
`authentication`	`string` A JWT issued by the IdP asserting who the user is. See authentication tokens.
`authorization`	`string` A JWT asserting that the user is allowed to wrap a key for `resource_name`. See authorization tokens.
`key`	`string` The base64-encoded DEK. Max size: 128 bytes.
`reason`	`string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.

Response body

If successful, this method returns an opaque binary object that will be stored by Google Workspace along the encrypted object and sent as-is in any subsequent key unwrapping operation.

If the operation fails, a structured error reply should be returned.

The binary object should contain the only copy of the encrypted DEK, implementation specific data can be stored in it.

Don't store the DEK in the Key Access Control List Service (KACLS) system, instead encrypt it and return it in the wrapped_key object. This prevents lifetime discrepancies between the document and its keys. For example, to ensure that the user's data is fully wiped out when they request it, or to make sure that previous versions restored from a backup are decryptable.

JSON representation
{ "wrapped_key": string }

Fields

Fields
`wrapped_key`	`string` The base64-encoded binary object. Max size: 1 KB.

wrapped_key

string

The base64-encoded binary object. Max size: 1 KB.

Example

This example provides a sample request and response for the wrap method.

Request

POST https://mykacls.example.com/v1/wrap

{
   "key":"wHrlNOTI9mU6PBdqiq7EQA==",
   "authorization": "eyJhbGciOi…"
   "authentication": "eyJhbGciOi…"
   "reason": "{client:'drive' op:'update'}"
}

Response

{
    "wrapped_key": "3qTh6Mp+svPwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg=="
}