A JWT asserting that the user is allowed to wrap a key for resource_name. See authorization tokens.
key
string
The base64-encoded DEK. Max size: 128 bytes.
reason
string (UTF-8)
A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.
Response body
If successful, this method returns an opaque binary object that will be stored
by Google Workspace along the encrypted object and sent as-is in any subsequent
key unwrapping operation.
The binary object should contain the only copy of the encrypted DEK,
implementation specific data can be stored in it.
Don't store the DEK in the Key Access Control List Service (KACLS) system,
instead encrypt it and return it in the wrapped_key object. This prevents
lifetime discrepancies between the document and its keys. For example, to ensure
that the user's data is fully wiped out when they request it, or to make sure
that previous versions restored from a backup are decryptable.
JSON representation
{"wrapped_key": string}
Fields
wrapped_key
string
The base64-encoded binary object. Max size: 1 KB.
Example
This example provides a sample request and response for the wrap method.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-11-14 UTC."],[[["\u003cp\u003eReturns an encrypted Data Encryption Key (DEK) along with associated data for secure storage and later retrieval.\u003c/p\u003e\n"],["\u003cp\u003eThe request body requires authentication, authorization, the base64-encoded DEK, and an optional reason for the operation.\u003c/p\u003e\n"],["\u003cp\u003eThe response provides a wrapped key containing the encrypted DEK, which should be stored securely by the application.\u003c/p\u003e\n"],["\u003cp\u003eThe KACLS system itself does not store the DEK, ensuring data security and preventing lifetime discrepancies.\u003c/p\u003e\n"],["\u003cp\u003eRefer to the provided links for detailed information on encrypting and decrypting data, authentication tokens, and authorization tokens.\u003c/p\u003e\n"]]],["The `wrap` method encrypts a Data Encryption Key (DEK) and returns it as a base64-encoded binary object (`wrapped_key`). The request includes authentication and authorization JWTs, the base64-encoded DEK (`key`), and a JSON string (`reason`) for context. The response contains only the `wrapped_key`. The service should not store the DEK; the returned object is the only copy of the encrypted DEK. Deletion requests for the objects are not sent to the KACLS.\n"],null,["Returns encrypted Data Encryption Key (DEK) and associated data.\n\nFor more details, see [Encrypt \\& decrypt data](/workspace/cse/guides/encrypt-and-decrypt-data).\n\nHTTP request\n\n`POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/wrap`\n\nReplace \u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e with the Key Access Control List\nService (KACLS)\nURL.\n\nPath parameters\n\nNone.\n\nRequest body\n\nThe request body contains data with the following structure:\n\n| JSON representation ||\n|------------------------------------------------------------------------------------------------|---|\n| ``` { \"authentication\": string, \"authorization\": string, \"key\": string, \"reason\": string } ``` |\n\n| Fields ||\n|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `authentication` | `string` A JWT issued by the IdP asserting who the user is. See [authentication tokens](/workspace/cse/reference/authentication-tokens). |\n| `authorization` | `string` A JWT asserting that the user is allowed to wrap a key for `resource_name`. See [authorization tokens](/workspace/cse/reference/authorization-tokens). |\n| `key` | `string` The base64-encoded DEK. Max size: 128 bytes. |\n| `reason` | `string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB. |\n\nResponse body\n\nIf successful, this method returns an opaque binary object that will be stored\nby Google Workspace along the encrypted object and sent as-is in any subsequent\nkey unwrapping operation.\n\nIf the operation fails, a\n[structured error reply](/workspace/cse/reference/structured-errors)\nshould be returned.\n\nThe binary object should contain the only copy of the encrypted DEK,\nimplementation specific data can be stored in it.\n\nDon't store the DEK in the Key Access Control List Service (KACLS) system,\ninstead encrypt it and return it in the wrapped_key object. This prevents\nlifetime discrepancies between the document and its keys. For example, to ensure\nthat the user's data is fully wiped out when they request it, or to make sure\nthat previous versions restored from a backup are decryptable.\n| **Note:** Google doesn't send deletion requests to the KACLS when objects are deleted.\n\n| JSON representation ||\n|-----------------------------------|---|\n| ``` { \"wrapped_key\": string } ``` |\n\n| Fields ||\n|---------------|------------------------------------------------------------|\n| `wrapped_key` | `string` The base64-encoded binary object. Max size: 1 KB. |\n\nExample\n\nThis example provides a sample request and response for the `wrap` method.\n\nRequest \n\n POST https://mykacls.example.com/v1/wrap\n\n {\n \"key\":\"wHrlNOTI9mU6PBdqiq7EQA==\",\n \"authorization\": \"eyJhbGciOi...\"\n \"authentication\": \"eyJhbGciOi...\"\n \"reason\": \"{client:'drive' op:'update'}\"\n }\n\nResponse \n\n {\n \"wrapped_key\": \"3qTh6Mp+svPwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==\"\n }"]]