Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Google Workspace CSE APIs

Encrypting Private Keys (wrapprivatekey)

search

Please Note:

Encrypting Private Keys (wrapprivatekey)

The POST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey API is called to encrypt the end user's private key. This API returns an opaque binary object (wrapped private key) that is uploaded by the user to Google using the Gmail API client libraries.

This is a privileged operation, and can only be performed by authorized CCKM admins. When wrapping a private key, specify any of the following combinations with the optional field perimeter_id:

  • private_key: Private key of the PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA key pair. This parameter will be deprecated in a future release.

  • key_id: Key ID of the PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key created on the CipherTrust Manager.

  • wrapping_key_id and wrapped_custom_private_key, where:

    • wrapping_key_id: Key ID of the RSA key created on the CipherTrust Manager. Its public key is used for wrapping your custom PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key.

    • wrapped_custom_private_key: Wrapped custom PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key.

  • perimeter_id: ID of the perimeter to encrypt with the key.

Syntax

curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'{\n  "key_id": "<key id>",\n  "perimeter_id": "<perimeter id>"\n}' --compressed

curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'{\n  "wrapping_key_id": "<wrapping key id>",\n  "wrapped_custom_private_key": "<wrapped custom private key>",\n  "perimeter_id": "<perimeter id>"\n}' --compressed

curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'{\n  "private_key": "<private key>",\n  "perimeter_id": "<perimeter id>"\n}' --compressed

Request Parameters

ParameterTypeDescription
idstringID of the endpoint. To find out the ID of an endpoint, refer to Viewing KACLS Endpoints.
key_idstringKey ID of the PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key created on the CipherTrust Manager. Also, specify the key usage.
private_keystringPrivate key of the PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA key pair. This parameter will be deprecated in a future release.
wrapping_key_idstringKey ID of the RSA key created on the CipherTrust Manager. Its public key is used for wrapping your custom PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key.
wrapped_custom_private_keystringWrapped custom PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key.
perimeter_idstringID of the perimeter to encrypt with the key.

Note

Specify private_key or key_id, or a combination of wrapping_key_id and wrapped_custom_private_key, not together.

Steps

  1. Create an RSA-4096 key on the CipherTrust Manager.

  2. Set the key usage to Encrypt, Decrypt, Wrap Key, Unwrap Key, Sign, and Verify.

  3. Make the key exportable.

  4. Provide the ID of this key in the key_id parameter of the POST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey API.

    Note

    To create a CSR on the CipherTrust Manager using this key, run the POST /v1/vault/csr API.

Use this method to wrap a custom private key (external to the CipherTrust Manager) with a wrapping key created on the CipherTrust Manager.

  1. Create an RSA-4096 key on the CipherTrust Manager. This key will be used as a wrapping key.

  2. Set the key usage to Encrypt, Decrypt, Wrap Key, and Unwrap Key.

  3. Make the key exportable.

  4. Provide the ID of this key in the wrapping_key_id parameter of the POST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey API.

  5. Download the public key of the wrapping key (created in step 1).

  6. Wrap the custom private key with the downloaded public key.

    Note

    If you are using openSSL to wrap the key:

    1. Configure OpenSSL for manual key wrapping. Refer to Configuring OpenSSL for manual key wrapping for details.

    2. Wrap the key using OpenSSL.

  7. Provide the wrapped custom private key generated in the previous step in the wrapped_custom_private_key parameter of the POST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey API.

  1. Create a custom private key (external to the CipherTrust Manager).

  2. Provide the custom private key (in plaintext) generated in the previous step in the private_key parameter of the POST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey API.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/7d03-4e2d-c1583936-a0ae-3a1ae2d2e200/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'
{
    key_id: "f1d2f7c956634abb8159f7184d71e30e0f8dd3556be64e188414291ef886b289",
    "perimeter_id": ""
}' --compressed

curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/7d03-4e2d-c1583936-a0ae-3a1ae2d2e200/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'
{
    wrapping_key_id : "f1d2f7c956634abb8159f7184d71e30e0f8dd3556be64e188414291ef886b287",
    wrapped_custom_private_key : "eyJ3cmFwcGVkX2tleSI6IkNVT3ZWMFFjd1dGWWZhZXR6cStiY09RVC9TU2RiOTBC==",
    "perimeter_id": ""
}' --compressed

curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/7d03-4e2d-c1583936-a0ae-3a1ae2d2e200/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'
{
    private_key : "eyJ3cmFwcGVkX2tleSI6IkNVT3ZWMFFjd1dGWWZhZXR6cStiY09RVC9TU2RiOTBC==",
    "perimeter_id": ""
}' --compressed

Example Response

{
"wrapped_private_key":
    "LpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2P
    G8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hDU
    T89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxp
    CxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlR
    BDyZSFhatPQ==",
}

{
"wrapped_private_key":
    "G8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hD
    ULpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2P
    T89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxp
    CxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlR
    BDyZSFhatPQ==",
}

{
"wrapped_private_key":
    "G8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hD
    CxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlR
    LpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2PU
    T89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxp
    BDyZSFhatPQ==",
}

Response Codes

Response CodeDescription
2xxSuccess
4xxClient errors

Refer to HTTP status codes for details.

On this page