Encrypting Private Keys (wrapprivatekey)
The POST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey
API is called to encrypt the end user's private key. This API returns an opaque binary object (wrapped private key) that is uploaded by the user to Google using the Gmail API client libraries.
This is a privileged operation, and can only be performed by authorized CCKM admins. When wrapping a private key, specify any of the following combinations with the optional field perimeter_id
:
private_key
: Private key of the PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA key pair. This parameter will be deprecated in a future release.key_id
: Key ID of the PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key created on the CipherTrust Manager.wrapping_key_id
andwrapped_custom_private_key
, where:wrapping_key_id
: Key ID of the RSA key created on the CipherTrust Manager. Its public key is used for wrapping your custom PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key.wrapped_custom_private_key
: Wrapped custom PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key.
perimeter_id
: ID of the perimeter to encrypt with the key.
Syntax
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'{\n "key_id": "<key id>",\n "perimeter_id": "<perimeter id>"\n}' --compressed
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'{\n "wrapping_key_id": "<wrapping key id>",\n "wrapped_custom_private_key": "<wrapped custom private key>",\n "perimeter_id": "<perimeter id>"\n}' --compressed
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'{\n "private_key": "<private key>",\n "perimeter_id": "<perimeter id>"\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the endpoint. To find out the ID of an endpoint, refer to Viewing KACLS Endpoints. |
key_id | string | Key ID of the PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key created on the CipherTrust Manager. Also, specify the key usage. |
private_key | string | Private key of the PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA key pair. This parameter will be deprecated in a future release. |
wrapping_key_id | string | Key ID of the RSA key created on the CipherTrust Manager. Its public key is used for wrapping your custom PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key. |
wrapped_custom_private_key | string | Wrapped custom PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key. |
perimeter_id | string | ID of the perimeter to encrypt with the key. |
Note
Specify private_key
or key_id
, or a combination of wrapping_key_id
and wrapped_custom_private_key
, not together.
Steps
Create an RSA-4096 key on the CipherTrust Manager.
Set the key usage to Encrypt, Decrypt, Wrap Key, Unwrap Key, Sign, and Verify.
Make the key exportable.
Provide the ID of this key in the
key_id
parameter of thePOST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey
API.Note
To create a CSR on the CipherTrust Manager using this key, run the
POST /v1/vault/csr
API.
Use this method to wrap a custom private key (external to the CipherTrust Manager) with a wrapping key created on the CipherTrust Manager.
Create an RSA-4096 key on the CipherTrust Manager. This key will be used as a wrapping key.
Set the key usage to Encrypt, Decrypt, Wrap Key, and Unwrap Key.
Make the key exportable.
Provide the ID of this key in the
wrapping_key_id
parameter of thePOST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey
API.Download the public key of the wrapping key (created in step 1).
Wrap the custom private key with the downloaded public key.
Note
If you are using openSSL to wrap the key:
Configure OpenSSL for manual key wrapping. Refer to Configuring OpenSSL for manual key wrapping for details.
Wrap the key using OpenSSL.
Provide the wrapped custom private key generated in the previous step in the
wrapped_custom_private_key
parameter of thePOST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey
API.
Create a custom private key (external to the CipherTrust Manager).
Provide the custom private key (in plaintext) generated in the previous step in the
private_key
parameter of thePOST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey
API.
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/7d03-4e2d-c1583936-a0ae-3a1ae2d2e200/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'
{
key_id: "f1d2f7c956634abb8159f7184d71e30e0f8dd3556be64e188414291ef886b289",
"perimeter_id": ""
}' --compressed
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/7d03-4e2d-c1583936-a0ae-3a1ae2d2e200/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'
{
wrapping_key_id : "f1d2f7c956634abb8159f7184d71e30e0f8dd3556be64e188414291ef886b287",
wrapped_custom_private_key : "eyJ3cmFwcGVkX2tleSI6IkNVT3ZWMFFjd1dGWWZhZXR6cStiY09RVC9TU2RiOTBC==",
"perimeter_id": ""
}' --compressed
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/7d03-4e2d-c1583936-a0ae-3a1ae2d2e200/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'
{
private_key : "eyJ3cmFwcGVkX2tleSI6IkNVT3ZWMFFjd1dGWWZhZXR6cStiY09RVC9TU2RiOTBC==",
"perimeter_id": ""
}' --compressed
Example Response
{
"wrapped_private_key":
"LpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2P
G8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hDU
T89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxp
CxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlR
BDyZSFhatPQ==",
}
{
"wrapped_private_key":
"G8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hD
ULpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2P
T89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxp
CxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlR
BDyZSFhatPQ==",
}
{
"wrapped_private_key":
"G8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hD
CxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlR
LpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2PU
T89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxp
BDyZSFhatPQ==",
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
Refer to HTTP status codes for details.