Encrypting Private Keys (wrapprivatekey)
The POST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey API is called to encrypt the end user's private key. This API returns an opaque binary object (wrapped private key) that is uploaded by the user to Google using the Gmail API client libraries.
This is a privileged operation, and can only be performed by authorized CCKM admins. When wrapping a private key, specify any of the following combinations with the optional field perimeter_id:
- private_key: Private key of the PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA key pair. This parameter will be deprecated in a future release.
- key_id: Key ID of the PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key created on the CipherTrust Manager.
- wrapping_key_id and wrapped_custom_private_key, where:
  - wrapping_key_id: Key ID of the RSA key created on the CipherTrust Manager. Its public key is used for wrapping your custom PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key.
  - wrapped_custom_private_key: Wrapped custom PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key.
- perimeter_id: ID of the perimeter to encrypt with the key (optional).
Syntax
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'{\n  "key_id": "<key id>",\n  "perimeter_id": "<perimeter id>"\n}' --compressed
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'{\n  "wrapping_key_id": "<wrapping key id>",\n  "wrapped_custom_private_key": "<wrapped custom private key>",\n  "perimeter_id": "<perimeter id>"\n}' --compressed
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'{\n  "private_key": "<private key>",\n  "perimeter_id": "<perimeter id>"\n}' --compressed
Request Parameters
| Parameter | Type | Description | 
|---|---|---|
| id | string | ID of the endpoint. To find out the ID of an endpoint, refer to Viewing KACLS Endpoints. | 
| key_id | string | Key ID of the PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key created on the CipherTrust Manager. Also, specify the key usage. | 
| private_key | string | Private key of the PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA key pair. This parameter will be deprecated in a future release. | 
| wrapping_key_id | string | Key ID of the RSA key created on the CipherTrust Manager. Its public key is used for wrapping your custom PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key. | 
| wrapped_custom_private_key | string | Wrapped custom PEM encoded PKCS#1 or PKCS#8 (unencrypted) RSA private key. | 
| perimeter_id | string | ID of the perimeter to encrypt with the key. | 
Note
Specify exactly one of the following: private_key, key_id, or the combination of wrapping_key_id and wrapped_custom_private_key. Do not specify them together.
Steps
- Create an RSA-4096 key on the CipherTrust Manager. 
- Set the key usage to Encrypt, Decrypt, Wrap Key, Unwrap Key, Sign, and Verify. 
- Make the key exportable. 
- Provide the ID of this key in the key_id parameter of the POST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey API.
Note
To create a CSR on the CipherTrust Manager using this key, run the POST /v1/vault/csr API.
Use this method to wrap a custom private key (external to the CipherTrust Manager) with a wrapping key created on the CipherTrust Manager.
- Create an RSA-4096 key on the CipherTrust Manager. This key will be used as a wrapping key. 
- Set the key usage to Encrypt, Decrypt, Wrap Key, and Unwrap Key. 
- Make the key exportable. 
- Provide the ID of this key in the wrapping_key_id parameter of the POST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey API.
- Download the public key of the wrapping key (created in step 1). 
- Wrap the custom private key with the downloaded public key.
Note
If you are using OpenSSL to wrap the key:
  - Configure OpenSSL for manual key wrapping. Refer to Configuring OpenSSL for manual key wrapping for details.
  - Wrap the key using OpenSSL.
- Provide the wrapped custom private key generated in the previous step in the wrapped_custom_private_key parameter of the POST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey API.
- Create a custom private key (external to the CipherTrust Manager). 
- Provide the custom private key (in plaintext) generated in the previous step in the private_key parameter of the POST /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey API.
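The parameter rules above (exactly one of key_id, private_key, or the wrapping_key_id and wrapped_custom_private_key pair, and only unencrypted PKCS#1 or PKCS#8 RSA PEMs) as a client-side check, written here as an added Python example that is not part of the CipherTrust Manager documentation or its client tooling. The PEM check is a header-level sanity check rather than full key parsing, and the URL path is taken from the syntax above; authentication and TLS settings are left to the caller.

```python
import json

PKCS1_HDR = "-----BEGIN RSA PRIVATE KEY-----"
PKCS8_HDR = "-----BEGIN PRIVATE KEY-----"
ENCRYPTED_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")
WRAP_PATH = "/api/v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/wrapprivatekey"


def check_unencrypted_rsa_pem(pem: str) -> str:
    """Return 'pkcs1' or 'pkcs8' for an unencrypted RSA private key PEM, else raise."""
    if any(marker in pem for marker in ENCRYPTED_MARKERS):  # password-protected PEM
        raise ValueError("encrypted PEM not accepted: supply an unencrypted key")
    head = pem.lstrip()
    if head.startswith(PKCS1_HDR):
        return "pkcs1"
    if head.startswith(PKCS8_HDR):
        return "pkcs8"
    raise ValueError("expected a PEM encoded PKCS#1 or PKCS#8 RSA private key")


def build_wrap_request(key_id=None, private_key=None, wrapping_key_id=None,
                       wrapped_custom_private_key=None, perimeter_id=None) -> dict:
    """Enforce the documented rule: exactly one of key_id, private_key, or the
    wrapping_key_id + wrapped_custom_private_key pair; perimeter_id is optional."""
    modes = [key_id is not None, private_key is not None,
             wrapping_key_id is not None or wrapped_custom_private_key is not None]
    if sum(modes) != 1:
        raise ValueError("use key_id, private_key, or the wrapping pair, not together")
    body = {}
    if key_id is not None:
        body["key_id"] = key_id
    elif private_key is not None:
        # Deprecated path: the plaintext key leaves this host, so validate it first
        check_unencrypted_rsa_pem(private_key)
        body["private_key"] = private_key
    else:
        if not (wrapping_key_id and wrapped_custom_private_key):
            raise ValueError("wrapping_key_id and wrapped_custom_private_key go together")
        body["wrapping_key_id"] = wrapping_key_id
        body["wrapped_custom_private_key"] = wrapped_custom_private_key
    if perimeter_id is not None:
        body["perimeter_id"] = perimeter_id
    return body


def wrap_request(endpoint_id: str, **params):
    """Return (URL path, JSON body) for the POST; caller adds auth and TLS settings."""
    return WRAP_PATH.format(id=endpoint_id), json.dumps(build_wrap_request(**params))
```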
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/7d03-4e2d-c1583936-a0ae-3a1ae2d2e200/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'
{
    "key_id": "f1d2f7c956634abb8159f7184d71e30e0f8dd3556be64e188414291ef886b289",
    "perimeter_id": ""
}' --compressed
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/7d03-4e2d-c1583936-a0ae-3a1ae2d2e200/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'
{
    "wrapping_key_id": "f1d2f7c956634abb8159f7184d71e30e0f8dd3556be64e188414291ef886b287",
    "wrapped_custom_private_key": "eyJ3cmFwcGVkX2tleSI6IkNVT3ZWMFFjd1dGWWZhZXR6cStiY09RVC9TU2RiOTBC==",
    "perimeter_id": ""
}' --compressed
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/7d03-4e2d-c1583936-a0ae-3a1ae2d2e200/wrapprivatekey' -H 'Content-Type: application/json' --data-binary $'
{
    "private_key": "eyJ3cmFwcGVkX2tleSI6IkNVT3ZWMFFjd1dGWWZhZXR6cStiY09RVC9TU2RiOTBC==",
    "perimeter_id": ""
}' --compressed
Example Response
{
"wrapped_private_key":
    "LpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2P
    G8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hDU
    T89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxp
    CxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlR
    BDyZSFhatPQ=="
}
{
"wrapped_private_key":
    "G8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hD
    ULpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2P
    T89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxp
    CxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlR
    BDyZSFhatPQ=="
}
{
"wrapped_private_key":
    "G8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hD
    CxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlR
    LpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2PU
    T89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxp
    BDyZSFhatPQ=="
}
Response Codes
| Response Code | Description | 
|---|---|
| 2xx | Success | 
| 4xx | Client errors | 
Refer to HTTP status codes for details.