Riferimento per l'API della crittografia lato client di Google Workspace
Mantieni tutto organizzato con le raccolte
Salva e classifica i contenuti in base alle tue preferenze.
L'API Crittografia lato client (CSE) di Google Workspace ti consente di possedere le
chiavi di crittografia utilizzate per criptare ulteriormente i dati di Google Workspace.
Metodi
| Metodi |
delegate |
POST https://KACLS_URL/delegate
Consente a un primo utente di delegare una richiesta a un secondo utente. |
digest |
POST https://KACLS_URL/digest
Restituisce il checksum di una DEK di cui è stato annullato il wrapping. |
privatekeydecrypt |
POST https://KACLS_URL/privatekeydecrypt
Estrae una chiave privata con wrapping e poi decripta la chiave di crittografia dei contenuti crittografata con la chiave pubblica. |
privatekeysign |
POST https://KACLS_URL/privatekeysign
Decripta una chiave privata criptata e firma il digest fornito dal client.
|
privilegedprivatekeydecrypt |
POST https://KACLS_URL/privilegedprivatekeydecrypt
Decripta senza controllare l'elenco di controllo dell'accesso della chiave privata sottoposta a wrapping. |
privilegedunwrap |
POST https://KACLS_URL/privilegedunwrap
Decripta i dati esportati da Google in un contesto privilegiato. |
privilegedwrap |
POST https://KACLS_URL/privilegedwrap
Restituisce una chiave di crittografia dei dati (DEK) criptata e i dati associati. |
rewrap |
POST https://KACLS_URL/rewrap
Ricrittografa una DEK criptata. |
status |
GET https://KACLS_URL/status
Controlla lo stato di un servizio di elenco di controllo dell'accesso per le chiavi (KACLS). |
unwrap |
POST https://KACLS_URL/unwrap
Restituisce la DEK decriptata. |
wrap |
POST https://KACLS_URL/wrap
Restituisce la DEK criptata e i dati associati. |
wrapprivatekey |
POST https://KACLS_URL/wrapprivatekey
Esegue il wrapping della chiave privata di un utente. |
Token
| Token |
Authorization |
JWT emesso da Google per verificare che il chiamante sia autorizzato a criptare o decriptare una risorsa.
|
Authentication |
JWT emesso dal provider di identità che attesta l'identità dell'utente.
|
Altro
Salvo quando diversamente specificato, i contenuti di questa pagina sono concessi in base alla licenza Creative Commons Attribution 4.0, mentre gli esempi di codice sono concessi in base alla licenza Apache 2.0. Per ulteriori dettagli, consulta le norme del sito di Google Developers. Java è un marchio registrato di Oracle e/o delle sue consociate.
Ultimo aggiornamento 2025-07-26 UTC.
[null,null,["Ultimo aggiornamento 2025-07-26 UTC."],[[["\u003cp\u003eThe Google Workspace Client-side Encryption (CSE) API empowers you to manage your own encryption keys for enhanced security of Google Workspace data.\u003c/p\u003e\n"],["\u003cp\u003eThis API provides a comprehensive suite of methods for key management, including wrapping, unwrapping, encryption, decryption, and signing, offering granular control over your data protection.\u003c/p\u003e\n"],["\u003cp\u003eYou can leverage methods such as \u003ccode\u003ewrap\u003c/code\u003e and \u003ccode\u003eunwrap\u003c/code\u003e to encrypt and decrypt data encryption keys (DEKs), while \u003ccode\u003eprivatekeydecrypt\u003c/code\u003e allows for decryption using your private keys.\u003c/p\u003e\n"],["\u003cp\u003eAuthentication and authorization are handled through JWTs, ensuring secure access control to your encrypted data.\u003c/p\u003e\n"],["\u003cp\u003eExplore detailed documentation on methods, tokens, and error handling to effectively integrate the CSE API into your workflows.\u003c/p\u003e\n"]]],["The Google Workspace CSE API enables key ownership for encrypting Workspace data. Key actions include: `digest` to return checksums, `privatekeydecrypt` to decrypt keys, `privatekeysign` to sign digests, `unwrap`/`wrap` to decrypt/encrypt DEKs, `rewrap` to re-encrypt DEKs, `privileged` methods for special decryption/wrapping, `wrapprivatekey` to wrap a user's private key and `status` to check the Key Access Control List Service. It uses `Authorization` and `Authentication` JWT tokens and details structured error handling.\n"],null,["# Google Workspace CSE API Reference\n\nThe Google Workspace Client-side Encryption (CSE) API lets you own the\nencryption keys used to further encrypt Google Workspace data.\n\nMethods\n-------\n\n| Methods ||\n|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| [delegate](/workspace/cse/reference/delegate) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/delegate` Allows a first user to delegate a request to a second user. |\n| [digest](/workspace/cse/reference/digest) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/digest` Returns the checksum of an unwrapped DEK. |\n| [privatekeydecrypt](/workspace/cse/reference/private-key-decrypt) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privatekeydecrypt` Unwraps a wrapped private key and then decrypts the content encryption key that is encrypted to the public key. |\n| [privatekeysign](/workspace/cse/reference/private-key-sign) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privatekeysign` Unwraps a wrapped private key and then signs the digest provided by the client. |\n| [privilegedprivatekeydecrypt](/workspace/cse/reference/privileged-private-key-decrypt) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privilegedprivatekeydecrypt` Decrypts without checking the wrapped private key ACL. |\n| [privilegedunwrap](/workspace/cse/reference/privileged-unwrap) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privilegedunwrap` Decrypts data exported from Google in a privileged context. |\n| [privilegedwrap](/workspace/cse/reference/privileged-wrap) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privilegedwrap` Returns a wrapped Data Encryption Key (DEK) and associated data. |\n| [rewrap](/workspace/cse/reference/rewrap) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/rewrap` Re-encrypts an encrypted DEK. |\n| [status](/workspace/cse/reference/status) | `GET https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/status` Checks the status of a Key Access Control List Service (KACLS). |\n| [unwrap](/workspace/cse/reference/unwrap) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/unwrap` Returns decrypted DEK. |\n| [wrap](/workspace/cse/reference/wrap) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/wrap` Returns encrypted DEK and associated data. |\n| [wrapprivatekey](/workspace/cse/reference/wrap-private-key) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/wrapprivatekey` Wraps a user's private key. |\n\nTokens\n------\n\n| Tokens ||\n|------------------------------------------------------------------|------------------------------------------------------------------------------------------------|\n| [Authorization](/workspace/cse/reference/authorization-tokens) | JWT issued by Google to verify that the caller is authorized to encrypt or decrypt a resource. |\n| [Authentication](/workspace/cse/reference/authentication-tokens) | JWT issued by the identity provider that attests user identity. |\n\nOther\n-----\n\n- \\[Resource key hash\\]\n- [Structured error replies](/workspace/cse/reference/structured-errors)"]]
