wrap, unwrap, privilegedwrap and digest actions

  • wrap: a wrap request has been made. This is the case whenever a key is encrypted.

  • unwrap: an unwrap request has been made. This is the case whenever a key is decrypted.

  • privilegedwrap: a privilegedwrap request has been made. This is the case whenever a bulk file import is in progress.

  • digest: a digest request has been made. This is the case whenever a migration or encryption operation to a backup KACLS is in progress.

All these actions generate an "info" severity log in the event of success, or a "crit" severity log in the event of an error.

The log fields for these actions are as follows:

Field

Description

Type

Mandatory/Optional

tenant_id

Tenant identifier.

Example: 025f02fe-bee2-444b-bf76-b5ead30327c0

String in uuid v4 format Mandatory

reason

Additional context about the operation. Example: Reason of the request String Mandatory

email

User's email address.

Example: alice.dupont@gmail.com

String Mandatory
google_email User's Google account email address. This field is always absent in the case of a digest action. Example: alice.google@gmail.com String
Optional
google_application

Google Workspace application concerned by the operation.

Prescribed values:

  • meet,

  • drive,

  • calendar

String Mandatory
resource_name

Resource identifier.

Example: //googleapis.com/drive/files/1OJsaKJM5JES1yi79QCKx-13wOR1i8JPU"

String Mandatory
perimeter_id Identifier for additional verification of authentication and authorization requests. Example: Perimeter_id of the request String Mandatory
kek_id

Identifier of the KEK used.

Example: ed7e4c13-6199-30a3-7bce-1c82a9e31e21

String Mandatory

Example of logs for the successful wrap action:

{
"tenant_id":"025f02fe-bee2-444b-bf76-b5ead30327c0",
"reason":"reason of the request",
"email":"alice@gmail.com",
"google_email": "alice.google@gmail.com",
"application": "meet",
"resource_name": resource name for this request,
"perimeter_id": "perimeter id for the request",
"kek_id": "ed7e4c13-6199-30a3-7bce-encrypted_kek_b64"
}

Example of logs for the successful privilegedwrap action:

{
"tenant_id":"025f02fe-bee2-444b-bf76-b5ead30327c0",
"reason":"reason of the request",
"email":"alice@gmail.com",
"google_email": "alice.google@gmail.com",
"google_application": "meet|drive...",
"resource_name": "resource name for this request",
"perimeter_id": "perimeter id for the request",
"kek_id": "ed7e4c13-6199-30a3-7bce-1c82a9e31e21"
}

Example of logs for the successful digest action:

{
"tenant_id":"025f02fe-bee2-444b-bf76-b5ead30327c0",
"reason":"reason of the request",
"email":"alice@gmail.com",
"google_application": "meet|drive...",
"resource_name": "resource name for this request",
"perimeter_id": "perimeter id for the request",
"kek_id": "ed7e4c13-6199-30a3-7bce-1c82a9e31e21"
}