The DEK (Data Encryption Key) endpoints handle encryption key wrapping. The client’s VPS sends a plain DEK, and the Metadata Service encrypts it with the master key (wrap) or decrypts an existing wrapped DEK back to plaintext (unwrap).
These endpoints are called by the client VPS (VPS 20) during file upload and download flows. The plain DEK never leaves the internal network unencrypted.

Wrap DEK

POST /api/v1/dek/wrap
Encrypts a plain DEK using the master key. The client VPS sends the plain DEK, and the service returns it wrapped.

Request body

dek (string, required): The plain 32-bit Data Encryption Key to wrap.
{
  "dek": "pl41n_d3k_k3y_32b1ts_0000000000"
}

Response 200

{
  "dekEnc": "enc_k3y_wr4pp3d_by_m4st3r_k3y_00"
}

Response 400

Returned when the provided DEK is invalid or malformed.
{
  "error": "invalid_dek"
}

Unwrap DEK

POST /api/v1/dek/unwrap
Decrypts a wrapped DEK back to its plaintext form using the master key.

Request body

dekEnc (string, required): The 32-bit encrypted DEK (wrapped by the master key) to unwrap.
{
  "dekEnc": "enc_k3y_wr4pp3d_by_m4st3r_k3y_00"
}

Response 200

{
  "dek": "pl41n_d3k_k3y_32b1ts_0000000000"
}

Response 400

Returned when the provided encrypted DEK is invalid or cannot be decrypted.
{
  "error": "invalid_enc_dek"
}
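
The wrap and unwrap operations described above, as an added example that is not the Metadata Service's own code. It assumes AES-256-GCM under a 32-byte master key, base64-encoded values and a 32-byte DEK; the function names and the IV, ciphertext, tag layout of dekEnc are likewise assumptions of this example.

```javascript
// Added example: the logic behind the two endpoints (not the service's code).
const crypto = require("node:crypto");

const DEK_LEN = 32; // assumption: 32-byte DEK
const IV_LEN = 12;  // GCM nonce length
const TAG_LEN = 16; // GCM authentication tag length

// Buffer.from() silently skips invalid base64, so verify by round-tripping.
function decodeB64(s) {
  if (typeof s !== "string" || s.length === 0) return null;
  const buf = Buffer.from(s, "base64");
  return buf.toString("base64") === s ? buf : null;
}

// POST /api/v1/dek/wrap
function wrapDek(masterKey, body) {
  const dek = decodeB64(body && body.dek);
  if (!dek || dek.length !== DEK_LEN) {
    return { status: 400, body: { error: "invalid_dek" } };
  }
  const iv = crypto.randomBytes(IV_LEN); // fresh nonce for every wrap
  const cipher = crypto.createCipheriv("aes-256-gcm", masterKey, iv);
  const ct = Buffer.concat([cipher.update(dek), cipher.final()]);
  const dekEnc = Buffer.concat([iv, ct, cipher.getAuthTag()]).toString("base64");
  return { status: 200, body: { dekEnc } };
}

// POST /api/v1/dek/unwrap
function unwrapDek(masterKey, body) {
  const invalid = { status: 400, body: { error: "invalid_enc_dek" } };
  const blob = decodeB64(body && body.dekEnc);
  if (!blob || blob.length !== IV_LEN + DEK_LEN + TAG_LEN) return invalid;
  const decipher = crypto.createDecipheriv("aes-256-gcm", masterKey, blob.subarray(0, IV_LEN), { authTagLength: TAG_LEN });
  decipher.setAuthTag(blob.subarray(blob.length - TAG_LEN));
  try {
    const dek = Buffer.concat([decipher.update(blob.subarray(IV_LEN, IV_LEN + DEK_LEN)), decipher.final()]);
    return { status: 200, body: { dek: dek.toString("base64") } };
  } catch {
    return invalid; // tag mismatch: modified blob or wrong master key
  }
}

// Constructed sample values, generated at run time.
const masterKey = crypto.randomBytes(32);
const plainDek = crypto.randomBytes(DEK_LEN).toString("base64");
const wrapped = wrapDek(masterKey, { dek: plainDek });
console.log(wrapped.status, unwrapDek(masterKey, { dekEnc: wrapped.body.dekEnc }).body.dek === plainDek);
```

Because GCM authenticates the wrapped blob, a modified dekEnc or a different master key produces invalid_enc_dek instead of a silently wrong key.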