NAME
    gcloud kms raw-decrypt - decrypt a ciphertext file using a raw key

SYNOPSIS
    gcloud kms raw-decrypt --ciphertext-file=CIPHERTEXT_FILE
        --plaintext-file=PLAINTEXT_FILE --version=VERSION
        [--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE]
        [--initialization-vector-file=INITIALIZATION_VECTOR_FILE] [--key=KEY]
        [--keyring=KEYRING] [--location=LOCATION]
        [--skip-integrity-verification] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    gcloud kms raw-decrypt decrypts the given ciphertext file using the given
    CryptoKey containing a raw key and writes the result to the named plaintext
    file. The ciphertext file must not be larger than 64KiB.

    The supported algorithms are: AES-128-GCM, AES-256-GCM, AES-128-CBC,
    AES-256-CBC, AES-128-CTR, and AES-256-CTR.

    AES-GCM provides authentication which means that it accepts additional
    authenticated data (AAD). So, the flag --additional-authenticated-data-file
    is only valid with AES-128-GCM and AES-256-GCM algorithms. If AAD is
    provided during encryption, it must be provided during decryption too. The
    file must not be larger than 64KiB.

    If --plaintext-file or --additional-authenticated-data-file or
    --initialization-vector-file is set to '-', that file is read from stdin.
    Similarly, if --ciphertext-file is set to '-', the ciphertext is written to
    stdout.

    By default, the command performs integrity verification on data sent to and
    received from Cloud KMS. Use --skip-integrity-verification to disable
    integrity verification.

EXAMPLES
    The following command reads and decrypts the file path/to/input/ciphertext.
    The file will be decrypted using the CryptoKey KEYNAME containing a raw
    key, from the KeyRing KEYRING in the global location. It uses the
    additional authenticated data file path/to/input/aad (only valid with the
    AES-GCM algorithms) and the initialization vector file path/to/input/iv.
    The resulting plaintext will be written to path/to/output/plaintext.

        $ gcloud kms raw-decrypt --key=KEYNAME --keyring=KEYRING \
            --location=global --ciphertext-file=path/to/input/ciphertext \
            --additional-authenticated-data-file=path/to/input/aad \
            --initialization-vector-file=path/to/input/iv \
            --plaintext-file=path/to/output/plaintext

REQUIRED FLAGS
     --ciphertext-file=CIPHERTEXT_FILE
        File path of the ciphertext file to decrypt.

     --plaintext-file=PLAINTEXT_FILE
        File path of the plaintext file to store the decrypted data.

     --version=VERSION
        Version to use for decryption.

OPTIONAL FLAGS
     --additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE
        File path to the optional file containing the additional authenticated
        data.

     --initialization-vector-file=INITIALIZATION_VECTOR_FILE
        File path to the optional file containing the initialization vector for
        decryption.

     --key=KEY
        The (raw) key to use for decryption.

     --keyring=KEYRING
        Key ring of the key.

     --location=LOCATION
        Location of the keyring.

     --skip-integrity-verification
        Skip integrity verification on request and response API fields.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

NOTES
    These variants are also available:

        $ gcloud alpha kms raw-decrypt

        $ gcloud beta kms raw-decrypt

