1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-18 23:08:48 +00:00

gcloud: Wed Sep 17 11:04:06 UTC 2025

This commit is contained in:
Automated 2025-09-17 11:04:06 +00:00
parent 78d417f901
commit 79c9fb4d92
193 changed files with 12122 additions and 1486 deletions

View file

@ -0,0 +1,68 @@
NAME
gcloud beta kms decapsulate - decapsulate an input file using a
key-encapsulation key version
SYNOPSIS
gcloud beta kms decapsulate --ciphertext-file=CIPHERTEXT_FILE
--shared-secret-file=SHARED_SECRET_FILE [--key=KEY] [--keyring=KEYRING]
[--location=LOCATION] [--skip-integrity-verification]
[--version=VERSION] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(BETA) Decapsulates the given ciphertext file using the provided
key-encapsulation key version and saves the decapsulated shared secret to
the shared secret file.
By default, the command performs integrity verification on data sent to and
received from Cloud KMS. Use --skip-integrity-verification to disable
integrity verification.
EXAMPLES
The following command will read the file '/tmp/my/secret.file.enc',
decapsulate it using the key encapsulation CryptoKey my-key Version 3 and
write the shared secret to '/tmp/my/secret.file.dec'.
$ gcloud beta kms decapsulate --location=us-central1 \
--keyring=my-keyring --key=my-key --version=3 \
--ciphertext-file=/tmp/my/secret.file.enc \
--shared-secret-file=/tmp/my/secret.file.dec
REQUIRED FLAGS
--ciphertext-file=CIPHERTEXT_FILE
File path of the ciphertext file to decapsulate.
--shared-secret-file=SHARED_SECRET_FILE
File path of the shared secret file to output.
OPTIONAL FLAGS
--key=KEY
to use for decapsulation.
--keyring=KEYRING
Key ring of the key.
--location=LOCATION
Location of the keyring.
--skip-integrity-verification
Skip integrity verification on request and response API fields.
--version=VERSION
Version to use for decapsulation.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in beta and might change without notice. These
variants are also available:
$ gcloud kms decapsulate
$ gcloud alpha kms decapsulate

View file

@ -65,6 +65,9 @@ COMMANDS
asymmetric-sign
(BETA) Sign a user input file using an asymmetric-signing key version.
decapsulate
(BETA) Decapsulate an input file using a key-encapsulation key version.
decrypt
(BETA) Decrypt a ciphertext file using a Cloud KMS key.

View file

@ -171,8 +171,8 @@ POSITIONAL ARGUMENTS
REQUIRED FLAGS
--purpose=PURPOSE
The "purpose" of the key. PURPOSE must be one of:
asymmetric-encryption, asymmetric-signing, encryption, mac,
raw-encryption.
asymmetric-encryption, asymmetric-signing, encryption,
key-encapsulation, mac, raw-encryption.
OPTIONAL FLAGS
--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,...]
@ -204,18 +204,18 @@ OPTIONAL FLAGS
aes-256-ctr, aes-256-gcm, ec-sign-ed25519, ec-sign-p256-sha256,
ec-sign-p384-sha384, ec-sign-secp256k1-sha256,
external-symmetric-encryption, google-symmetric-encryption, hmac-sha1,
hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512,
pq-sign-hash-slh-dsa-sha2-128s-sha256, pq-sign-ml-dsa-65,
pq-sign-slh-dsa-sha2-128s, rsa-decrypt-oaep-2048-sha1,
rsa-decrypt-oaep-2048-sha256, rsa-decrypt-oaep-3072-sha1,
rsa-decrypt-oaep-3072-sha256, rsa-decrypt-oaep-4096-sha1,
rsa-decrypt-oaep-4096-sha256, rsa-decrypt-oaep-4096-sha512,
rsa-sign-pkcs1-2048-sha256, rsa-sign-pkcs1-3072-sha256,
rsa-sign-pkcs1-4096-sha256, rsa-sign-pkcs1-4096-sha512,
rsa-sign-pss-2048-sha256, rsa-sign-pss-3072-sha256,
rsa-sign-pss-4096-sha256, rsa-sign-pss-4096-sha512,
rsa-sign-raw-pkcs1-2048, rsa-sign-raw-pkcs1-3072,
rsa-sign-raw-pkcs1-4096.
hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512, kem-xwing,
ml-kem-1024, ml-kem-768, pq-sign-hash-slh-dsa-sha2-128s-sha256,
pq-sign-ml-dsa-65, pq-sign-slh-dsa-sha2-128s,
rsa-decrypt-oaep-2048-sha1, rsa-decrypt-oaep-2048-sha256,
rsa-decrypt-oaep-3072-sha1, rsa-decrypt-oaep-3072-sha256,
rsa-decrypt-oaep-4096-sha1, rsa-decrypt-oaep-4096-sha256,
rsa-decrypt-oaep-4096-sha512, rsa-sign-pkcs1-2048-sha256,
rsa-sign-pkcs1-3072-sha256, rsa-sign-pkcs1-4096-sha256,
rsa-sign-pkcs1-4096-sha512, rsa-sign-pss-2048-sha256,
rsa-sign-pss-3072-sha256, rsa-sign-pss-4096-sha256,
rsa-sign-pss-4096-sha512, rsa-sign-raw-pkcs1-2048,
rsa-sign-raw-pkcs1-3072, rsa-sign-raw-pkcs1-4096.
--destroy-scheduled-duration=DESTROY_SCHEDULED_DURATION
The amount of time that versions of the key should spend in the

View file

@ -175,18 +175,18 @@ FLAGS
aes-256-ctr, aes-256-gcm, ec-sign-ed25519, ec-sign-p256-sha256,
ec-sign-p384-sha384, ec-sign-secp256k1-sha256,
external-symmetric-encryption, google-symmetric-encryption, hmac-sha1,
hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512,
pq-sign-hash-slh-dsa-sha2-128s-sha256, pq-sign-ml-dsa-65,
pq-sign-slh-dsa-sha2-128s, rsa-decrypt-oaep-2048-sha1,
rsa-decrypt-oaep-2048-sha256, rsa-decrypt-oaep-3072-sha1,
rsa-decrypt-oaep-3072-sha256, rsa-decrypt-oaep-4096-sha1,
rsa-decrypt-oaep-4096-sha256, rsa-decrypt-oaep-4096-sha512,
rsa-sign-pkcs1-2048-sha256, rsa-sign-pkcs1-3072-sha256,
rsa-sign-pkcs1-4096-sha256, rsa-sign-pkcs1-4096-sha512,
rsa-sign-pss-2048-sha256, rsa-sign-pss-3072-sha256,
rsa-sign-pss-4096-sha256, rsa-sign-pss-4096-sha512,
rsa-sign-raw-pkcs1-2048, rsa-sign-raw-pkcs1-3072,
rsa-sign-raw-pkcs1-4096.
hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512, kem-xwing,
ml-kem-1024, ml-kem-768, pq-sign-hash-slh-dsa-sha2-128s-sha256,
pq-sign-ml-dsa-65, pq-sign-slh-dsa-sha2-128s,
rsa-decrypt-oaep-2048-sha1, rsa-decrypt-oaep-2048-sha256,
rsa-decrypt-oaep-3072-sha1, rsa-decrypt-oaep-3072-sha256,
rsa-decrypt-oaep-4096-sha1, rsa-decrypt-oaep-4096-sha256,
rsa-decrypt-oaep-4096-sha512, rsa-sign-pkcs1-2048-sha256,
rsa-sign-pkcs1-3072-sha256, rsa-sign-pkcs1-4096-sha256,
rsa-sign-pkcs1-4096-sha512, rsa-sign-pss-2048-sha256,
rsa-sign-pss-3072-sha256, rsa-sign-pss-4096-sha256,
rsa-sign-pss-4096-sha512, rsa-sign-raw-pkcs1-2048,
rsa-sign-raw-pkcs1-3072, rsa-sign-raw-pkcs1-4096.
--next-rotation-time=NEXT_ROTATION_TIME
Next automatic rotation time of the key. See $ gcloud topic datetimes

View file

@ -15,11 +15,13 @@ DESCRIPTION
If not specified, the public key will be printed to stdout.
The optional flag public-key-format indicates the format in which the
public key will be returned. For the PQC algorithms, this must be specified
and set to nist-pqc. For all other algorithms, this flag is optional and
defaults to pem. See "Retrieve a public key" in the Cloud KMS documentation
(https://cloud.google.com/kms/docs/retrieve-public-key) for more
information about the supported formats.
public key will be returned. For the NIST PQC algorithms, this must be
specified and set to nist-pqc. For kem-xwing this must be specified and set
to xwing-raw-bytes. For all other algorithms, this flag is optional and can
be either pem or der; the default value is pem. See "Retrieve a public key"
in the Cloud KMS documentation
(https://cloud.google.com/kms/help/get-public-key) for more information
about the supported formats.
EXAMPLES
The following command saves the public key for CryptoKey frodo Version 2 to

View file

@ -34,18 +34,18 @@ REQUIRED FLAGS
aes-128-cbc, aes-128-ctr, aes-128-gcm, aes-256-cbc, aes-256-ctr,
aes-256-gcm, ec-sign-ed25519, ec-sign-p256-sha256, ec-sign-p384-sha384,
ec-sign-secp256k1-sha256, google-symmetric-encryption, hmac-sha1,
hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512,
pq-sign-hash-slh-dsa-sha2-128s-sha256, pq-sign-ml-dsa-65,
pq-sign-slh-dsa-sha2-128s, rsa-decrypt-oaep-2048-sha1,
rsa-decrypt-oaep-2048-sha256, rsa-decrypt-oaep-3072-sha1,
rsa-decrypt-oaep-3072-sha256, rsa-decrypt-oaep-4096-sha1,
rsa-decrypt-oaep-4096-sha256, rsa-decrypt-oaep-4096-sha512,
rsa-sign-pkcs1-2048-sha256, rsa-sign-pkcs1-3072-sha256,
rsa-sign-pkcs1-4096-sha256, rsa-sign-pkcs1-4096-sha512,
rsa-sign-pss-2048-sha256, rsa-sign-pss-3072-sha256,
rsa-sign-pss-4096-sha256, rsa-sign-pss-4096-sha512,
rsa-sign-raw-pkcs1-2048, rsa-sign-raw-pkcs1-3072,
rsa-sign-raw-pkcs1-4096.
hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512, kem-xwing,
ml-kem-1024, ml-kem-768, pq-sign-hash-slh-dsa-sha2-128s-sha256,
pq-sign-ml-dsa-65, pq-sign-slh-dsa-sha2-128s,
rsa-decrypt-oaep-2048-sha1, rsa-decrypt-oaep-2048-sha256,
rsa-decrypt-oaep-3072-sha1, rsa-decrypt-oaep-3072-sha256,
rsa-decrypt-oaep-4096-sha1, rsa-decrypt-oaep-4096-sha256,
rsa-decrypt-oaep-4096-sha512, rsa-sign-pkcs1-2048-sha256,
rsa-sign-pkcs1-3072-sha256, rsa-sign-pkcs1-4096-sha256,
rsa-sign-pkcs1-4096-sha512, rsa-sign-pss-2048-sha256,
rsa-sign-pss-3072-sha256, rsa-sign-pss-4096-sha256,
rsa-sign-pss-4096-sha512, rsa-sign-raw-pkcs1-2048,
rsa-sign-raw-pkcs1-3072, rsa-sign-raw-pkcs1-4096.
--import-job=IMPORT_JOB
Name of the import job to import from.