NAME gcloud kms decapsulate - decapsulate an input file using a key-encapsulation key version SYNOPSIS gcloud kms decapsulate --ciphertext-file=CIPHERTEXT_FILE --shared-secret-file=SHARED_SECRET_FILE [--key=KEY] [--keyring=KEYRING] [--location=LOCATION] [--skip-integrity-verification] [--version=VERSION] [GCLOUD_WIDE_FLAG ...] DESCRIPTION Decapsulates the given ciphertext file using the provided key-encapsulation key version and saves the decapsulated shared secret to the shared secret file. By default, the command performs integrity verification on data sent to and received from Cloud KMS. Use --skip-integrity-verification to disable integrity verification. EXAMPLES The following command will read the file '/tmp/my/secret.file.enc', decapsulate it using the key encapsulation CryptoKey my-key Version 3 and write the shared secret to '/tmp/my/secret.file.dec'. $ gcloud kms decapsulate --location=us-central1 \ --keyring=my-keyring --key=my-key --version=3 \ --ciphertext-file=/tmp/my/secret.file.enc \ --shared-secret-file=/tmp/my/secret.file.dec REQUIRED FLAGS --ciphertext-file=CIPHERTEXT_FILE File path of the ciphertext file to decapsulate. --shared-secret-file=SHARED_SECRET_FILE File path of the shared secret file to output. OPTIONAL FLAGS --key=KEY to use for decapsulation. --keyring=KEYRING Key ring of the key. --location=LOCATION Location of the keyring. --skip-integrity-verification Skip integrity verification on request and response API fields. --version=VERSION Version to use for decapsulation. GCLOUD WIDE FLAGS These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity. Run $ gcloud help for details. NOTES These variants are also available: $ gcloud alpha kms decapsulate $ gcloud beta kms decapsulate