NAME gcloud kms raw-decrypt - decrypt a ciphertext file using a raw key SYNOPSIS gcloud kms raw-decrypt --ciphertext-file=CIPHERTEXT_FILE --plaintext-file=PLAINTEXT_FILE --version=VERSION [--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE] [--initialization-vector-file=INITIALIZATION_VECTOR_FILE] [--key=KEY] [--keyring=KEYRING] [--location=LOCATION] [--skip-integrity-verification] [GCLOUD_WIDE_FLAG ...] DESCRIPTION gcloud kms raw-decrypt decrypts the given ciphertext file using the given CryptoKey containing a raw key and writes the result to the named plaintext file. The ciphertext file must not be larger than 64KiB. The supported algorithms are: AES-128-GCM, AES-256-GCM, AES-128-CBC, AES-256-CBC, AES-128-CTR, and AES-256-CTR. AES-GCM provides authentication which means that it accepts additional authenticated data (AAD). So, the flag --additional-authenticated-data-file is only valid with AES-128-GCM and AES-256-GCM algorithms. If AAD is provided during encryption, it must be provided during decryption too. The file must not be larger than 64KiB. If --plaintext-file or --additional-authenticated-data-file or --initialization-vector-file is set to '-', that file is read from stdin. Similarly, if --ciphertext-file is set to '-', the ciphertext is written to stdout. By default, the command performs integrity verification on data sent to and received from Cloud KMS. Use --skip-integrity-verification to disable integrity verification. EXAMPLES The following command reads and decrypts the file path/to/input/ciphertext. The file will be decrypted using the CryptoKey KEYNAME containing a raw key, from the KeyRing KEYRING in the global location. It uses the additional authenticated data file path/to/input/aad (only valid with the AES-GCM algorithms) and the initialization vector file path/to/input/iv. The resulting plaintext will be written to path/to/output/plaintext. $ gcloud kms raw-decrypt --key=KEYNAME --keyring=KEYRING \ --location=global --ciphertext-file=path/to/input/ciphertext \ --additional-authenticated-data-file=path/to/input/aad \ --initialization-vector-file=path/to/input/iv \ --plaintext-file=path/to/output/plaintext REQUIRED FLAGS --ciphertext-file=CIPHERTEXT_FILE File path of the ciphertext file to decrypt. --plaintext-file=PLAINTEXT_FILE File path of the plaintext file to store the decrypted data. --version=VERSION Version to use for decryption. OPTIONAL FLAGS --additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE File path to the optional file containing the additional authenticated data. --initialization-vector-file=INITIALIZATION_VECTOR_FILE File path to the optional file containing the initialization vector for decryption. --key=KEY The (raw) key to use for decryption. --keyring=KEYRING Key ring of the key. --location=LOCATION Location of the keyring. --skip-integrity-verification Skip integrity verification on request and response API fields. GCLOUD WIDE FLAGS These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity. Run $ gcloud help for details. NOTES These variants are also available: $ gcloud alpha kms raw-decrypt $ gcloud beta kms raw-decrypt