1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-08 02:25:19 +00:00
gcloud-help/gcloud/kms/decrypt
2022-03-01 04:29:52 +00:00

106 lines
4.3 KiB
Text

NAME
gcloud kms decrypt - decrypt a ciphertext file using a Cloud KMS key
SYNOPSIS
gcloud kms decrypt --ciphertext-file=CIPHERTEXT_FILE
--plaintext-file=PLAINTEXT_FILE
[--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE]
[--key=KEY] [--keyring=KEYRING] [--location=LOCATION]
[--skip-integrity-verification] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
gcloud kms decrypt decrypts the given ciphertext file using the given Cloud
KMS key and writes the result to the named plaintext file. Note that to
permit users to decrypt using a key, they must be have at least one of the
following IAM roles for that key: roles/cloudkms.cryptoKeyDecrypter,
roles/cloudkms.cryptoKeyEncrypterDecrypter.
Additional authenticated data (AAD) is used as an additional check by Cloud
KMS to authenticate a decryption request. If an additional authenticated
data file is provided, its contents must match the additional authenticated
data provided during encryption and must not be larger than 64KiB. If you
don't provide a value for --additional-authenticated-data-file, an empty
string is used. For a thorough explanation of AAD, refer to this guide:
https://cloud.google.com/kms/docs/additional-authenticated-data
If --ciphertext-file or --additional-authenticated-data-file is set to '-',
that file is read from stdin. Note that both files cannot be read from
stdin. Similarly, if --plaintext-file is set to '-', the decrypted
plaintext is written to stdout.
By default, the command performs integrity verification on data sent to and
received from Cloud KMS. Use --skip-integrity-verification to disable
integrity verification.
EXAMPLES
To decrypt the file 'path/to/ciphertext' using the key frodo with key ring
fellowship and location global and write the plaintext to
'path/to/plaintext.dec', run:
$ gcloud kms decrypt \
--key=frodo \
--keyring=fellowship \
--location=global \
--ciphertext-file=path/to/input/ciphertext \
--plaintext-file=path/to/output/plaintext.dec
To decrypt the file 'path/to/ciphertext' using the key frodo and the
additional authenticated data that was used to encrypt the ciphertext, and
write the decrypted plaintext to stdout, run:
$ gcloud kms decrypt \
--key=frodo \
--keyring=fellowship \
--location=global \
--additional-authenticated-data-file=path/to/aad \
--ciphertext-file=path/to/input/ciphertext \
--plaintext-file='-'
REQUIRED FLAGS
--ciphertext-file=CIPHERTEXT_FILE
File path of the ciphertext file to decrypt. This file should contain
the result of encrypting a file with gcloud kms encrypt.
--plaintext-file=PLAINTEXT_FILE
File path of the plaintext file to output.
OPTIONAL FLAGS
--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE
File path to the optional file containing the additional authenticated
data.
--key=KEY
Cloud KMS key to use for decryption.
◆ For symmetric keys, Cloud KMS detects the decryption key version
from the ciphertext. If you specify a key version as part of a
symmetric decryption request, an error is logged and decryption
fails.
◆ For asymmetric keys, the encryption key version can't be detected
automatically. You must keep track of this information and provide
the key version in the decryption request. The key version itself is
not sensitive data and does not need to be encrypted.
--keyring=KEYRING
Key ring of the key.
--location=LOCATION
Location of the keyring.
--skip-integrity-verification
Skip integrity verification on request and response API fields.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
These variants are also available:
$ gcloud alpha kms decrypt
$ gcloud beta kms decrypt