mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-08 18:45:13 +00:00
101 lines
4.3 KiB
Text
101 lines
4.3 KiB
Text
NAME
|
|
gcloud beta kms decrypt - decrypt a ciphertext file using a Cloud KMS key
|
|
|
|
SYNOPSIS
|
|
gcloud beta kms decrypt --ciphertext-file=CIPHERTEXT_FILE
|
|
--plaintext-file=PLAINTEXT_FILE
|
|
[--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE]
|
|
[--key=KEY] [--keyring=KEYRING] [--location=LOCATION]
|
|
[--skip-integrity-verification] [GCLOUD_WIDE_FLAG ...]
|
|
|
|
DESCRIPTION
|
|
(BETA) gcloud beta kms decrypt decrypts the given ciphertext file using the
|
|
given Cloud KMS key and writes the result to the named plaintext file. Note
|
|
that to permit users to decrypt using a key, they must be have at least one
|
|
of the following IAM roles for that key: roles/cloudkms.cryptoKeyDecrypter,
|
|
roles/cloudkms.cryptoKeyEncrypterDecrypter.
|
|
|
|
Additional authenticated data (AAD) is used as an additional check by Cloud
|
|
KMS to authenticate a decryption request. If an additional authenticated
|
|
data file is provided, its contents must match the additional authenticated
|
|
data provided during encryption and must not be larger than 64KiB. If you
|
|
don't provide a value for --additional-authenticated-data-file, an empty
|
|
string is used. For a thorough explanation of AAD, refer to this guide:
|
|
https://cloud.google.com/kms/docs/additional-authenticated-data
|
|
|
|
If --ciphertext-file or --additional-authenticated-data-file is set to '-',
|
|
that file is read from stdin. Note that both files cannot be read from
|
|
stdin. Similarly, if --plaintext-file is set to '-', the decrypted
|
|
plaintext is written to stdout.
|
|
|
|
By default, the command performs integrity verification on data sent to and
|
|
received from Cloud KMS. Use --skip-integrity-verification to disable
|
|
integrity verification.
|
|
|
|
EXAMPLES
|
|
To decrypt the file 'path/to/ciphertext' using the key frodo with key ring
|
|
fellowship and location global and write the plaintext to
|
|
'path/to/plaintext.dec', run:
|
|
|
|
$ gcloud beta kms decrypt --key=frodo --keyring=fellowship \
|
|
--location=global --ciphertext-file=path/to/input/ciphertext \
|
|
--plaintext-file=path/to/output/plaintext.dec
|
|
|
|
To decrypt the file 'path/to/ciphertext' using the key frodo and the
|
|
additional authenticated data that was used to encrypt the ciphertext, and
|
|
write the decrypted plaintext to stdout, run:
|
|
|
|
$ gcloud beta kms decrypt --key=frodo --keyring=fellowship \
|
|
--location=global \
|
|
--additional-authenticated-data-file=path/to/aad \
|
|
--ciphertext-file=path/to/input/ciphertext --plaintext-file='-'
|
|
|
|
REQUIRED FLAGS
|
|
--ciphertext-file=CIPHERTEXT_FILE
|
|
File path of the ciphertext file to decrypt. This file should contain
|
|
the result of encrypting a file with gcloud kms encrypt.
|
|
|
|
--plaintext-file=PLAINTEXT_FILE
|
|
File path of the plaintext file to output.
|
|
|
|
OPTIONAL FLAGS
|
|
--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE
|
|
File path to the optional file containing the additional authenticated
|
|
data.
|
|
|
|
--key=KEY
|
|
Cloud KMS key to use for decryption.
|
|
◆ For symmetric keys, Cloud KMS detects the decryption key version
|
|
from the ciphertext. If you specify a key version as part of a
|
|
symmetric decryption request, an error is logged and decryption
|
|
fails.
|
|
◆ For asymmetric keys, the encryption key version can't be detected
|
|
automatically. You must keep track of this information and provide
|
|
the key version in the decryption request. The key version itself is
|
|
not sensitive data and does not need to be encrypted.
|
|
|
|
--keyring=KEYRING
|
|
Key ring of the key.
|
|
|
|
--location=LOCATION
|
|
Location of the keyring.
|
|
|
|
--skip-integrity-verification
|
|
Skip integrity verification on request and response API fields.
|
|
|
|
GCLOUD WIDE FLAGS
|
|
These flags are available to all commands: --access-token-file, --account,
|
|
--billing-project, --configuration, --flags-file, --flatten, --format,
|
|
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
|
--trace-token, --user-output-enabled, --verbosity.
|
|
|
|
Run $ gcloud help for details.
|
|
|
|
NOTES
|
|
This command is currently in beta and might change without notice. These
|
|
variants are also available:
|
|
|
|
$ gcloud kms decrypt
|
|
|
|
$ gcloud alpha kms decrypt
|
|
|