1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-08 18:45:13 +00:00
gcloud-help/gcloud/beta/kms/raw-decrypt
2023-08-02 11:22:33 +00:00

96 lines
3.8 KiB
Text

NAME
gcloud beta kms raw-decrypt - decrypt a ciphertext file using a raw key
SYNOPSIS
gcloud beta kms raw-decrypt --ciphertext-file=CIPHERTEXT_FILE
--plaintext-file=PLAINTEXT_FILE
[--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE]
[--initialization-vector-file=INITIALIZATION_VECTOR_FILE] [--key=KEY]
[--keyring=KEYRING] [--location=LOCATION]
[--skip-integrity-verification] [--version=VERSION]
[GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(BETA) gcloud beta kms raw-decrypt decrypts the given ciphertext file using
the given CryptoKey containing a raw key and writes the result to the named
plaintext file. The ciphertext file must not be larger than 64KiB.
The supported algorithms are: AES-128-GCM, AES-256-GCM, AES-128-CBC,
AES-256-CBC, AES-128-CTR, and AES-256-CTR.
AES-GCM provides authentication which means that it accepts additional
authenticated data (AAD). So, the flag --additional-authenticated-data-file
is only valid with AES-128-GCM and AES-256-GCM algorithms. If AAD is
provided during encryption, it must be provided during decryption too. The
file must not be larger than 64KiB.
If --plaintext-file or --additional-authenticated-data-file or
--initialization-vector-file is set to '-', that file is read from stdin.
Similarly, if --ciphertext-file is set to '-', the ciphertext is written to
stdout.
By default, the command performs integrity verification on data sent to and
received from Cloud KMS. Use --skip-integrity-verification to disable
integrity verification.
EXAMPLES
The following command reads and decrypts the file path/to/input/ciphertext.
The file will be decrypted using the CryptoKey KEYNAME containing a raw
key, from the KeyRing KEYRING in the global location. It uses the
additional authenticated data file path/to/input/aad (only valid with the
AES-GCM algorithms) and the initialization vector file path/to/input/iv.
The resulting plaintext will be written to path/to/output/plaintext.
$ gcloud beta kms raw-decrypt --key=KEYNAME --keyring=KEYRING \
--location=global --ciphertext-file=path/to/input/ciphertext \
--additional-authenticated-data-file=path/to/input/aad \
--initialization-vector-file=path/to/input/iv \
--plaintext-file=path/to/output/plaintext
REQUIRED FLAGS
--ciphertext-file=CIPHERTEXT_FILE
File path of the ciphertext file to decrypt.
--plaintext-file=PLAINTEXT_FILE
File path of the plaintext file to store the decrypted data.
OPTIONAL FLAGS
--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE
File path to the optional file containing the additional authenticated
data.
--initialization-vector-file=INITIALIZATION_VECTOR_FILE
File path to the optional file containing the initialization vector for
decryption.
--key=KEY
The (raw) key to use for decryption.
--keyring=KEYRING
Key ring of the key.
--location=LOCATION
Location of the keyring.
--skip-integrity-verification
Skip integrity verification on request and response API fields.
--version=VERSION
Version to use for decryption.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in beta and might change without notice. These
variants are also available:
$ gcloud kms raw-decrypt
$ gcloud alpha kms raw-decrypt