gcloud_alpha_kms_decrypt (1)
NAME
- gcloud alpha kms decrypt - decrypt a ciphertext file using a Cloud KMS key
SYNOPSIS
-
gcloud alpha kms decrypt --ciphertext-file=CIPHERTEXT_FILE --plaintext-file=PLAINTEXT_FILE [--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE] [--key=KEY] [--keyring=KEYRING] [--location=LOCATION] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(ALPHA) gcloud alpha kms decrypt decrypts the given ciphertext file using
Additional authenticated data (AAD) is used as an additional check by Cloud KMS to authenticate a decryption request. If an additional authenticated data file is provided, its contents must match the additional authenticated data provided during encryption and must not be larger than 64KiB. If you don't provide a value for --additional-authenticated-data-file, an empty string is used. For a thorough explanation of AAD, refer to this guide: cloud.google.com/kms/docs/additional-authenticated-data
If --ciphertext-file or --additional-authenticated-data-file is set to '-', that file is read from stdin. Note that both files cannot be read from stdin. Similarly, if --plaintext-file is set to '-', the decrypted plaintext is written to stdout.
REQUIRED FLAGS
-
- --ciphertext-file=CIPHERTEXT_FILE
-
File path of the ciphertext file to decrypt.
- --plaintext-file=PLAINTEXT_FILE
-
File path of the plaintext file to output.
OPTIONAL FLAGS
-
- --additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE
-
File path to the optional file containing the additional authenticated data.
- --key=KEY
-
Cloud KMS key to use for decryption.
- --keyring=KEYRING
-
Key ring of the key.
- --location=LOCATION
-
Location of the keyring.
GCLOUD WIDE FLAGS
These flags are available to all commands: --account, --configuration, --flags-file, --flatten, --format, --help, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity. Run $ gcloud help for details.
EXAMPLES
To decrypt the file 'path/to/ciphertext' using the key frodo with key ring fellowship and location global and write the plaintext to 'path/to/plaintext.dec', run:
-
$ gcloud alpha kms decrypt \
--key=frodo \
--keyring=fellowship \
--location=global \
--ciphertext-file=path/to/input/ciphertext \
--plaintext-file=path/to/output/plaintext.dec
To decrypt the file 'path/to/ciphertext' using the key frodo and the additional authenticated data that was used to encrypt the ciphertext, and write the decrypted plaintext to stdout, run:
-
$ gcloud alpha kms decrypt \
--key=frodo \
--keyring=fellowship \
--location=global \
--additional-authenticated-data-file=path/to/aad \
--ciphertext-file=path/to/input/ciphertext \
--plaintext-file='-'
NOTES
This command is currently in ALPHA and may change without notice. If this command fails with API permission errors despite specifying the right project, you will have to apply for early access and have your projects registered on the API whitelist to use it. To do so, contact Support at cloud.google.com/support These variants are also available:
- $ gcloud kms decrypt $ gcloud beta kms decrypt