gcloud alpha kms decrypt

NAME
gcloud alpha kms decrypt - decrypt a ciphertext file using a Cloud KMS key
SYNOPSIS
gcloud alpha kms decrypt--ciphertext-file=CIPHERTEXT_FILE--plaintext-file=PLAINTEXT_FILE[--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE][--key=KEY][--keyring=KEYRING][--location=LOCATION][--skip-integrity-verification][GCLOUD_WIDE_FLAG]
DESCRIPTION
(ALPHA)gcloud alpha kms decrypt decrypts the givenciphertext file using the given Cloud KMS key and writes the result to the namedplaintext file. Note that to permit users to decrypt using a key, they must behave at least one of the following IAM roles for that key:roles/cloudkms.cryptoKeyDecrypter,roles/cloudkms.cryptoKeyEncrypterDecrypter.

Additional authenticated data (AAD) is used as an additional check by Cloud KMSto authenticate a decryption request. If an additional authenticated data fileis provided, its contents must match the additional authenticated data providedduring encryption and must not be larger than 64KiB. If you don't provide avalue for--additional-authenticated-data-file, an empty string isused. For a thorough explanation of AAD, refer to this guide:https://cloud.google.com/kms/docs/additional-authenticated-data

If--ciphertext-file or--additional-authenticated-data-file is set to '-', that file isread from stdin. Note that both files cannot be read from stdin. Similarly, if--plaintext-file is set to '-', the decrypted plaintext is writtento stdout.

By default, the command performs integrity verification on data sent to andreceived from Cloud KMS. Use--skip-integrity-verification todisable integrity verification.

EXAMPLES
To decrypt the file 'path/to/ciphertext' using the keyfrodo withkey ringfellowship and locationglobal and write theplaintext to 'path/to/plaintext.dec', run:
gcloudalphakmsdecrypt--key=frodo--keyring=fellowship--location=global--ciphertext-file=path/to/input/ciphertext--plaintext-file=path/to/output/plaintext.dec

To decrypt the file 'path/to/ciphertext' using the keyfrodo andthe additional authenticated data that was used to encrypt the ciphertext, andwrite the decrypted plaintext to stdout, run:

gcloudalphakmsdecrypt--key=frodo--keyring=fellowship--location=global--additional-authenticated-data-file=path/to/aad--ciphertext-file=path/to/input/ciphertext--plaintext-file='-'
REQUIRED FLAGS
--ciphertext-file=CIPHERTEXT_FILE
File path of the ciphertext file to decrypt. This file should contain the resultof encrypting a file withgcloud kms encrypt.
--plaintext-file=PLAINTEXT_FILE
File path of the plaintext file to output.
OPTIONAL FLAGS
--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE
File path to the optional file containing the additional authenticated data.
--key=KEY
Cloud KMS key to use for decryption.
  • For symmetric keys, Cloud KMS detects the decryption key version from theciphertext. If you specify a key version as part of a symmetric decryptionrequest, an error is logged and decryption fails.
  • For asymmetric keys, the encryption key version can't be detected automatically.You must keep track of this information and provide the key version in thedecryption request. The key version itself is not sensitive data and does notneed to be encrypted.
--keyring=KEYRING
Key ring of the key.
--location=LOCATION
Location of the keyring.
--skip-integrity-verification
Skip integrity verification on request and response API fields.
GCLOUD WIDE FLAGS
These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

Run$gcloud help for details.

NOTES
This command is currently in alpha and might change without notice. If thiscommand fails with API permission errors despite specifying the correct project,you might be trying to access an API with an invitation-only early accessallowlist. These variants are also available:
gcloudkmsdecrypt
gcloudbetakmsdecrypt

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-05-07 UTC.