- NAME
- 
- gcloud beta kms decrypt - decrypt a ciphertext file using a Cloud KMS key
 
- SYNOPSIS
- 
- 
gcloud beta kms decrypt--ciphertext-file=CIPHERTEXT_FILE--plaintext-file=PLAINTEXT_FILE[--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE] [--key=KEY] [--keyring=KEYRING] [--location=LOCATION] [--skip-integrity-verification] [GCLOUD_WIDE_FLAG …]
 
- 
- DESCRIPTION
- 
(BETA)gcloud beta kms decryptdecrypts the given ciphertext file using the given Cloud KMS key and writes the result to the named plaintext file. Note that to permit users to decrypt using a key, they must be have at least one of the following IAM roles for that key:roles/cloudkms.cryptoKeyDecrypter,roles/cloudkms.cryptoKeyEncrypterDecrypter.Additional authenticated data (AAD) is used as an additional check by Cloud KMS to authenticate a decryption request. If an additional authenticated data file is provided, its contents must match the additional authenticated data provided during encryption and must not be larger than 64KiB. If you don't provide a value for --additional-authenticated-data-file, an empty string is used. For a thorough explanation of AAD, refer to this guide: https://cloud.google.com/kms/docs/additional-authenticated-dataIf --ciphertext-fileor--additional-authenticated-data-fileis set to '-', that file is read from stdin. Note that both files cannot be read from stdin. Similarly, if--plaintext-fileis set to '-', the decrypted plaintext is written to stdout.By default, the command performs integrity verification on data sent to and received from Cloud KMS. Use --skip-integrity-verificationto disable integrity verification.
- EXAMPLES
- 
To decrypt the file 'path/to/ciphertext' using the key frodowith key ringfellowshipand locationglobaland write the plaintext to 'path/to/plaintext.dec', run:gcloud beta kms decrypt --key=frodo --keyring=fellowship --location=global --ciphertext-file=path/to/input/ciphertext --plaintext-file=path/to/output/plaintext.decTo decrypt the file 'path/to/ciphertext' using the key frodoand the additional authenticated data that was used to encrypt the ciphertext, and write the decrypted plaintext to stdout, run:gcloud beta kms decrypt --key=frodo --keyring=fellowship --location=global --additional-authenticated-data-file=path/to/aad --ciphertext-file=path/to/input/ciphertext --plaintext-file='-'
- REQUIRED FLAGS
- 
- --ciphertext-file=- CIPHERTEXT_FILE
- 
File path of the ciphertext file to decrypt. This file should contain the result
of encrypting a file with gcloud kms encrypt.
- --plaintext-file=- PLAINTEXT_FILE
- File path of the plaintext file to output.
 
- OPTIONAL FLAGS
- 
- --additional-authenticated-data-file=- ADDITIONAL_AUTHENTICATED_DATA_FILE
- File path to the optional file containing the additional authenticated data.
- --key=- KEY
- 
Cloud KMS key to use for decryption.
- For symmetric keys, Cloud KMS detects the decryption key version from the ciphertext. If you specify a key version as part of a symmetric decryption request, an error is logged and decryption fails.
- For asymmetric keys, the encryption key version can't be detected automatically. You must keep track of this information and provide the key version in the decryption request. The key version itself is not sensitive data and does not need to be encrypted.
 
- --keyring=- KEYRING
- Key ring of the key.
- --location=- LOCATION
- Location of the keyring.
- --skip-integrity-verification
- Skip integrity verification on request and response API fields.
 
- GCLOUD WIDE FLAGS
- 
These flags are available to all commands: --access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run $ gcloud helpfor details.
- NOTES
- 
This command is currently in beta and might change without notice. These
variants are also available:
gcloud kms decryptgcloud alpha kms decrypt
      gcloud beta kms decrypt
  
  Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-05-07 UTC.