HEX
Server: Apache/2.4.65 (Ubuntu)
System: Linux ielts-store-v2 6.8.0-1036-gcp #38~22.04.1-Ubuntu SMP Thu Aug 14 01:19:18 UTC 2025 x86_64
User: root (0)
PHP: 7.2.34-54+ubuntu20.04.1+deb.sury.org+1
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
$ pwd: /snap/google-cloud-cli/394/help/man/man1/
Upload Files
File: //snap/google-cloud-cli/394/help/man/man1/gcloud_alpha_kms_decrypt.1
.TH "GCLOUD_ALPHA_KMS_DECRYPT" 1



.SH "NAME"
.HP
gcloud alpha kms decrypt \- decrypt a ciphertext file using a Cloud KMS key



.SH "SYNOPSIS"
.HP
\f5gcloud alpha kms decrypt\fR \fB\-\-ciphertext\-file\fR=\fICIPHERTEXT_FILE\fR \fB\-\-plaintext\-file\fR=\fIPLAINTEXT_FILE\fR [\fB\-\-additional\-authenticated\-data\-file\fR=\fIADDITIONAL_AUTHENTICATED_DATA_FILE\fR] [\fB\-\-key\fR=\fIKEY\fR] [\fB\-\-keyring\fR=\fIKEYRING\fR] [\fB\-\-location\fR=\fILOCATION\fR] [\fB\-\-skip\-integrity\-verification\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\fB(ALPHA)\fR \f5gcloud alpha kms decrypt\fR decrypts the given ciphertext file
using the given Cloud KMS key and writes the result to the named plaintext file.
Note that to permit users to decrypt using a key, they must be have at least one
of the following IAM roles for that key:
\f5roles/cloudkms.cryptoKeyDecrypter\fR,
\f5roles/cloudkms.cryptoKeyEncrypterDecrypter\fR.

Additional authenticated data (AAD) is used as an additional check by Cloud KMS
to authenticate a decryption request. If an additional authenticated data file
is provided, its contents must match the additional authenticated data provided
during encryption and must not be larger than 64KiB. If you don't provide a
value for \f5\-\-additional\-authenticated\-data\-file\fR, an empty string is
used. For a thorough explanation of AAD, refer to this guide:
https://cloud.google.com/kms/docs/additional\-authenticated\-data

If \f5\-\-ciphertext\-file\fR or \f5\-\-additional\-authenticated\-data\-file\fR
is set to '\-', that file is read from stdin. Note that both files cannot be
read from stdin. Similarly, if \f5\-\-plaintext\-file\fR is set to '\-', the
decrypted plaintext is written to stdout.

By default, the command performs integrity verification on data sent to and
received from Cloud KMS. Use \f5\-\-skip\-integrity\-verification\fR to disable
integrity verification.



.SH "EXAMPLES"

To decrypt the file 'path/to/ciphertext' using the key \f5frodo\fR with key ring
\f5fellowship\fR and location \f5global\fR and write the plaintext to
\'path/to/plaintext.dec', run:

.RS 2m
$ gcloud alpha kms decrypt \-\-key=frodo \-\-keyring=fellowship \e
    \-\-location=global \-\-ciphertext\-file=path/to/input/ciphertext \e
    \-\-plaintext\-file=path/to/output/plaintext.dec
.RE

To decrypt the file 'path/to/ciphertext' using the key \f5frodo\fR and the
additional authenticated data that was used to encrypt the ciphertext, and write
the decrypted plaintext to stdout, run:

.RS 2m
$ gcloud alpha kms decrypt \-\-key=frodo \-\-keyring=fellowship \e
    \-\-location=global \e
    \-\-additional\-authenticated\-data\-file=path/to/aad \e
    \-\-ciphertext\-file=path/to/input/ciphertext \-\-plaintext\-file='\-'
.RE



.SH "REQUIRED FLAGS"

.RS 2m
.TP 2m
\fB\-\-ciphertext\-file\fR=\fICIPHERTEXT_FILE\fR

File path of the ciphertext file to decrypt. This file should contain the result
of encrypting a file with \f5gcloud kms encrypt\fR.

.TP 2m
\fB\-\-plaintext\-file\fR=\fIPLAINTEXT_FILE\fR

File path of the plaintext file to output.


.RE
.sp

.SH "OPTIONAL FLAGS"

.RS 2m
.TP 2m
\fB\-\-additional\-authenticated\-data\-file\fR=\fIADDITIONAL_AUTHENTICATED_DATA_FILE\fR

File path to the optional file containing the additional authenticated data.

.TP 2m
\fB\-\-key\fR=\fIKEY\fR

Cloud KMS key to use for decryption.
.RS 2m
.IP "\(em" 2m
For symmetric keys, Cloud KMS detects the decryption key version from the
ciphertext. If you specify a key version as part of a symmetric decryption
request, an error is logged and decryption fails.
.IP "\(em" 2m
For asymmetric keys, the encryption key version can't be detected automatically.
You must keep track of this information and provide the key version in the
decryption request. The key version itself is not sensitive data and does not
need to be encrypted.
.RE
.sp

.TP 2m
\fB\-\-keyring\fR=\fIKEYRING\fR

Key ring of the key.

.TP 2m
\fB\-\-location\fR=\fILOCATION\fR

Location of the keyring.

.TP 2m
\fB\-\-skip\-integrity\-verification\fR

Skip integrity verification on request and response API fields.


.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct project,
you might be trying to access an API with an invitation\-only early access
allowlist. These variants are also available:

.RS 2m
$ gcloud kms decrypt
.RE

.RS 2m
$ gcloud beta kms decrypt
.RE
@ Telegram