.TH "GCLOUD_ALPHA_KMS_RAW\-DECRYPT" 1



.SH "NAME"
.HP
gcloud alpha kms raw\-decrypt \- decrypt a ciphertext file using a raw key



.SH "SYNOPSIS"
.HP
\f5gcloud alpha kms raw\-decrypt\fR \fB\-\-ciphertext\-file\fR=\fICIPHERTEXT_FILE\fR \fB\-\-plaintext\-file\fR=\fIPLAINTEXT_FILE\fR \fB\-\-version\fR=\fIVERSION\fR [\fB\-\-additional\-authenticated\-data\-file\fR=\fIADDITIONAL_AUTHENTICATED_DATA_FILE\fR] [\fB\-\-initialization\-vector\-file\fR=\fIINITIALIZATION_VECTOR_FILE\fR] [\fB\-\-key\fR=\fIKEY\fR] [\fB\-\-keyring\fR=\fIKEYRING\fR] [\fB\-\-location\fR=\fILOCATION\fR] [\fB\-\-skip\-integrity\-verification\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\fB(ALPHA)\fR \f5gcloud alpha kms raw\-decrypt\fR decrypts the given ciphertext
file using the given CryptoKey containing a raw key and writes the result to the
named plaintext file. The ciphertext file must not be larger than 64KiB.

The supported algorithms are: \f5AES\-128\-GCM\fR, \f5AES\-256\-GCM\fR,
\f5AES\-128\-CBC\fR, \f5AES\-256\-CBC\fR, \f5AES\-128\-CTR\fR, and
\f5AES\-256\-CTR\fR.

\f5AES\-GCM\fR is an authenticated encryption mode and accepts additional
authenticated data (AAD), so the flag
\f5\-\-additional\-authenticated\-data\-file\fR is only valid with the
\f5AES\-128\-GCM\fR and \f5AES\-256\-GCM\fR algorithms. If AAD is provided
during encryption, it must be provided during decryption too. The AAD file must
not be larger than 64KiB.

If \f5\-\-plaintext\-file\fR or \f5\-\-additional\-authenticated\-data\-file\fR
or \f5\-\-initialization\-vector\-file\fR is set to '\-', that file is read from
stdin. Similarly, if \f5\-\-ciphertext\-file\fR is set to '\-', the ciphertext
is written to stdout.

By default, the command performs integrity verification on data sent to and
received from Cloud KMS. Use \f5\-\-skip\-integrity\-verification\fR to disable
integrity verification.



.SH "EXAMPLES"

The following command reads and decrypts the file
\f5path/to/input/ciphertext\fR. The file will be decrypted using the CryptoKey
\f5KEYNAME\fR containing a raw key, from the KeyRing \f5KEYRING\fR in the
\f5global\fR location. It uses the additional authenticated data file
\f5path/to/input/aad\fR (only valid with the \f5AES\-GCM\fR algorithms) and the
initialization vector file \f5path/to/input/iv\fR. The resulting plaintext will
be written to \f5path/to/output/plaintext\fR.

.RS 2m
$ gcloud alpha kms raw\-decrypt \-\-key=KEYNAME \-\-keyring=KEYRING \e
    \-\-location=global \-\-ciphertext\-file=path/to/input/ciphertext \e
    \-\-additional\-authenticated\-data\-file=path/to/input/aad \e
    \-\-initialization\-vector\-file=path/to/input/iv \e
    \-\-plaintext\-file=path/to/output/plaintext
.RE
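
An added pre-flight check, not part of gcloud or of this manual: it enforces the limits stated in DESCRIPTION (ciphertext and AAD files of at most 64KiB, AAD only with the AES\-GCM algorithms) before the command above is run. The function names, the return codes, and the requirement that the caller passes the key version's algorithm are assumptions of this example.

```shell
#!/bin/sh
# Added example (not gcloud code): validate raw-decrypt inputs against the
# limits and algorithm names documented in the DESCRIPTION section.
# A path of "-" (stdin/stdout) is not handled; real files are expected.
KMS_RAW_MAX_BYTES=65536   # 64KiB

# file_size PATH -> prints the size of PATH in bytes
file_size() {
    wc -c < "$1" | tr -d ' '
}

# is_gcm ALGORITHM -> returns 0 only for the AES-GCM variants
is_gcm() {
    case "$1" in
        AES-128-GCM|AES-256-GCM) return 0 ;;
        *) return 1 ;;
    esac
}

# raw_decrypt_preflight ALGORITHM CIPHERTEXT_FILE [AAD_FILE]
# Prints "ok" and returns 0, or prints a reason and returns non-zero.
raw_decrypt_preflight() {
    alg=$1; ct=$2; aad=${3:-}
    case "$alg" in
        AES-128-GCM|AES-256-GCM|AES-128-CBC|AES-256-CBC|AES-128-CTR|AES-256-CTR) ;;
        *) echo "unsupported algorithm: $alg"; return 2 ;;
    esac
    [ -f "$ct" ] || { echo "ciphertext file not found: $ct"; return 3; }
    if [ "$(file_size "$ct")" -gt "$KMS_RAW_MAX_BYTES" ]; then
        echo "ciphertext larger than 64KiB"; return 4
    fi
    if [ -n "$aad" ]; then
        # AAD is only meaningful for authenticated modes.
        is_gcm "$alg" || { echo "AAD is only valid with AES-GCM, not $alg"; return 5; }
        [ -f "$aad" ] || { echo "AAD file not found: $aad"; return 6; }
        if [ "$(file_size "$aad")" -gt "$KMS_RAW_MAX_BYTES" ]; then
            echo "AAD larger than 64KiB"; return 7
        fi
    fi
    echo "ok"
}
```
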



.SH "REQUIRED FLAGS"

.RS 2m
.TP 2m
\fB\-\-ciphertext\-file\fR=\fICIPHERTEXT_FILE\fR

File path of the ciphertext file to decrypt.

.TP 2m
\fB\-\-plaintext\-file\fR=\fIPLAINTEXT_FILE\fR

File path of the plaintext file to store the decrypted data.

.TP 2m
\fB\-\-version\fR=\fIVERSION\fR

Version to use for decryption.


.RE
.sp

.SH "OPTIONAL FLAGS"

.RS 2m
.TP 2m
\fB\-\-additional\-authenticated\-data\-file\fR=\fIADDITIONAL_AUTHENTICATED_DATA_FILE\fR

File path to the optional file containing the additional authenticated data.

.TP 2m
\fB\-\-initialization\-vector\-file\fR=\fIINITIALIZATION_VECTOR_FILE\fR

File path to the optional file containing the initialization vector for
decryption.

.TP 2m
\fB\-\-key\fR=\fIKEY\fR

The (raw) key to use for decryption.

.TP 2m
\fB\-\-keyring\fR=\fIKEYRING\fR

Key ring of the key.

.TP 2m
\fB\-\-location\fR=\fILOCATION\fR

Location of the keyring.

.TP 2m
\fB\-\-skip\-integrity\-verification\fR

Skip integrity verification on request and response API fields.


.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct project,
you might be trying to access an API with an invitation\-only early access
allowlist. These variants are also available:

.RS 2m
$ gcloud kms raw\-decrypt
.RE

.RS 2m
$ gcloud beta kms raw\-decrypt
.RE