.TH "GCLOUD_KMS_RAW\-DECRYPT" 1



.SH "NAME"
.HP
gcloud kms raw\-decrypt \- decrypt a ciphertext file using a raw key



.SH "SYNOPSIS"
.HP
\f5gcloud kms raw\-decrypt\fR \fB\-\-ciphertext\-file\fR=\fICIPHERTEXT_FILE\fR \fB\-\-plaintext\-file\fR=\fIPLAINTEXT_FILE\fR \fB\-\-version\fR=\fIVERSION\fR [\fB\-\-additional\-authenticated\-data\-file\fR=\fIADDITIONAL_AUTHENTICATED_DATA_FILE\fR] [\fB\-\-initialization\-vector\-file\fR=\fIINITIALIZATION_VECTOR_FILE\fR] [\fB\-\-key\fR=\fIKEY\fR] [\fB\-\-keyring\fR=\fIKEYRING\fR] [\fB\-\-location\fR=\fILOCATION\fR] [\fB\-\-skip\-integrity\-verification\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\f5gcloud kms raw\-decrypt\fR decrypts the given ciphertext file using the given
CryptoKey containing a raw key and writes the result to the named plaintext
file. The ciphertext file must not be larger than 64KiB.

The supported algorithms are: \f5AES\-128\-GCM\fR, \f5AES\-256\-GCM\fR,
\f5AES\-128\-CBC\fR, \f5AES\-256\-CBC\fR, \f5AES\-128\-CTR\fR, and
\f5AES\-256\-CTR\fR.

\f5AES\-GCM\fR provides authentication which means that it accepts additional
authenticated data (AAD). So, the flag
\f5\-\-additional\-authenticated\-data\-file\fR is only valid with
\f5AES\-128\-GCM\fR and \f5AES\-256\-GCM\fR algorithms. If AAD is provided
during encryption, it must be provided during decryption too. The file must not
be larger than 64KiB.

If \f5\-\-plaintext\-file\fR or \f5\-\-additional\-authenticated\-data\-file\fR
or \f5\-\-initialization\-vector\-file\fR is set to '\-', that file is read from
stdin. Similarly, if \f5\-\-ciphertext\-file\fR is set to '\-', the ciphertext
is written to stdout.

By default, the command performs integrity verification on data sent to and
received from Cloud KMS. Use \f5\-\-skip\-integrity\-verification\fR to disable
integrity verification.



.SH "EXAMPLES"

The following command reads and decrypts the file
\f5path/to/input/ciphertext\fR. The file will be decrypted using the CryptoKey
\f5KEYNAME\fR containing a raw key, from the KeyRing \f5KEYRING\fR in the
\f5global\fR location. It uses the additional authenticated data file
\f5path/to/input/aad\fR (only valid with the \f5AES\-GCM\fR algorithms) and the
initialization vector file \f5path/to/input/iv\fR. The resulting plaintext will
be written to \f5path/to/output/plaintext\fR.

.RS 2m
$ gcloud kms raw\-decrypt \-\-key=KEYNAME \-\-keyring=KEYRING \e
    \-\-location=global \-\-ciphertext\-file=path/to/input/ciphertext \e
    \-\-additional\-authenticated\-data\-file=path/to/input/aad \e
    \-\-initialization\-vector\-file=path/to/input/iv \e
    \-\-plaintext\-file=path/to/output/plaintext
.RE
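
The limits stated in DESCRIPTION can be checked locally before the command is run. The following is an added example, not part of gcloud or of the original page: the function names are hypothetical, and it assumes the caller already knows the key version's algorithm and passes it in using the names listed above.

```shell
#!/bin/sh
# Added example: pre-flight checks for gcloud kms raw-decrypt inputs,
# using only the limits stated in this man page.
# Handles regular files only; inputs given as "-" (stdin) are not checked.
KMS_MAX_BYTES=65536   # 64KiB limit for the ciphertext and AAD files

# kms_file_size FILE: print the size of FILE in bytes.
kms_file_size() {
    wc -c < "$1" | tr -d ' '
}

# kms_raw_decrypt_preflight ALGORITHM CIPHERTEXT_FILE [AAD_FILE]
# ALGORITHM is supplied by the caller (assumption, see lead-in).
# Returns 0 when the inputs satisfy the documented limits, otherwise:
#   2 unsupported algorithm      3 ciphertext missing or too large
#   4 AAD given for non-GCM key  5 AAD missing or too large
kms_raw_decrypt_preflight() {
    algo=$1
    ct=$2
    aad=${3:-}
    case "$algo" in
        AES-128-GCM|AES-256-GCM) gcm=1 ;;
        AES-128-CBC|AES-256-CBC|AES-128-CTR|AES-256-CTR) gcm=0 ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    if [ ! -f "$ct" ] || [ "$(kms_file_size "$ct")" -gt "$KMS_MAX_BYTES" ]; then
        echo "ciphertext file missing or larger than 64KiB: $ct" >&2
        return 3
    fi
    if [ -n "$aad" ]; then
        if [ "$gcm" -ne 1 ]; then
            echo "AAD file is only valid with AES-GCM, not $algo" >&2
            return 4
        fi
        if [ ! -f "$aad" ] || [ "$(kms_file_size "$aad")" -gt "$KMS_MAX_BYTES" ]; then
            echo "AAD file missing or larger than 64KiB: $aad" >&2
            return 5
        fi
    fi
    return 0
}
```

A zero return only means the documented size and algorithm constraints hold; whether the AAD matches what was used at encryption is still decided by the decryption itself.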



.SH "REQUIRED FLAGS"

.RS 2m
.TP 2m
\fB\-\-ciphertext\-file\fR=\fICIPHERTEXT_FILE\fR

File path of the ciphertext file to decrypt.

.TP 2m
\fB\-\-plaintext\-file\fR=\fIPLAINTEXT_FILE\fR

File path of the plaintext file to store the decrypted data.

.TP 2m
\fB\-\-version\fR=\fIVERSION\fR

Version to use for decryption.


.RE
.sp

.SH "OPTIONAL FLAGS"

.RS 2m
.TP 2m
\fB\-\-additional\-authenticated\-data\-file\fR=\fIADDITIONAL_AUTHENTICATED_DATA_FILE\fR

File path to the optional file containing the additional authenticated data.

.TP 2m
\fB\-\-initialization\-vector\-file\fR=\fIINITIALIZATION_VECTOR_FILE\fR

File path to the optional file containing the initialization vector for
decryption.

.TP 2m
\fB\-\-key\fR=\fIKEY\fR

The (raw) key to use for decryption.

.TP 2m
\fB\-\-keyring\fR=\fIKEYRING\fR

Key ring of the key.

.TP 2m
\fB\-\-location\fR=\fILOCATION\fR

Location of the keyring.

.TP 2m
\fB\-\-skip\-integrity\-verification\fR

Skip integrity verification on request and response API fields.


.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

These variants are also available:

.RS 2m
$ gcloud alpha kms raw\-decrypt
.RE

.RS 2m
$ gcloud beta kms raw\-decrypt
.RE