Decrypting Data

Learn how to decrypt data with a master encryption key using either the CLI or API. Note that this operation can't be performed in the OCI Console.

• Console
• CLI
• API

• This task isn't available in the OCI Console.

• Note
  
  You can use either AES symmetric keys or RSA asymmetric keys to encrypt or decrypt data. ECDSA keys don't support vault cryptography required to encrypt or decrypt data. To decrypt data by using an RSA asymmetric key, if the key has been rotated and has a key version identifier, you must also provide the --key-version-id of the key. To decrypt the data, you must provide the same --key-version-id. The need to track key versions exists because, unlike symmetric keys, an asymmetric key's ciphertext doesn't contain the information that the service needs for decryption purposes.

  Open a command prompt and run oci kms crypto decrypt to decrypt data.

  RSA keys: Note that the --encryption-algorithm parameter must be included in the command for RSA keys. To decrypt data with an RSA key, use the following command. If you haven't rotated the key, you don't need the --key-version-id flag:

  oci kms crypto decrypt --key-id <key_OCID> --key-version-id <key_version_OCID> --ciphertext <ciphertext> --endpoint <cryptographic_endpoint> --encryption-algorithm <encryption_algorithm>

  Example: RSA key, encryption algorithm RSA_OAEP_SHA_256

  oci kms crypto decrypt --key-id ocid1.key.oc1.ap-mumbai-1.example123eu6.abrg6ljrn4j3fyhrx4kttej5hj2lxjfzywwuc7353frutrut2i5cw6fshtwa --ciphertext example123nR2ZtkUOobWRHVs4/nbrKElKBuyPdUnNBnOyd1w0F78+Ch31Pb+BrDCiftpx/example123+IaKZzLZOA/vazlz2nlqQIVSHpXL82nbj1wiVhaInoB2NiVGmDJRJwXxOsdllkkmmtdCScCDB3t2KbBniX4zRxyndv+b47hZw/jaRrN/w2X7gFsFi/example123n3zjE+/example123RR56nAbrITj3xc/example123d7RA35AU7W1p+b8P3pfXEn1OTu3HWENNe5SavPGBwkVsfbXv45ht1kTP9gpkDYMN7PhWxJHQqQFIKoVJscV1uvgNT9OLo9xEsfx7MXMnKA7VJrU1S/example1237p5o+RlWoksWfH2s2IyBML5Z5wX8cArTN1zisSluTlJYJMoM3pexaECrT0ObyajL2TmXY93P2AN7vgmO4OzaEwgvk2ImUt/example123B96Vn1kXYUjmSWQYQMmRkyMTRtPq8Bd92QmIvG31erkJ+984DWhtGSJka5zllhmcMLSObYIFw6A/example123qwhX+WxlMxCOPgb0c0g9LrIx7i0cVvwLhZPX1g2EhoB5yv2Gt5WSH40MxvnUPRKElqbj0e8c8aUsrlqazzfceNufRLHrv6l2IVSVTKX6VVgM1AGpJaoUbCTn4= --endpoint https://example123eu6-crypto.kms.ap-mumbai-1.oraclecloud.com --encryption-algorithm RSA_OAEP_SHA_256

  AES keys: To decrypt data with an AES key, use the following command:

  oci kms crypto decrypt --key-id <key_OCID> --ciphertext <ciphertext> --endpoint <cryptographic_endpoint>

  Example: AES key with AES_256_GCM algorithm

  oci kms crypto decrypt --key-id ocid1.key.oc1.ap-mumbai-1.example123eu6.abrg6ljrslqbj6uqmbi5w7ystmdli2tbzlam7wqr3qtznlvghjhmw2macsea --ciphertext example123iYAD9owuLfMJ/QranyQuagBZmBXbeNOcu7HNDtw2fnMOfoAAAAAA== --endpoint https://example123eu6-crypto.kms.ap-mumbai-1.oraclecloud.com  --encryption-algorithm AES_256_GCM

  For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.

• Use the Decrypt API with the Cryptographic Endpoint to decrypt data.

  Note
  
  

  The Management Endpoint is used for management operations including Create, Update, List, Get, and Delete. The Management Endpoint is also called the control plane URL or the KMSMANAGMENT endpoint.

  The Cryptographic Endpoint is used for cryptographic operations including Encrypt, Decrypt, Generate Data Encryption Key, Sign, and Verify. The Cryptographic Endpoint is also called the data plane URL or the KMSCRYPTO endpoint.

  You can find the management and cryptographic endpoints in a vault's details metadata. See Getting a Vault's Details for instructions.

  For regional endpoints for the Key Management, Secret Management, and Secret Retrieval APIs, see API Reference and Endpoints.

  For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.