gcloud-kms-decrypt

Decrypt file

$ gcloud kms decrypt --ciphertext-file=[encrypted.enc] --plaintext-file=[decrypted.txt] --key=[key] --keyring=[keyring] --location=[global]

$ cat [encrypted.enc] | gcloud kms decrypt --ciphertext-file=- --plaintext-file=[output.txt] --key=[key] --keyring=[keyring] --location=[global]

$ gcloud kms decrypt --ciphertext-file=[encrypted.enc] --plaintext-file=- --key=[key] --keyring=[keyring] --location=[global]

gcloud kms decrypt [options]

gcloud kms decrypt uses Cloud Key Management Service to decrypt data that was previously encrypted with a Cloud KMS key. KMS provides centralized cryptographic key management, separating key storage and access control from the applications that use them.
The decryption operation requires specifying the exact key, keyring, and location used during encryption. Access to decrypt is controlled by IAM permissions on the key, allowing fine-grained control over who can decrypt sensitive data. This enables secure secrets management where encrypted data can be stored in version control or configuration files while keys remain secured in KMS.
The command supports reading from files or stdin and writing to files or stdout, enabling integration into pipelines and scripts. Cloud KMS is commonly used for envelope encryption, where data encryption keys are themselves encrypted by KMS keys, providing an additional security layer. This is the standard pattern for encrypting application secrets, database credentials, and other sensitive configuration data in Google Cloud environments.

--ciphertext-file FILE

Encrypted input file.

Decrypted output file.

Crypto key name.

Key ring name.

Key location.

Display help information.

Requires KMS permissions. Key must match encryption key. Location must be correct.

gcloud kms decrypt is part of the Google Cloud SDK for Cloud KMS, Google's managed service for cryptographic key management.

gcloud(1), gcloud-kms-encrypt(1)