LinuxCommandLibrary

gcloud-kms-decrypt

Decrypt data using Google Cloud KMS

TLDR

Decrypt a file using a specified key, key ring, and location

$ gcloud kms decrypt --key=[key_name] --keyring=[keyring_name] --location=[global] --ciphertext-file=[path/to/ciphertext] --plaintext-file=[path/to/plaintext]

Decrypt a file with additional authenticated data (AAD) and write the decrypted plaintext to stdout

$ gcloud kms decrypt --key=[key_name] --keyring=[keyring_name] --location=[global] --additional-authenticated-data-file=[path/to/file.aad] --ciphertext-file=[path/to/ciphertext] --plaintext-file=-

SYNOPSIS

gcloud kms decrypt CIPHERTEXT-FILE
[--ciphertext-file=CIPHERTEXT-FILE] [--plaintext-file=PLAINTEXT-FILE]
[--location=LOCATION] [--keyring=KEYRING] [--key=KEY] [--key-version=KEY_VERSION]
[--authentication-token-file=AUTH_TOKEN_FILE] [--project=PROJECT]
[GCLOUD-WIDE-FLAGS]

PARAMETERS

--authentication-token-file
    File containing authentication token for additional auth

--ciphertext-file
    File with base64-encoded ciphertext (overrides positional arg)

--key
    KMS key ID used for decryption

--keyring
    KMS keyring containing the key

--key-version
    Specific key version (defaults to primary)

--location
    Location (e.g., global, us-central1) of keyring

--plaintext-file
    Output file for decrypted plaintext (stdout if omitted)

--project
    Google Cloud project ID

DESCRIPTION

The gcloud kms decrypt command is a subcommand of the Google Cloud CLI (gcloud) used to decrypt data encrypted with Cloud Key Management Service (KMS). It processes ciphertext generated by gcloud kms encrypt or asymmetric signing operations, returning the original plaintext.

Users specify the KMS key via --location, --keyring, and --key (optionally --key-version). Ciphertext is read from a file (--ciphertext-file) or from stdin (positional argument), and plaintext is written to a file (--plaintext-file) or to stdout. Because the key material never leaves KMS, the client only ever handles ciphertext and plaintext, never the key itself.

Common use cases include decrypting application secrets, database credentials, or configuration files that are stored encrypted in version control or cloud storage. The caller needs an IAM role that grants decryption, such as roles/cloudkms.cryptoKeyDecrypter. Both symmetric and asymmetric keys are supported, at either the HSM or software protection level.

If the input was base64-encoded, the output is base64-encoded as well, so the data passes through unchanged. The command integrates with other gcloud services for automated workflows.
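The automated-workflow use case above (pulling an encrypted secret out of storage and decrypting it for a process), as an added example that is not from LinuxCommandLibrary or the gcloud project: a POSIX sh wrapper around gcloud kms decrypt that validates the resource ids before they become flags, refuses to write plaintext over a pre-existing symlink, creates the output file owner-only, and passes an AAD file through when the ciphertext was bound to a context. The GCLOUD variable, the function names, and the key, keyring and location values in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from LinuxCommandLibrary or the gcloud project):
# a small wrapper around `gcloud kms decrypt` for scripted secret retrieval.
set -eu

# Command used to reach gcloud. Overridable (assumption for this example)
# so the wrapper can be exercised without a real Cloud KMS behind it.
GCLOUD="${GCLOUD:-gcloud}"

# Accept only names that look like KMS resource ids, so a stray value taken
# from the environment cannot turn into an unexpected flag or path.
kms_valid_id() {
  case "$1" in
    ''|-*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# kms_decrypt_file LOCATION KEYRING KEY CIPHERTEXT PLAINTEXT [AAD_FILE]
#   PLAINTEXT may be "-" to stream the secret to stdout (for a pipe) instead
#   of writing it to disk. AAD_FILE, when given, must be the same data that
#   was supplied at encryption time or KMS refuses to decrypt.
kms_decrypt_file() {
  location=$1 keyring=$2 key=$3 ciphertext=$4 plaintext=$5
  aad_file=${6:-}

  for id in "$location" "$keyring" "$key"; do
    kms_valid_id "$id" || { echo "kms_decrypt_file: bad resource id '$id'" >&2; return 2; }
  done
  [ -s "$ciphertext" ] || { echo "kms_decrypt_file: missing or empty ciphertext: $ciphertext" >&2; return 2; }

  # Assemble the gcloud argument list in the function's positional parameters.
  set -- kms decrypt \
    "--location=$location" "--keyring=$keyring" "--key=$key" \
    "--ciphertext-file=$ciphertext" "--plaintext-file=$plaintext"
  if [ -n "$aad_file" ]; then
    [ -s "$aad_file" ] || { echo "kms_decrypt_file: missing or empty AAD file: $aad_file" >&2; return 2; }
    set -- "$@" "--additional-authenticated-data-file=$aad_file"
  fi

  # Streaming to stdout: nothing touches the filesystem, just run it.
  if [ "$plaintext" = - ]; then
    "$GCLOUD" "$@"
    return
  fi

  # A planted symlink at the output path would redirect the secret elsewhere.
  if [ -L "$plaintext" ]; then
    echo "kms_decrypt_file: refusing to write through symlink: $plaintext" >&2
    return 2
  fi

  # Create the plaintext file owner-only from the moment it exists, then
  # tighten the mode again in case the file was already there.
  ( umask 077 && "$GCLOUD" "$@" )
  chmod 600 "$plaintext"
}
```

Call it as `kms_decrypt_file global my-ring my-key secret.txt.cipher secret.txt` (or with `-` as the last argument to pipe the secret straight into the consuming process). The umask subshell matters more than the final chmod: it closes the window between the file being created and the mode being changed.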

CAVEATS

Requires a prior gcloud auth login and IAM permission to decrypt. The ciphertext must have been produced with the specified key (and key version, if given). In some configurations stdin/stdout piping is not available and files must be used. Asymmetric decryption requires a public key in a matching format.

EXAMPLES

gcloud kms decrypt secret.txt.cipher --ciphertext-file=secret.txt.cipher --location=global --keyring=my-ring --key=my-key --plaintext-file=secret.txt
Decrypts the file with the specified key and writes the plaintext to secret.txt.

REQUIREMENTS

Install via gcloud components install. Needs cloud-platform scope or service account.

HISTORY

Introduced in Google Cloud SDK v200+. Evolved with gcloud CLI unification in 2018, adding support for multi-region keys and customer-managed EKM in 2020+. Tracks Cloud KMS API v1.

SEE ALSO

gcloud kms encrypt(1), gcloud(1), openssl(1)
