Method: cryptoKeyVersions.rawDecrypt

Full name: projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.rawDecrypt

Decrypts data that was originally encrypted using a raw cryptographic mechanism. The CryptoKey.purpose must be RAW_ENCRYPT_DECRYPT.

HTTP request

POST https://cloudkms.googleapis.com/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:rawDecrypt

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
name

string

Required. The resource name of the CryptoKeyVersion to use for decryption.

Authorization requires the following IAM permission on the specified resource name:

  • cloudkms.cryptoKeyVersions.useToDecrypt

Request body

The request body contains data with the following structure:

JSON representation 
{
  "ciphertext": string,
  "additionalAuthenticatedData": string,
  "initializationVector": string,
  "tagLength": integer,
  "ciphertextCrc32c": string,
  "additionalAuthenticatedDataCrc32c": string,
  "initializationVectorCrc32c": string
}
Fields
ciphertext

string (bytes format)

Required. The encrypted data originally returned in RawEncryptResponse.ciphertext.

A base64-encoded string.
additionalAuthenticatedData

string (bytes format)

Optional. Optional data that must match the data originally supplied in RawEncryptRequest.additional_authenticated_data.

A base64-encoded string.
initializationVector

string (bytes format)

Required. The initialization vector (IV) used during encryption, which must match the data originally provided in RawEncryptResponse.initialization_vector.

A base64-encoded string.
tagLength

integer

The length of the authentication tag that is appended to the end of the ciphertext. If unspecified (0), the default value for the key's algorithm will be used (for AES-GCM, the default value is 16).
ciphertextCrc32c

string (Int64Value format)

Optional. An optional CRC32C checksum of the RawDecryptRequest.ciphertext. If specified, KeyManagementService will verify the integrity of the received ciphertext using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(ciphertext) is equal to ciphertextCrc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
additionalAuthenticatedDataCrc32c

string (Int64Value format)

Optional. An optional CRC32C checksum of the RawDecryptRequest.additional_authenticated_data. If specified, KeyManagementService will verify the integrity of the received additionalAuthenticatedData using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(additionalAuthenticatedData) is equal to additionalAuthenticatedDataCrc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
initializationVectorCrc32c

string (Int64Value format)

Optional. An optional CRC32C checksum of the RawDecryptRequest.initialization_vector. If specified, KeyManagementService will verify the integrity of the received initializationVector using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(initializationVector) is equal to initializationVectorCrc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

Response body

Response message for KeyManagementService.RawDecrypt.

If successful, the response body contains data with the following structure:

JSON representation 
{
  "plaintext": string,
  "plaintextCrc32c": string,
  "protectionLevel": enum (ProtectionLevel),
  "verifiedCiphertextCrc32c": boolean,
  "verifiedAdditionalAuthenticatedDataCrc32c": boolean,
  "verifiedInitializationVectorCrc32c": boolean
}
Fields
plaintext

string (bytes format)

The decrypted data.

A base64-encoded string.
plaintextCrc32c

string (Int64Value format)

Integrity verification field. A CRC32C checksum of the returned RawDecryptResponse.plaintext. An integrity check of plaintext can be performed by computing the CRC32C checksum of plaintext and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: receiving this response message indicates that KeyManagementService is able to successfully decrypt the ciphertext. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
protectionLevel

enum (ProtectionLevel)

The ProtectionLevel of the CryptoKeyVersion used in decryption.
verifiedCiphertextCrc32c

boolean

Integrity verification field. A flag indicating whether RawDecryptRequest.ciphertext_crc32c was received by KeyManagementService and used for the integrity verification of the ciphertext. A false value of this field indicates either that RawDecryptRequest.ciphertext_crc32c was left unset or that it was not delivered to KeyManagementService. If you've set RawDecryptRequest.ciphertext_crc32c but this field is still false, discard the response and perform a limited number of retries.
verifiedAdditionalAuthenticatedDataCrc32c

boolean

Integrity verification field. A flag indicating whether RawDecryptRequest.additional_authenticated_data_crc32c was received by KeyManagementService and used for the integrity verification of additionalAuthenticatedData. A false value of this field indicates either that // RawDecryptRequest.additional_authenticated_data_crc32c was left unset or that it was not delivered to KeyManagementService. If you've set RawDecryptRequest.additional_authenticated_data_crc32c but this field is still false, discard the response and perform a limited number of retries.
verifiedInitializationVectorCrc32c

boolean

Integrity verification field. A flag indicating whether RawDecryptRequest.initialization_vector_crc32c was received by KeyManagementService and used for the integrity verification of initializationVector. A false value of this field indicates either that RawDecryptRequest.initialization_vector_crc32c was left unset or that it was not delivered to KeyManagementService. If you've set RawDecryptRequest.initialization_vector_crc32c but this field is still false, discard the response and perform a limited number of retries.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloudkms
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.