
Key Management Service:AdvanceDecrypt

Last Updated:Feb 28, 2024

Decrypts ciphertext into plaintext.

Usage notes

If you encrypted data by calling the AdvanceEncrypt, AdvanceGenerateDataKey, Encrypt, or GenerateDataKey operation with a symmetric key in a Key Management Service (KMS) instance of the software key management type, you can call the AdvanceDecrypt operation to decrypt that data.

For more information about key specifications and encryption modes, see Key types and specifications.

Request parameters

Parameter | Type | Required | Example
(the description follows each entry)

CiphertextBlob | bytes | Yes | Binary data
  The ciphertext that you want to decrypt.

KeyId | string | No | key-hzz62f1cb66fa42qo****
  The globally unique ID of the key. You can set this parameter to an alias that is bound to the key.
  This parameter is required only when you decrypt ciphertext that was generated by calling the Encrypt or GenerateDataKey operation.

Algorithm | string | No | AES_GCM
  The decryption algorithm.
  This parameter is required only when you decrypt ciphertext that was generated by calling the Encrypt or GenerateDataKey operation.
  Important: The value must be the same as the algorithm that was used during encryption.

Iv | bytes | No | Binary data
  The initialization vector.
  This parameter is required only when you decrypt ciphertext that was generated by calling the Encrypt or GenerateDataKey operation and Algorithm is set to AES_GCM or AES_CBC.
  • If Algorithm is set to AES_CBC, the value of Iv must be 16 bytes in length.
  • If Algorithm is set to AES_GCM, the value of Iv must be 12 bytes in length.
  Important: The value must be the same as the initialization vector that was used during encryption.

Aad | bytes | No | Binary data
  The additional authenticated data (AAD). The value can be up to 8,192 bytes in length.
  This parameter is required only when Algorithm is set to AES_GCM and Aad was specified during encryption.
  Important: The value must be the same as the authenticated data that was used during encryption.

PaddingMode | string | No | PKCS7_PADDING
  The padding mode.
  This parameter is required only when the encryption algorithm is AES_CBC or AES_ECB.
  Important: The value must be the same as the padding mode that was used during encryption.
  Valid values:
  • PKCS7_PADDING: PKCS#7 padding is used. This is the default value. The plaintext length does not need to be an integer multiple of the cipher block size in bytes.
    If the plaintext is L bytes long and the cipher block size is K bytes, the system appends K - (L mod K) padding bytes, each with the value K - (L mod K). When L is already a multiple of K, a full block of K padding bytes is appended.
  • NO_PADDING: No padding is added to the plaintext. The plaintext length must be an integer multiple of the cipher block size in bytes.
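As an added example (not code from the Alibaba Cloud KMS documentation or SDK), the following Python mirrors the parameter rules above as a client-side pre-flight check and implements the PKCS#7 rule quoted under PaddingMode, so that an inconsistent request is caught locally rather than coming back as a generic InternalFailure. The function names and the `from_basic_encrypt` flag are hypothetical, and the checks assume a 16-byte AES block.

```python
from typing import List, Optional

BLOCK_SIZE = 16                           # AES block size in bytes (K in the PKCS#7 rule)
IV_LEN = {"AES_GCM": 12, "AES_CBC": 16}   # Iv lengths the parameter table requires
MAX_AAD = 8192                            # Aad upper bound from the parameter table

def pkcs7_pad(data: bytes, k: int = BLOCK_SIZE) -> bytes:
    """Append K - (L mod K) bytes, each holding that value (a full block if L mod K == 0)."""
    n = k - (len(data) % k)
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes, k: int = BLOCK_SIZE) -> bytes:
    """Strip PKCS#7 padding, rejecting input whose trailing bytes are not well formed."""
    if not data or len(data) % k:
        raise ValueError("padded length must be a positive multiple of the block size")
    n = data[-1]
    if not 1 <= n <= k or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]

def check_advance_decrypt_params(ciphertext: bytes, *, from_basic_encrypt: bool,
                                 key_id: Optional[str] = None, algorithm: Optional[str] = None,
                                 iv: Optional[bytes] = None, aad: Optional[bytes] = None,
                                 padding_mode: Optional[str] = None) -> List[str]:
    """Return the rule violations found; an empty list means the request is consistent.
    from_basic_encrypt (hypothetical, not an API parameter) marks ciphertext produced by
    Encrypt/GenerateDataKey, for which KeyId, Algorithm and Iv become mandatory."""
    problems = []
    if not ciphertext:
        problems.append("CiphertextBlob is required")
    if from_basic_encrypt:
        if not key_id:
            problems.append("KeyId is required for Encrypt/GenerateDataKey ciphertext")
        if not algorithm:
            problems.append("Algorithm is required for Encrypt/GenerateDataKey ciphertext")
        if algorithm in IV_LEN and (iv is None or len(iv) != IV_LEN[algorithm]):
            problems.append(f"Iv must be {IV_LEN[algorithm]} bytes for {algorithm}")
    if aad is not None and len(aad) > MAX_AAD:
        problems.append(f"Aad exceeds {MAX_AAD} bytes")
    if algorithm in ("AES_CBC", "AES_ECB"):
        # PaddingMode may be omitted: PKCS7_PADDING is the documented default.
        if padding_mode not in (None, "PKCS7_PADDING", "NO_PADDING"):
            problems.append("PaddingMode must be PKCS7_PADDING or NO_PADDING for AES_CBC/AES_ECB")
        elif padding_mode == "NO_PADDING" and len(ciphertext) % BLOCK_SIZE:
            problems.append("NO_PADDING requires a length that is a multiple of the block size")
    return problems
```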

Response parameters

Parameter | Type | Example
(the description follows each entry)

Plaintext | bytes | Binary data
  The decrypted plaintext.

KeyId | string | key-hzz62f1cb66fa42qo****
  The globally unique ID of the key. If you set KeyId in the request to an alias of the key, the ID of the key to which the alias is bound is returned.

KeyVersionId | string | key-hzz62f1cb66fa42qo****-17kedv****
  The ID of the key version that was used to decrypt the ciphertext.

Algorithm | string | AES_GCM
  The decryption algorithm.

PaddingMode | string | PKCS7_PADDING
  The padding mode.
  A valid value is returned only when the encryption algorithm (Algorithm) is AES_CBC or AES_ECB. In other cases, an empty value is returned.

RequestId | string | c0037a6d-7784-4ef2-a692-288fdcbc7b9d
  The ID of the request, which is used to locate and troubleshoot issues.

Error codes

HTTP status code | Error code | Error message
(the description follows each entry)

404 | Forbidden.OnlySymmetricKeySupported | The key %s is not a symmetric key. The API only supports symmetric keys.
  Only symmetric keys are supported.

500 | InternalFailure | Internal Failure.
  Possible causes:
  • The ciphertext does not meet the requirements. For example, the ciphertext was not generated by calling the AdvanceEncrypt operation.
  • The key specified by the request parameters is not the key that was used for encryption.
  If the preceding causes are ruled out, submit a ticket to contact technical support.

For a list of error codes, see Service error codes.