Decrypts ciphertext.
Usage notes
After you call the Encrypt or GenerateDataKey operation to generate ciphertext, you can call the Decrypt operation to decrypt the ciphertext.
The following table describes encryption algorithms and padding modes for different types of keys.
Key specifications | Encryption algorithm | Padding mode | Description |
| AES_GCM (default value) | N/A | Galois/Counter Mode (GCM) is used. |
| AES_CBC | | The cipher block chaining (CBC) mode is used. The padding mode can be configured. Note: Only KMS instances of the hardware key management type support this encryption algorithm. |
| AES_ECB | | The electronic codebook (ECB) mode is used. The padding mode can be configured. Note: Only KMS instances of the hardware key management type support this encryption algorithm. |
| RSAES_OAEP_SHA_256 (default value) | N/A | RSAES-OAEP using SHA-256 and MGF1 with SHA-256 |
| ECIES_DH_SHA_1_XOR_HMAC (default value) | N/A | Follows the following SEC 1: Elliptic Curve Cryptography, Version 2.0 standards: |
Request message definition
message DecryptRequest {
    bytes CiphertextBlob = 1;
    string KeyId = 2;
    string Algorithm = 3;
    bytes Aad = 4;
    bytes Iv = 5;
    string PaddingMode = 6;
}
Request parameters
Parameter | Type | Required | Example | Description |
KeyId | string | Yes | key-hzz62f1cb66fa42qo**** | The globally unique ID of the key. You can set the value to an alias that is bound to the key. |
Algorithm | string | No | AES_GCM | The decryption algorithm. For more information about the valid values and default values, see the Encryption algorithm column in the table in the Usage notes section of this topic. Important: The algorithm must be the same as the algorithm used for encryption. |
Iv | bytes | No | Binary data | The initialization vector (IV) that was used to encrypt the data. This parameter is required only when Algorithm is set to AES_GCM, AES_CBC, or SM4_GCM. Important: The IV must be the same as the IV that was used for data encryption. |
CiphertextBlob | bytes | Yes | Binary data | The ciphertext that you want to decrypt. Note: When the Elliptic Curve Integrated Encryption Scheme (ECIES) algorithm is used, the ciphertext format follows the SEC 1: Elliptic Curve Cryptography, Version 2.0 standards. |
Aad | bytes | No | Binary data | The additional authenticated data (AAD). The value can be up to 8,192 bytes in length. This parameter is required only when Algorithm is set to AES_GCM or SM4_GCM and Aad was specified during data encryption. Important: The value must be the same as the value used for data encryption. |
PaddingMode | string | No | PKCS7_PADDING | The padding mode. This parameter is required only when Algorithm is set to AES_CBC or AES_ECB. For more information, see the Padding mode column in the table in the Usage notes section of this topic. Important: The value must be the same as the value used for data encryption. Valid values:
|
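The parameter rules above can be checked on the client before a request is sent. The following is an added example, not code from this documentation or from the KMS SDK: the function names, the stored-record layout, and the sample byte values are assumptions, and the check that rejects Aad for algorithms other than AES_GCM and SM4_GCM is a client-side lint rather than documented service behavior.

```python
# Added example: lint a DecryptRequest against the parameter rules in the table above.
IV_ALGORITHMS = {"AES_GCM", "AES_CBC", "SM4_GCM"}   # Iv is required
AAD_ALGORITHMS = {"AES_GCM", "SM4_GCM"}             # Aad applies
PADDING_ALGORITHMS = {"AES_CBC", "AES_ECB"}         # PaddingMode is required
MAX_AAD_BYTES = 8192
REQUEST_FIELDS = ("CiphertextBlob", "KeyId", "Algorithm", "Aad", "Iv", "PaddingMode")

# Constructed sample: what a caller would persist next to the ciphertext at
# encryption time. The record layout and byte values are assumptions.
SAMPLE_RECORD = {
    "CiphertextBlob": b"\x01\x02\x03",
    "KeyId": "key-hzz62f1cb66fa42qo****",
    "Algorithm": "AES_GCM",
    "Iv": bytes(12),
    "Aad": b"tenant=42",
    "PaddingMode": None,
}

def request_from_record(record):
    """Copy the stored encryption parameters into DecryptRequest fields."""
    return {f: record[f] for f in REQUEST_FIELDS if record.get(f) is not None}

def check_decrypt_request(req):
    """Return a list of problems; an empty list means the fields are consistent."""
    problems = [f"{f} is required" for f in ("CiphertextBlob", "KeyId") if not req.get(f)]
    alg = req.get("Algorithm")
    if alg is None:
        # The default algorithm depends on the key type, which this check
        # cannot see, so algorithm-specific rules are skipped.
        return problems
    if alg in IV_ALGORITHMS and not req.get("Iv"):
        problems.append(f"Iv is required for {alg}")
    if alg in PADDING_ALGORITHMS and not req.get("PaddingMode"):
        problems.append(f"PaddingMode is required for {alg}")
    aad = req.get("Aad")
    if aad and alg not in AAD_ALGORITHMS:
        problems.append(f"Aad does not apply to {alg}")   # client-side lint only
    elif aad and len(aad) > MAX_AAD_BYTES:
        problems.append("Aad exceeds 8,192 bytes")
    return problems

if __name__ == "__main__":
    print(check_decrypt_request(request_from_record(SAMPLE_RECORD)))
```

Storing Algorithm, Iv, Aad, and PaddingMode with the ciphertext at encryption time, as the sample record does, is what lets the decrypt side satisfy the "must be the same as for encryption" requirements without relying on defaults.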
Response message definition
message DecryptResponse {
    string KeyId = 1;
    bytes Plaintext = 2;
    string RequestId = 3;
    string Algorithm = 4;
    string PaddingMode = 5;
}
Response parameters
Parameter | Type | Example | Description |
Plaintext | bytes | Binary data | The plaintext. |
KeyId | string | key-hzz62f1cb66fa42qo**** | The globally unique ID of the key. If you set KeyId to an alias of the key, the ID of the key to which the alias is bound is returned. |
Algorithm | string | AES_GCM | The decryption algorithm. |
PaddingMode | string | PKCS7_PADDING | The padding mode. |
RequestId | string | 475f1620-b9d3-4d35-b5c6-3fbdd941423d | The ID of the request, which is used to locate and troubleshoot issues. |
Error codes
For more information about error codes, see Common error codes.