Decrypting Data Using Master Encryption Key

Decrypt data with a master encryption key using either the CLI or the API interface. Note that this operation can't be performed in the OCI Console.

• Console
• CLI
• API

• This task isn't available in the OCI Console.

• Note
  
  You can use either AES symmetric keys or RSA asymmetric keys to encrypt or decrypt data. ECDSA keys don't support vault cryptography required to encrypt or decrypt data. To encrypt data by using an RSA asymmetric key, you must also provide the --key-version-id of the key. To decrypt the data, you must provide the same --key-version-id. The need to track key versions exists because, unlike symmetric keys, an asymmetric key's ciphertext doesn't contain the information that the service needs for decryption purposes.

  Open a command prompt and run oci kms crypto decrypt to decrypt data.

  RSA keys: Note that the --encryption-algorithm parameter must be included in the command for RSA keys. To decrypt data with an RSA key, use the following command:

  oci kms crypto decrypt --key-id <key_OCID> --ciphertext <ciphertext> --endpoint <cryptographic_endpoint> --encryption-algorithm <encryption_algorithm>

  Example: RSA key, encryption algorithm RSA_OAEP_SHA_256

  oci kms crypto decrypt --key-id ocid1.key.oc1.ap-mumbai-1.example123eu6.abrg6ljrn4j3fyhrx4kttej5hj2lxjfzywwuc7353frutrut2i5cw6fshtwa --ciphertext example123nR2ZtkUOobWRHVs4/nbrKElKBuyPdUnNBnOyd1w0F78+Ch31Pb+BrDCiftpx/example123+IaKZzLZOA/vazlz2nlqQIVSHpXL82nbj1wiVhaInoB2NiVGmDJRJwXxOsdllkkmmtdCScCDB3t2KbBniX4zRxyndv+b47hZw/jaRrN/w2X7gFsFi/example123n3zjE+/example123RR56nAbrITj3xc/example123d7RA35AU7W1p+b8P3pfXEn1OTu3HWENNe5SavPGBwkVsfbXv45ht1kTP9gpkDYMN7PhWxJHQqQFIKoVJscV1uvgNT9OLo9xEsfx7MXMnKA7VJrU1S/example1237p5o+RlWoksWfH2s2IyBML5Z5wX8cArTN1zisSluTlJYJMoM3pexaECrT0ObyajL2TmXY93P2AN7vgmO4OzaEwgvk2ImUt/example123B96Vn1kXYUjmSWQYQMmRkyMTRtPq8Bd92QmIvG31erkJ+984DWhtGSJka5zllhmcMLSObYIFw6A/example123qwhX+WxlMxCOPgb0c0g9LrIx7i0cVvwLhZPX1g2EhoB5yv2Gt5WSH40MxvnUPRKElqbj0e8c8aUsrlqazzfceNufRLHrv6l2IVSVTKX6VVgM1AGpJaoUbCTn4= --endpoint https://example123eu6-crypto.kms.ap-mumbai-1.oraclecloud.com --encryption-algorithm RSA_OAEP_SHA_256

  AES keys: To decrypt data with an AES key, use the following command:

  oci kms crypto decrypt --key-id <key_OCID> --ciphertext <ciphertext> --endpoint <cryptographic_endpoint>

  Example: AES key with AES_256_GCM algorithm

  oci kms crypto decrypt --key-id ocid1.key.oc1.ap-mumbai-1.example123eu6.abrg6ljrslqbj6uqmbi5w7ystmdli2tbzlam7wqr3qtznlvghjhmw2macsea --ciphertext example123iYAD9owuLfMJ/QranyQuagBZmBXbeNOcu7HNDtw2fnMOfoAAAAAA== --endpoint https://example123eu6-crypto.kms.ap-mumbai-1.oraclecloud.com  --encryption-algorithm AES_256_GCM

  For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.

• Run the Decrypt operation to decrypt data using master encryption key using the KMSCRYPTO endpoint. This endpoint is also referred to as the cryptographic endpoint in the OCI Console.

  Note
  
  

  Encryption and decryption operations require a cryptographic endpoint that's specific to the vault containing the key you are using. You can find this endpoint in the OCI Console on the Vault Details page, under Cryptographic Endpoint. You can also use the GetVault operation to get the cryptographic endpoint (contained in the cryptoEndpoint field).

  For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.