Decrypts ciphertext into plaintext.
Usage notes
After you call the Encrypt or GenerateDataKey operation to generate ciphertext, you can call the Decrypt operation to decrypt the ciphertext.
For more information about key specifications and encryption modes, see Key types and specifications.
The request body must not exceed 3 MB in length after all request parameters are encoded by using Protocol Buffers. If the request body exceeds 3 MB, the server rejects the request and returns an HTTP 413 status code. We recommend that you limit the data in a single operation to 6 KB for encryption and decryption by using symmetric keys and to 1 KB for encryption and decryption by using asymmetric keys. If the data exceeds these limits, we recommend that you use envelope encryption. For more information, see Use envelope encryption.
A large amount of data in a single encryption or decryption operation raises the risk of network failures, prolongs network transmission, and extends the time that KMS requires to encrypt and decrypt the data.
Request parameters
Parameter | Type | Required | Example | Description |
KeyId | string | Yes | key-hzz62f1cb66fa42qo**** | The globally unique ID of the key. You can set the value to an alias that is bound to the key. |
Algorithm | string | No | AES_GCM | The decryption algorithm. Important: The algorithm must be the same as the algorithm that is used for encryption. |
Iv | bytes | No | Binary data | The initialization vector (IV). This parameter is required only when Algorithm is set to AES_GCM or AES_CBC. Important: The initialization vector must be the same as the initialization vector that is used for data encryption. |
CiphertextBlob | bytes | Yes | Binary data | The ciphertext that you want to decrypt. Note: When the Elliptic Curve Integrated Encryption Scheme (ECIES) algorithm is used, the ciphertext format follows the SEC 1: Elliptic Curve Cryptography, Version 2.0 standard. |
Aad | bytes | No | Binary data | The additional authenticated data (AAD). The value can be up to 8,192 bytes in length. This parameter is required only when Algorithm is set to AES_GCM or SM4_GCM and Aad was specified during data encryption. Important: The value must be the same as the value used for data encryption. |
PaddingMode | string | No | PKCS7_PADDING | The padding mode. This parameter is required only when Algorithm is set to AES_CBC or AES_ECB. Important: The value must be the same as the value used for data encryption. Valid values:
|
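The Iv and Aad rows require the values that were used for encryption. The following added example (not code from this page or from a KMS SDK) uses Node.js's built-in crypto module as a local stand-in for the service to show what a mismatch does under AES-GCM: decryption fails authentication rather than returning altered plaintext, so both values must be stored with the ciphertext. The helper names `sealRecord` and `openRecord`, the tag-appended blob layout, and the sample data are assumptions.

```javascript
// Added example: Node's crypto module stands in for the service locally.
const nodeCrypto = require("node:crypto");

const MAX_AAD_BYTES = 8192; // Aad limit from the request parameter table
const TAG_BYTES = 16;       // GCM authentication tag length used here

// Hypothetical helper: encrypts and returns, as one record, every value
// that the later decryption must repeat unchanged.
function sealRecord(key, plaintext, aad) {
  if (aad.length > MAX_AAD_BYTES) throw new RangeError("Aad exceeds 8,192 bytes");
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit IV per encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // Assumed layout for this example only: ciphertext followed by the tag.
  const blob = Buffer.concat([body, cipher.getAuthTag()]);
  return { Algorithm: "AES_GCM", Iv: iv, Aad: aad, CiphertextBlob: blob };
}

// Hypothetical helper: returns the plaintext Buffer, or null when the
// parameters do not authenticate against the ciphertext.
function openRecord(key, { Iv, Aad, CiphertextBlob }) {
  const split = CiphertextBlob.length - TAG_BYTES;
  if (split < 0) return null; // too short to contain a tag
  try {
    const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, Iv);
    decipher.setAAD(Aad);
    decipher.setAuthTag(CiphertextBlob.subarray(split));
    const body = decipher.update(CiphertextBlob.subarray(0, split));
    return Buffer.concat([body, decipher.final()]);
  } catch {
    return null; // wrong Iv, wrong Aad, or modified ciphertext
  }
}

// Constructed sample data: random key, short secret, context string as Aad.
const key = nodeCrypto.randomBytes(32);
const record = sealRecord(key, Buffer.from("db-password"), Buffer.from("tenant=42"));

function demo() {
  const flippedIv = Buffer.from(record.Iv);
  flippedIv[0] ^= 0x01; // one flipped bit is enough to break authentication
  return {
    ok: openRecord(key, record).toString(),
    wrongAad: openRecord(key, { ...record, Aad: Buffer.from("tenant=43") }),
    wrongIv: openRecord(key, { ...record, Iv: flippedIv }),
  };
}
console.log(demo());
```

How KMS itself reports such a mismatch is not described on this page; the example only shows the local AES-GCM behavior.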
Response parameters
Parameter | Type | Example | Description |
Plaintext | bytes | Binary data | The plaintext. |
KeyId | string | key-hzz62f1cb66fa42qo**** | The globally unique ID of the key. If you set KeyId to an alias of the key, the ID of the key to which the alias is bound is returned. |
Algorithm | string | AES_GCM | The decryption algorithm. |
PaddingMode | string | PKCS7_PADDING | The padding mode. |
RequestId | string | 475f1620-b9d3-4d35-b5c6-3fbdd941423d | The ID of the request, which is used to locate and troubleshoot issues. |
Error codes
HTTP status code | Error code | Error message | Description |
500 | InternalFailure | Internal Failure. | Possible causes:
If the preceding issues are excluded, submit a ticket to contact technical support. |
For a list of error codes, see Service error codes.