File: //usr/local/aws-cli/v2/current/current/current/dist/awscli/examples/kms/decrypt.rst
**Example 1: To decrypt an encrypted message with a symmetric KMS key (Linux and macOS)**

The following ``decrypt`` command example demonstrates the recommended way to decrypt data with the AWS CLI. This version shows how to decrypt data under a symmetric KMS key.

* Provide the ciphertext in a file.

    In the value of the ``--ciphertext-blob`` parameter, use the ``fileb://`` prefix, which tells the CLI to read the data from a binary file. If the file is not in the current directory, type the full path to the file. For more information about reading AWS CLI parameter values from a file, see `Loading AWS CLI parameters from a file <https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters-file.html>`__ in the *AWS Command Line Interface User Guide* and `Best Practices for Local File Parameters <https://aws.amazon.com/blogs/developer/best-practices-for-local-file-parameters/>`__ in the *AWS Command Line Tool Blog*.

* Specify the KMS key to decrypt the ciphertext.

    The ``--key-id`` parameter is not required when decrypting with a symmetric KMS key. AWS KMS can get the key ID of the KMS key that was used to encrypt the data from the metadata in the ciphertext. But it's always a best practice to specify the KMS key you are using. This practice ensures that you use the KMS key that you intend, and prevents you from inadvertently decrypting a ciphertext using a KMS key you do not trust.

* Request the plaintext output as a text value.

    The ``--query`` parameter tells the CLI to get only the value of the ``Plaintext`` field from the output. The ``--output`` parameter returns the output as text. 

* Base64-decode the plaintext and save it in a file.

    The following example pipes (|) the value of the ``Plaintext`` parameter to the Base64 utility, which decodes it. Then, it redirects (>) the decoded output to the ``ExamplePlaintext`` file.

Before running this command, replace the example key ID with a valid key ID from your AWS account. ::

    aws kms decrypt \
        --ciphertext-blob fileb://ExampleEncryptedFile \
        --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
        --output text \
        --query Plaintext | base64 \
        --decode > ExamplePlaintextFile

This command produces no output. The output from the ``decrypt`` command is base64-decoded and saved in a file.

For more information, see `Decrypt <https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html>`__ in the *AWS Key Management Service API Reference*.

**Example 2: To decrypt an encrypted message with a symmetric KMS key (Windows command prompt)**

The following example is the same as the previous one except that it uses the ``certutil`` utility to Base64-decode the plaintext data. This procedure requires two commands, as shown in the following examples. 

Before running this command, replace the example key ID with a valid key ID from your AWS account. ::

    aws kms decrypt ^
        --ciphertext-blob fileb://ExampleEncryptedFile ^
        --key-id 1234abcd-12ab-34cd-56ef-1234567890ab ^
        --output text ^
        --query Plaintext > ExamplePlaintextFile.base64

Run the ``certutil`` command. ::

    certutil -decode ExamplePlaintextFile.base64 ExamplePlaintextFile

Output::

    Input Length = 18
    Output Length = 12
    CertUtil: -decode command completed successfully.

For more information, see `Decrypt <https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html>`__ in the *AWS Key Management Service API Reference*.

**Example 3: To decrypt an encrypted message with an asymmetric KMS key (Linux and macOS)**

The following ``decrypt`` command example shows how to decrypt data encrypted under an RSA asymmetric KMS key.

When using an asymmetric KMS key, the ``--encryption-algorithm`` parameter, which specifies the algorithm that was used to encrypt the plaintext, is required.

Before running this command, replace the example key ID with a valid key ID from your AWS account. ::

    aws kms decrypt \
        --ciphertext-blob fileb://ExampleEncryptedFile \
        --key-id 0987dcba-09fe-87dc-65ba-ab0987654321 \
        --encryption-algorithm RSAES_OAEP_SHA_256 \
        --output text \
        --query Plaintext | base64 \
        --decode > ExamplePlaintextFile

This command produces no output. The output from the ``decrypt`` command is base64-decoded and saved in a file.

For more information, see `Asymmetric keys in AWS KMS <https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html>`__ in the *AWS Key Management Service Developer Guide*.
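As an added example that is not part of the AWS CLI documentation, the following POSIX shell wrapper covers both Example 1 (symmetric) and Example 3 (asymmetric): it refuses to run without an explicit key ID, adds ``--encryption-algorithm`` only when an algorithm is given, and captures the base64 output before decoding so that a failed ``decrypt`` call is reported instead of silently producing an empty file (the ``| base64 --decode`` pipeline above would mask that failure without ``pipefail``). The ``AWS_CLI`` variable is an assumption introduced here so the ``aws`` command can be replaced by a stub for offline testing.

```shell
#!/bin/sh
# Wrapper around "aws kms decrypt" enforcing the practices described above.
# AWS_CLI is a hypothetical variable (not an AWS CLI setting): it names the
# command to run and defaults to the real "aws" binary.
set -e

# usage: kms_decrypt_to_file <ciphertext-file> <key-id> <output-file> [encryption-algorithm]
# Returns 2 on bad arguments, 1 if the decrypt call fails, 0 on success.
kms_decrypt_to_file() {
    ciphertext_file=$1
    key_id=$2
    out_file=$3
    algorithm=${4:-}

    if [ -z "$ciphertext_file" ] || [ ! -f "$ciphertext_file" ]; then
        echo "ciphertext file missing: '$ciphertext_file'" >&2
        return 2
    fi
    # Pin the key: never rely on the key ID stored in the ciphertext metadata,
    # so a ciphertext produced under an untrusted key is not decrypted by accident.
    if [ -z "$key_id" ]; then
        echo "refusing to decrypt without an explicit --key-id" >&2
        return 2
    fi

    # Build the argument list; fileb:// makes the CLI read the file as binary.
    set -- kms decrypt \
        --ciphertext-blob "fileb://$ciphertext_file" \
        --key-id "$key_id" \
        --output text \
        --query Plaintext
    if [ -n "$algorithm" ]; then
        # Asymmetric (e.g. RSA) keys require the algorithm used at encryption time.
        set -- "$@" --encryption-algorithm "$algorithm"
    fi

    # Capture the base64 plaintext first so an API error is not hidden by the pipe.
    plaintext_b64=$("${AWS_CLI:-aws}" "$@") || {
        echo "aws kms decrypt failed for key $key_id" >&2
        return 1
    }
    printf '%s\n' "$plaintext_b64" | base64 --decode > "$out_file"
}
```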