C"SrSSKJr SSKJr SSKJr SSKJr SSKJ r SSK J r SSK Jr SSK J r SSK Jr SS K Jr SS KJr SS KJr SS KJr "S S\ R,5rg)z&Decrypt a ciphertext file using a key.)absolute_import)division)unicode_literals) exceptions)base)crc32c) e2e_integrity)flags)log) console_io)filescF\rSrSrSr\S5rSrSrSr Sr Sr S r g ) Decrypt!aFDecrypt a ciphertext file using a Cloud KMS key. `{command}` decrypts the given ciphertext file using the given Cloud KMS key and writes the result to the named plaintext file. Note that to permit users to decrypt using a key, they must be have at least one of the following IAM roles for that key: `roles/cloudkms.cryptoKeyDecrypter`, `roles/cloudkms.cryptoKeyEncrypterDecrypter`. Additional authenticated data (AAD) is used as an additional check by Cloud KMS to authenticate a decryption request. If an additional authenticated data file is provided, its contents must match the additional authenticated data provided during encryption and must not be larger than 64KiB. If you don't provide a value for `--additional-authenticated-data-file`, an empty string is used. For a thorough explanation of AAD, refer to this guide: https://cloud.google.com/kms/docs/additional-authenticated-data If `--ciphertext-file` or `--additional-authenticated-data-file` is set to '-', that file is read from stdin. Note that both files cannot be read from stdin. Similarly, if `--plaintext-file` is set to '-', the decrypted plaintext is written to stdout. By default, the command performs integrity verification on data sent to and received from Cloud KMS. Use `--skip-integrity-verification` to disable integrity verification. ## EXAMPLES To decrypt the file 'path/to/ciphertext' using the key `frodo` with key ring `fellowship` and location `global` and write the plaintext to 'path/to/plaintext.dec', run: $ {command} \ --key=frodo \ --keyring=fellowship \ --location=global \ --ciphertext-file=path/to/input/ciphertext \ --plaintext-file=path/to/output/plaintext.dec To decrypt the file 'path/to/ciphertext' using the key `frodo` and the additional authenticated data that was used to encrypt the ciphertext, and write the decrypted plaintext to stdout, run: $ {command} \ --key=frodo \ --keyring=fellowship \ --location=global \ --additional-authenticated-data-file=path/to/aad \ --ciphertext-file=path/to/input/ciphertext \ --plaintext-file='-' c[R"US5 [R"US5 [R"US5 [R"U5 [R "U5 g)NaCloud KMS key to use for decryption. * For symmetric keys, Cloud KMS detects the decryption key version from the ciphertext. If you specify a key version as part of a symmetric decryption request, an error is logged and decryption fails. * For asymmetric keys, the encryption key version can't be detected automatically. You must keep track of this information and provide the key version in the decryption request. The key version itself is not sensitive data and does not need to be encrypted.z^to decrypt. This file should contain the result of encrypting a file with `gcloud kms encrypt`z to output)r AddKeyResourceFlagsAddCiphertextFileFlagAddPlaintextFileFlagAddAadFileFlagAddSkipIntegrityVerification)parsers lib/surface/kms/decrypt.pyArgs Decrypt.ArgsUs` C D +, v{3   &&v.c[R"USS9n[U5U:a%[R"SR X55eU$)NT)binaryzPj#22&),,6 38c J$223Bc J[ ;;(  ' ' 5 < <""A ' ((([[A)) J VD;;Q ?A AAs/F'GG'0GGH(30H##H(c[R"URUR5(d)[R "[R "55eg)z&Verifies integrity fields in response.N)r Crc32cMatches plaintextplaintextCrc32cr $ClientSideIntegrityVerificationError*GetResponseFromServerCorruptedErrorMessage)r"rEresps r_VerifyResponseIntegrityFields&Decrypt._VerifyResponseIntegrityFieldssH   0D0D E E  > >  B B D FF FrcURU5n[R"5nURR U5nURU5(aURUW5 WRcA[R"UR5 SSS5 [R "S5 g[R""URURSSS9 g![ R a n[R"U5 SnANSnAff=f!,(df  N=f![R$an[&R("U5eSnAff=f)NzDecrypted file is emptyT)r overwrite)rHr:GetClientInstance&projects_locations_keyRings_cryptoKeysrapitools_exceptionsHttpBadRequestErrorr ProcessHttpBadRequestErrorr+rQrLr FileWriterplaintext_filer PrintWriteToFileOrStdoutr7rr )r"r*rEclientrPerrorrAs rRun Decrypt.Runs  $ $T *C  , , .F6  : : B B3 Gd  ))$// ))#t4 +     d11 2 3 +,     N  2 26..u5563 2 ;;+  ' ' **+sMC&,-D.DD.:+D.&D:DD D+'D..EEEN) __name__ __module__ __qualname____firstlineno____doc__ staticmethodrr&r+rHrQr`__static_attributes__rbrrrr!s71f//$0;zF+rrN)rg __future__rrrapitools.base.pyrrWgooglecloudsdk.api_lib.cloudkmsrr:googlecloudsdk.calliopegooglecloudsdk.command_lib.kmsrr r googlecloudsdk.corer googlecloudsdk.core.consoler googlecloudsdk.core.utilr CommandrrbrrrssC-&'>A(.180#2*n+dlln+r