Linux command
gcloud-kms-decrypt command
Network
After copying, replace file names, directories, or parameters as needed.
Common examples
Decrypt file
gcloud kms decrypt --ciphertext-file=[encrypted.enc] --plaintext-file=[decrypted.txt] --key=[key] --keyring=[keyring] --location=[global]
Decrypt from stdin
cat [encrypted.enc] | gcloud kms decrypt --ciphertext-file=- --plaintext-file=[output.txt] --key=[key] --keyring=[keyring] --location=[global]
Decrypt to stdout
gcloud kms decrypt --ciphertext-file=[encrypted.enc] --plaintext-file=- --key=[key] --keyring=[keyring] --location=[global]
Description
gcloud kms decrypt uses Cloud Key Management Service to decrypt data that was previously encrypted with a Cloud KMS key. KMS provides centralized cryptographic key management, separating key storage and access control from the applications that use them. The decryption operation requires specifying the exact key, keyring, and location used during encryption. Access to decrypt is controlled by IAM permissions on the key, allowing fine-grained control over who can decrypt sensitive data. This enables secure secrets management where encrypted data can be stored in version control or configuration files while keys remain secured in KMS. The command supports reading from files or stdin and writing to files or stdout, enabling integration into pipelines and scripts. Cloud KMS is commonly used for envelope encryption, where data encryption keys are themselves encrypted by KMS keys, providing an additional security layer. This is the standard pattern for encrypting application secrets, database credentials, and other sensitive configuration data in Google Cloud environments.
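The secrets-management pattern above (KMS ciphertext kept in a config file, plaintext produced only at load time by piping through `gcloud kms decrypt --ciphertext-file=- --plaintext-file=-`) as an added example; this is not code from the page or from the gcloud project. The `ENC[<base64>]` marker convention, the KEY=VALUE config layout and the function names are assumptions made for this example.

```python
import base64
import functools
import re
import subprocess
from typing import Callable, Dict

# Assumed convention for this example: an encrypted value is stored as
# ENC[<base64 of the raw Cloud KMS ciphertext>] so it can sit in a config file.
ENC_RE = re.compile(r"^ENC\[([A-Za-z0-9+/=]+)\]$")

def kms_decrypt(ciphertext: bytes, key: str, keyring: str, location: str = "global") -> bytes:
    """Unwrap one ciphertext with `gcloud kms decrypt`, streaming through stdin and
    stdout so the plaintext is never written to disk. A non-zero exit (wrong key,
    keyring or location, or no decrypt permission on the key) raises."""
    cmd = ["gcloud", "kms", "decrypt", "--ciphertext-file=-", "--plaintext-file=-",
           f"--key={key}", f"--keyring={keyring}", f"--location={location}"]
    try:
        run = subprocess.run(cmd, input=ciphertext, capture_output=True, check=False)
    except FileNotFoundError as exc:
        raise RuntimeError("gcloud CLI not found on PATH") from exc
    if run.returncode != 0:
        raise RuntimeError("gcloud kms decrypt failed: " + run.stderr.decode(errors="replace").strip())
    return run.stdout

def decrypt_config(text: str, decrypt: Callable[[bytes], bytes]) -> Dict[str, str]:
    """Parse KEY=VALUE lines. ENC[...] values are base64-decoded and handed to
    `decrypt`; plain values pass through. Malformed lines fail loudly rather
    than silently yielding an empty secret."""
    secrets: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE")
        name, value = (part.strip() for part in line.split("=", 1))
        match = ENC_RE.match(value)
        if match:
            try:
                blob = base64.b64decode(match.group(1), validate=True)
            except ValueError as exc:
                raise ValueError(f"line {lineno}: bad base64 inside ENC[...]") from exc
            value = decrypt(blob).decode("utf-8")
        secrets[name] = value
    return secrets

def load_secrets(path: str, key: str, keyring: str, location: str = "global") -> Dict[str, str]:
    """Read a config file and resolve its ENC[...] values through Cloud KMS."""
    with open(path, encoding="utf-8") as fh:
        return decrypt_config(fh.read(), functools.partial(kms_decrypt, key=key, keyring=keyring, location=location))
```

Because the decryptor is passed in as a callable, the parsing and error handling can be exercised locally with a stub, and only `load_secrets` needs IAM decrypt permission on the key.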
Parameters
- --ciphertext-file _FILE_: Encrypted input file (`-` reads from stdin).
- --plaintext-file _FILE_: Decrypted output file (`-` writes to stdout).
- --key _KEY_: Crypto key name.
- --keyring _KEYRING_: Key ring name.
- --location _LOCATION_: Key location.
- --help: Display help information.
FAQ
What is the gcloud-kms-decrypt command used for?
It decrypts data that was previously encrypted with a Cloud KMS key, using the same key, keyring, and location as at encryption time. Decrypt access is governed by IAM permissions on the key, and the command reads from a file or stdin and writes to a file or stdout, which makes it suitable for scripts, pipelines, and envelope-encryption workflows where application secrets are stored encrypted alongside configuration (see the description above).
How do I run a basic gcloud-kms-decrypt example?
Run `gcloud kms decrypt --ciphertext-file=[encrypted.enc] --plaintext-file=[decrypted.txt] --key=[key] --keyring=[keyring] --location=[global]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.
What does --ciphertext-file _FILE_ do in gcloud-kms-decrypt?
It specifies the encrypted input file; pass `-` to read the ciphertext from stdin.