minkms decrypt
Decrypt an encrypted message that consists of the key’s version as a prefix, followed by the ciphertext.
This command is used to recover the plaintext data key from a stored ciphertext. Applications typically store only the ciphertext data key and use this command to retrieve the plaintext when needed for cryptographic operations.
The following settings determine which remote Key Manager server the command runs against, in order of priority:
- The MINIO_KMS_SERVER environment variable.
- The default value of https://localhost:7373.
SYNTAX
minkms decrypt \
NAME \
DATA \
[-a | --api-key KEY] \
[-e | --enclave NAME] \
[--json] \
[-k | --insecure]
PARAMETERS
NAME
Required
The name of the key to use for decryption.
DATA
Required
The encrypted data to decrypt.
The ciphertext must include the version prefix in the format: v<VERSION>:<BASE64_ENCODED_CIPHERTEXT>
--api-key
Optional
Alias: -a
The API key of an identity the command uses to authenticate to the Key Manager cluster.
Defaults to the value of MINIO_KMS_API_KEY.
--enclave
Optional
Alias: -e
Specify the enclave where the key to use for decryption can be found.
--json
Optional
Print output in JSON format. Otherwise, print plaintext if it’s valid UTF-8 text, or base64-encoded if it’s binary data.
--insecure
Optional
Alias: -k
Skip server certificate verification.
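
The following is an added example, not part of the original documentation or the project's own code: a POSIX shell pre-flight check that a stored ciphertext matches the `v<VERSION>:<BASE64_ENCODED_CIPHERTEXT>` format before it is passed as DATA. It assumes VERSION is a decimal integer and the payload uses the standard padded base64 alphabet; the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Assumptions not stated on the page: VERSION is a decimal
# integer; the payload is standard base64 ('+', '/', '=' padding).

# Print the key version of a stored ciphertext; return 1 if it is malformed.
kms_ciphertext_version() {
    _data=$1
    # Overall shape: 'v', a digit, ..., ':', then a non-empty payload.
    case $_data in
        v[0-9]*:?*) ;;
        *) return 1 ;;
    esac
    _rest=${_data#v}
    _version=${_rest%%:*}      # text before the first ':'
    _payload=${_rest#*:}       # text after the first ':'
    # Version must consist of digits only.
    case $_version in
        ''|*[!0-9]*) return 1 ;;
    esac
    # Allow at most two trailing '=' and nothing else outside the alphabet.
    _body=${_payload%=}
    _body=${_body%=}
    case $_body in
        ''|*[!A-Za-z0-9+/]*) return 1 ;;
    esac
    # Padded base64 always has a length that is a multiple of 4.
    [ $(( ${#_payload} % 4 )) -eq 0 ] || return 1
    printf '%s\n' "$_version"
}

# Decrypt a stored ciphertext data key with the named key.
# The API key is read from MINIO_KMS_API_KEY (the documented default for
# --api-key), so it does not appear in the process argument list.
kms_decrypt_data_key() {
    _key_name=$1
    _stored=$2
    if ! kms_ciphertext_version "$_stored" >/dev/null; then
        echo "refusing malformed ciphertext for key '$_key_name'" >&2
        return 2
    fi
    if [ -z "${MINIO_KMS_API_KEY:-}" ]; then
        echo "MINIO_KMS_API_KEY is not set" >&2
        return 3
    fi
    # Certificate verification stays enabled: no -k / --insecure.
    minkms decrypt "$_key_name" "$_stored"
}
```

Capture the output of `kms_decrypt_data_key` in a variable instead of writing it to disk, since it is the plaintext data key.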