# Use `Decrypt` with an AWS SDK or CLI
The following code examples show how to use `Decrypt`.
Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+ [Learn the basics](example_kms_Scenario_Basics_section.md)
------
#### [ CLI ]
**AWS CLI**
**Example 1: To decrypt an encrypted message with a symmetric KMS key (Linux and macOS)**
The following `decrypt` command example demonstrates the recommended way to decrypt data with the AWS CLI. This version shows how to decrypt data under a symmetric KMS key.
Provide the ciphertext in a file.In the value of the `--ciphertext-blob` parameter, use the `fileb://` prefix, which tells the CLI to read the data from a binary file. If the file is not in the current directory, type the full path to file. For more information about reading AWS CLI parameter values from a file, see Loading AWS CLI parameters from a file in the *AWS Command Line Interface User Guide* and Best Practices for Local File Parameters in the *AWS Command Line Tool Blog*.Specify the KMS key to decrypt the ciphertext.The `--key-id` parameter is not required when decrypting with a symmetric KMS key. AWS KMS can get the key ID of the KMS key that was used to encrypt the data from the metadata in the ciphertext. But it's always a best practice to specify the KMS key you are using. This practice ensures that you use the KMS key that you intend, and prevents you from inadvertently decrypting a ciphertext using a KMS key you do not trust.Request the plaintext output as a text value.The `--query` parameter tells the CLI to get only the value of the `Plaintext` field from the output. The `--output` parameter returns the output as text.Base64-decode the plaintext and save it in a file.The following example pipes (\$1) the value of the `Plaintext` parameter to the Base64 utility, which decodes it. Then, it redirects (>) the decoded output to the `ExamplePlaintext` file.
Before running this command, replace the example key ID with a valid key ID from your AWS account.
```
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
--output text \
--query Plaintext | base64 \
--decode > ExamplePlaintextFile
```
This command produces no output. The output from the `decrypt` command is base64-decoded and saved in a file.
For more information, see [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) in the *AWS Key Management Service API Reference*.
**Example 2: To decrypt an encrypted message with a symmetric KMS key (Windows command prompt)**
The following example is the same as the previous one except that it uses the `certutil` utility to Base64-decode the plaintext data. This procedure requires two commands, as shown in the following examples.
Before running this command, replace the example key ID with a valid key ID from your AWS account.
```
aws kms decrypt ^
--ciphertext-blob fileb://ExampleEncryptedFile ^
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab ^
--output text ^
--query Plaintext > ExamplePlaintextFile.base64
```
Run the `certutil` command.
```
certutil -decode ExamplePlaintextFile.base64 ExamplePlaintextFile
```
Output:
```
Input Length = 18
Output Length = 12
CertUtil: -decode command completed successfully.
```
For more information, see [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) in the *AWS Key Management Service API Reference*.
**Example 3: To decrypt an encrypted message with an asymmetric KMS key (Linux and macOS)**
The following `decrypt` command example shows how to decrypt data encrypted under an RSA asymmetric KMS key.
When using an asymmetric KMS key, the `encryption-algorithm` parameter, which specifies the algorithm used to encrypt the plaintext, is required.
Before running this command, replace the example key ID with a valid key ID from your AWS account.
```
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--key-id 0987dcba-09fe-87dc-65ba-ab0987654321 \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--output text \
--query Plaintext | base64 \
--decode > ExamplePlaintextFile
```
This command produces no output. The output from the `decrypt` command is base64-decoded and saved in a file.
For more information, see [Asymmetric keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide*.
+ For API details, see [Decrypt](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/decrypt.html) in *AWS CLI Command Reference*.
------
#### [ Java ]
**SDK for Java 2.x**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples).
```
/**
* Asynchronously decrypts the given encrypted data using the specified key ID.
*
* @param encryptedData The encrypted data to be decrypted.
* @param keyId The ID of the key to be used for decryption.
* @return A CompletableFuture that, when completed, will contain the decrypted data as a String.
* If an error occurs during the decryption process, the CompletableFuture will complete
* exceptionally with the error, and the method will return an empty String.
*/
public CompletableFuture decryptDataAsync(SdkBytes encryptedData, String keyId) {
DecryptRequest decryptRequest = DecryptRequest.builder()
.ciphertextBlob(encryptedData)
.keyId(keyId)
.build();
CompletableFuture responseFuture = getAsyncClient().decrypt(decryptRequest);
responseFuture.whenComplete((decryptResponse, exception) -> {
if (exception == null) {
logger.info("Data decrypted successfully for key ID: " + keyId);
} else {
if (exception instanceof KmsException kmsEx) {
throw new RuntimeException("KMS error occurred while decrypting data: " + kmsEx.getMessage(), kmsEx);
} else {
throw new RuntimeException("An unexpected error occurred while decrypting data: " + exception.getMessage(), exception);
}
}
});
return responseFuture.thenApply(decryptResponse -> decryptResponse.plaintext().asString(StandardCharsets.UTF_8));
}
```
+ For API details, see [Decrypt](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/Decrypt) in *AWS SDK for Java 2.x API Reference*.
------
#### [ Kotlin ]
**SDK for Kotlin**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples).
```
suspend fun encryptData(keyIdValue: String): ByteArray? {
val text = "This is the text to encrypt by using the AWS KMS Service"
val myBytes: ByteArray = text.toByteArray()
val encryptRequest =
EncryptRequest {
keyId = keyIdValue
plaintext = myBytes
}
KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient ->
val response = kmsClient.encrypt(encryptRequest)
val algorithm: String = response.encryptionAlgorithm.toString()
println("The encryption algorithm is $algorithm")
// Return the encrypted data.
return response.ciphertextBlob
}
}
suspend fun decryptData(
encryptedDataVal: ByteArray?,
keyIdVal: String?,
) {
val decryptRequest =
DecryptRequest {
ciphertextBlob = encryptedDataVal
keyId = keyIdVal
}
KmsClient { region = "us-west-2" }.use { kmsClient ->
val decryptResponse = kmsClient.decrypt(decryptRequest)
val myVal = decryptResponse.plaintext
// Print the decrypted data.
print(myVal)
}
}
```
+ For API details, see [Decrypt](https://sdk.amazonaws.com/kotlin/api/latest/index.html) in *AWS SDK for Kotlin API reference*.
------
#### [ PHP ]
**SDK for PHP**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $keyId
* @param string $ciphertext
* @param string $algorithm
* @return Result
*/
public function decrypt(string $keyId, string $ciphertext, string $algorithm = "SYMMETRIC_DEFAULT")
{
try{
return $this->client->decrypt([
'CiphertextBlob' => $ciphertext,
'EncryptionAlgorithm' => $algorithm,
'KeyId' => $keyId,
]);
}catch(KmsException $caught){
echo "There was a problem decrypting the data: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
```
+ For API details, see [Decrypt](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Decrypt) in *AWS SDK for PHP API Reference*.
------
#### [ Python ]
**SDK for Python (Boto3)**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class KeyEncrypt:
def __init__(self, kms_client):
self.kms_client = kms_client
@classmethod
def from_client(cls) -> "KeyEncrypt":
"""
Creates a KeyEncrypt instance with a default KMS client.
:return: An instance of KeyEncrypt initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def decrypt(self, key_id: str, cipher_text: bytes) -> str:
"""
Decrypts text previously encrypted with a key.
:param key_id: The ARN or ID of the key used to decrypt the data.
:param cipher_text: The encrypted text to decrypt.
:return: The decrypted text.
"""
try:
return self.kms_client.decrypt(KeyId=key_id, CiphertextBlob=cipher_text)[
"Plaintext"
].decode()
except ClientError as err:
logger.error(
"Couldn't decrypt your ciphertext. Here's why: %s",
err.response["Error"]["Message"],
)
raise
```
+ For API details, see [Decrypt](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Decrypt) in *AWS SDK for Python (Boto3) API Reference*.
------
#### [ Ruby ]
**SDK for Ruby**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/kms#code-examples).
```
require 'aws-sdk-kms' # v2: require 'aws-sdk'
# Decrypted blob
blob = '01020200785d68faeec386af1057904926253051eb2919d3c16078badf65b808b26dd057c101747cadf3593596e093d4ffbf22434a6d00000068306606092a864886f70d010706a0593057020100305206092a864886f70d010701301e060960864801650304012e3011040c9d629e573683972cdb7d94b30201108025b20b060591b02ca0deb0fbdfc2f86c8bfcb265947739851ad56f3adce91eba87c59691a9a1'
blob_packed = [blob].pack('H*')
client = Aws::KMS::Client.new(region: 'us-west-2')
resp = client.decrypt({
ciphertext_blob: blob_packed
})
puts 'Raw text: '
puts resp.plaintext
```
+ For API details, see [Decrypt](https://docs.aws.amazon.com/goto/SdkForRubyV3/kms-2014-11-01/Decrypt) in *AWS SDK for Ruby API Reference*.
------
#### [ Rust ]
**SDK for Rust**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/kms#code-examples).
```
async fn decrypt_key(client: &Client, key: &str, filename: &str) -> Result<(), Error> {
// Open input text file and get contents as a string
// input is a base-64 encoded string, so decode it:
let data = fs::read_to_string(filename)
.map(|input| {
base64::decode(input).expect("Input file does not contain valid base 64 characters.")
})
.map(Blob::new);
let resp = client
.decrypt()
.key_id(key)
.ciphertext_blob(data.unwrap())
.send()
.await?;
let inner = resp.plaintext.unwrap();
let bytes = inner.as_ref();
let s = String::from_utf8(bytes.to_vec()).expect("Could not convert to UTF-8");
println!();
println!("Decoded string:");
println!("{}", s);
Ok(())
}
```
+ For API details, see [Decrypt](https://docs.rs/aws-sdk-kms/latest/aws_sdk_kms/client/struct.Client.html#method.decrypt) in *AWS SDK for Rust API reference*.
------
#### [ SAP ABAP ]
**SDK for SAP ABAP**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab'
" iv_ciphertext_blob contains the encrypted data
oo_result = lo_kms->decrypt(
iv_keyid = iv_key_id
iv_ciphertextblob = iv_ciphertext_blob
).
MESSAGE 'Text decrypted successfully.' TYPE 'I'.
CATCH /aws1/cx_kmsdisabledexception.
MESSAGE 'The key is disabled.' TYPE 'E'.
CATCH /aws1/cx_kmsincorrectkeyex.
MESSAGE 'Incorrect key for decryption.' TYPE 'E'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Key not found.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ For API details, see [Decrypt](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*.
------
For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.