# DecryptData
Decrypts ciphertext data to plaintext using a symmetric (TDES, AES), asymmetric (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, see [Decrypt data](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/decrypt-data.html) in the * AWS Payment Cryptography User Guide*.
You can use an decryption key generated within AWS Payment Cryptography, or you can import your own decryption key by calling [ImportKey](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html). For this operation, the key must have `KeyModesOfUse` set to `Decrypt`. In asymmetric decryption, AWS Payment Cryptography decrypts the ciphertext using the private component of the asymmetric encryption key pair. For data encryption outside of AWS Payment Cryptography, you can export the public component of the asymmetric key pair by calling [GetPublicCertificate](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html).
This operation also supports dynamic keys, allowing you to pass a dynamic decryption key as a TR-31 WrappedKeyBlock. This can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into AWS Payment Cryptography. To decrypt using dynamic keys, the `keyARN` is the Key Encryption Key (KEK) of the TR-31 wrapped decryption key material. The incoming wrapped key shall have a key purpose of D0 with a mode of use of B or D. For more information, see [Using Dynamic Keys](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html) in the * AWS Payment Cryptography User Guide*.
For symmetric and DUKPT decryption, AWS Payment Cryptography supports `TDES` and `AES` algorithms. For EMV decryption, AWS Payment Cryptography supports `TDES` algorithms. For asymmetric decryption, AWS Payment Cryptography supports `RSA`.
When you use TDES or TDES DUKPT, the ciphertext data length must be a multiple of 8 bytes. For AES or AES DUKPT, the ciphertext data length must be a multiple of 16 bytes. For RSA, it sould be equal to the key size unless padding is enabled.
For information about valid keys for this operation, see [Understanding key attributes](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html) and [Key types for specific data operations](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html) in the * AWS Payment Cryptography User Guide*.
**Cross-account use**: This operation can't be used across different AWS accounts.
**Related operations:**
+ [EncryptData](API_EncryptData.md)
+ [GetPublicCertificate](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html)
+ [ImportKey](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html)
## Request Syntax
```
POST /keys/KeyIdentifier/decrypt HTTP/1.1
Content-type: application/json
{
"CipherText": "string",
"DecryptionAttributes": { ... },
"WrappedKey": {
"KeyCheckValueAlgorithm": "string",
"WrappedKeyMaterial": { ... }
}
}
```
## URI Request Parameters
The request uses the following URI parameters.
** [KeyIdentifier](#API_DecryptData_RequestSyntax) **
The `keyARN` of the encryption key that AWS Payment Cryptography uses for ciphertext decryption.
When a WrappedKeyBlock is provided, this value will be the identifier to the key wrapping key. Otherwise, it is the key identifier used to perform the operation.
Length Constraints: Minimum length of 7. Maximum length of 322.
Pattern: `arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:(key/[0-9a-zA-Z]{16,64}|alias/[a-zA-Z0-9/_-]+)$|^alias/[a-zA-Z0-9/_-]+`
Required: Yes
## Request Body
The request accepts the following data in JSON format.
** [CipherText](#API_DecryptData_RequestSyntax) **
The ciphertext to decrypt.
Type: String
Length Constraints: Minimum length of 2. Maximum length of 4224.
Pattern: `(?:[0-9a-fA-F][0-9a-fA-F])+`
Required: Yes
** [DecryptionAttributes](#API_DecryptData_RequestSyntax) **
The encryption key type and attributes for ciphertext decryption.
Type: [EncryptionDecryptionAttributes](API_EncryptionDecryptionAttributes.md) object
**Note: **This object is a Union. Only one member of this object can be specified or returned.
Required: Yes
** [WrappedKey](#API_DecryptData_RequestSyntax) **
The WrappedKeyBlock containing the encryption key for ciphertext decryption.
Type: [WrappedKey](API_WrappedKey.md) object
Required: No
## Response Syntax
```
HTTP/1.1 200
Content-type: application/json
{
"KeyArn": "string",
"KeyCheckValue": "string",
"PlainText": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [KeyArn](#API_DecryptData_ResponseSyntax) **
The `keyARN` of the encryption key that AWS Payment Cryptography uses for ciphertext decryption.
Type: String
Length Constraints: Minimum length of 70. Maximum length of 150.
Pattern: `arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:key/[0-9a-zA-Z]{16,64}`
** [KeyCheckValue](#API_DecryptData_ResponseSyntax) **
The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.
AWS Payment Cryptography computes the KCV according to the CMAC specification.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 16.
Pattern: `[0-9a-fA-F]+`
** [PlainText](#API_DecryptData_ResponseSyntax) **
The decrypted plaintext data in hexBinary format.
Type: String
Length Constraints: Minimum length of 2. Maximum length of 4224.
Pattern: `(?:[0-9a-fA-F][0-9a-fA-F])+`
## Errors
** AccessDeniedException **
You do not have sufficient access to perform this action.
HTTP Status Code: 403
** InternalServerException **
The request processing has failed because of an unknown error, exception, or failure.
HTTP Status Code: 500
** ResourceNotFoundException **
The request was denied due to an invalid resource error.
** ResourceId **
The resource that is missing.
HTTP Status Code: 404
** ThrottlingException **
The request was denied due to request throttling.
HTTP Status Code: 429
** ValidationException **
The request was denied due to an invalid request error.
** fieldList **
The request was denied due to an invalid request error.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/payment-cryptography-data-2022-02-03/DecryptData)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/payment-cryptography-data-2022-02-03/DecryptData)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/payment-cryptography-data-2022-02-03/DecryptData)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/payment-cryptography-data-2022-02-03/DecryptData)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/payment-cryptography-data-2022-02-03/DecryptData)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/payment-cryptography-data-2022-02-03/DecryptData)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/payment-cryptography-data-2022-02-03/DecryptData)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/payment-cryptography-data-2022-02-03/DecryptData)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/payment-cryptography-data-2022-02-03/DecryptData)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/payment-cryptography-data-2022-02-03/DecryptData)