MENU
      Decrypt
        • PDF

        Decrypt

        • PDF

        Article summary

        Available in Classic and VPC

        Decrypt the ciphertext encrypted with a key. It can only be requested as an AES256 or RSA2048 key type.

        Caution

        The data encrypted with the master key and returned consists of KMS prefix + ciphertext. The KMS prefix is composed of ncpkms:version information, and it must be specified exactly with the ciphertext because it will be decrypted with the key version specified in the decryption request. If the KMS prefix is incorrect, it will not be decrypted correctly, so be sure to manage the encryption in the form it is returned, with no arbitrary removals or manipulations.

        ncpkms:v1:XjsPWPjqPrBi1N2DupSiSbX/ATkGmKA
        ---------- -------------------------------
        KMS prefix        ciphertext
        Plain text

        Request

        This section describes the request format. The method and URI are as follows:

        MethodURI
        POST
        • API Gateway request signature v1: /keys/v1/{keyTag}/decrypt
        • API Gateway request signature v2: /keys/v2/{keyTag}/decrypt

        Request headers

        For information about the headers common to all Key Management Service APIs, see Key Management Service request headers.

        Request path parameters

        You can use the following path parameters with your request:

        FieldTypeRequiredDescription
        keyTagStringRequiredKey tag
        • Unique identifier for the key derived from the key name
        • Check through Get key list
        • Use to request encryption or decryption with REST APIs
        • Key tags are not treated as confidential information

        Request body

        You can include the following data in the body of your request:

        FieldTypeRequiredDescription
        ciphertextString or Array<String>RequiredString data created by encrypting a plaintext
        contextStringConditionalBase64-encoded string data
        • Required to enter the value of the context parameter used when encrypting data with a key that has convergent encryption applied

        Request example

        The request example is as follows:

        • Request API Gateway request signature v1 and ciphertext as String type
        curl --location --request POST 'https://kms.apigw.ntruss.com/keys/v1/a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6/decrypt' \
        --header 'x-ncp-apigw-timestamp: {Timestamp}' \
        --header 'x-ncp-apigw-api-key: {API Gateway API Key}' \
        --header 'x-ncp-iam-access-key: {Sub Account Access Key}' \
        --header 'x-ncp-apigw-signature-v1: {API Gateway Signature}' \
        --data '{
          "ciphertext": "{CIPHERTEXT}",
          "context": "{BASE64_CONTEXT}"
        }'
        Shell
        • Request API Gateway request signature v and ciphertext as Array<String> type
        curl --location --request POST 'https://kms.apigw.ntruss.com/keys/v2/a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6/decrypt' \
        --header 'x-ncp-apigw-timestamp: {Timestamp}' \
        --header 'x-ncp-iam-access-key: {Sub Account Access Key}' \
        --header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
        --data '{
          "ciphertext": ["{CIPHERTEXT_1}", "{CIPHERTEXT_2}", "{CIPHERTEXT_3}"],
          "context": "{BASE64_CONTEXT}"
        }'
        Shell

        Response

        This section describes the response format.

        Response body

        The response body includes the following data:

        FieldTypeRequiredDescription
        codeString-Success or Failure
        msgString-Description of the response code (code)
      • Display an empty value ("") on request success (SUCCESS)
      • dataObject-Response result
        data.plaintextString or Array<String>-Decrypted string data
        • Base64-encoded string data before encryption

        Response status codes

        For response status codes common to all Key Management Service APIs, see Key Management Service response status codes.

        Response example

        The response example is as follows:

        • Request ciphertext as String type
        {
            "code": "SUCCESS",
            "msg": "",
            "data": {
                "plaintext": "{BASE64_PLAINTEXT}"
            }
        }
        JSON
        • Request ciphertext as Array<String> type
        {
            "code": "SUCCESS",
            "msg": "",
            "data": {
                "plaintext": [
                    "{BASE64_PLAINTEXT_1}",
                    "{BASE64_PLAINTEXT_2}",
                    "{BASE64_PLAINTEXT_3}"
                ]
            }
        }
        JSON

        Was this article helpful?

        Changing your password will log you out immediately. Use the new password to log back in.
        First name must have atleast 2 characters. Numbers and special characters are not allowed.
        Last name must have atleast 1 characters. Numbers and special characters are not allowed.
        Enter a valid email
        Enter a valid password
        Your profile has been successfully updated.