Decrypt

Prev Next

Available in Classic and VPC

Decrypt the ciphertext encrypted with a key. It can only be requested as an AES256 or RSA2048 key type.

Caution

The data encrypted with the master key and returned consists of KMS prefix + ciphertext. The KMS prefix is composed of ncpkms:version information, and it must be specified exactly with the ciphertext because it will be decrypted with the key version specified in the decryption request. If the KMS prefix is incorrect, it will not be decrypted correctly, so be sure to manage the encryption in the form it is returned, with no arbitrary removals or manipulations.

ncpkms:v1:XjsPWPjqPrBi1N2DupSiSbX/ATkGmKA
---------- -------------------------------
KMS prefix        ciphertext

Request

This section describes the request format. The method and URI are as follows:

Method URI
POST /keys/{keyTag}/decrypt

Request headers

For information about the headers common to all Key Management Service APIs, see the token authentication method in Key Management Service request headers.

Request path parameters

You can use the following path parameters with your request:

Field Type Required Description
keyTag String Required Key tag
  • Unique identifier for the key derived from the key name
  • Check through Get key list
  • Use to request encryption or decryption with REST APIs
  • Key tags are not treated as confidential information

Request body

You can include the following data in the body of your request:

Field Type Required Description
ciphertext String or Array<String> Required String created by encrypting a plaintext
context String Conditional Base64-encoded string data
  • Required to enter the value of the context parameter used when encrypting data with a key that has convergent encryption applied

Request example

The request example is as follows:

  • Request ciphertext as String type
curl --location --request POST 'https://ocapi.ncloud.com/kms/v1/keys/a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6/decrypt' \
--header 'x-ncp-ocapi-token: {Access Token}' \
--data '{
  "ciphertext": "{CIPHERTEXT}",
  "context": "{BASE64_CONTEXT}"
}'
  • Request ciphertext as Array<String> type
curl --location --request POST 'https://ocapi.ncloud.com/kms/v1/keys/a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6/decrypt' \
--header 'x-ncp-ocapi-token: {Access Token}' \
--data '{
  "ciphertext": ["{CIPHERTEXT_1}", "{CIPHERTEXT_2}", "{CIPHERTEXT_3}"],
  "context": "{BASE64_CONTEXT}"
}'

Response

This section describes the response format.

Response body

The response body includes the following data:

Field Type Required Description
code String - Success or Failure
data Object - Response result
data.plaintext String or Array<String> - Decrypted string data
  • Base64-encoded string data before encryption

Response status codes

For response status codes common to all Key Management Service APIs, see Key Management Service response status codes.

Response example

The response example is as follows:

  • Request ciphertext as String type
{
    "code": "SUCCESS",
    "data": {
        "plaintext": "{BASE64_PLAINTEXT}"
    }
}
  • Request ciphertext as Array<String> type
{
    "code": "SUCCESS",
    "data": {
        "plaintext": [
            "{BASE64_PLAINTEXT_1}",
            "{BASE64_PLAINTEXT_2}",
            "{BASE64_PLAINTEXT_3}"
        ]
    }
}