Decrypting Data Using External Keys
Use the post /v1/cckm/oci/ekm/v1/vaults/{vaultId}/keys/{keyId}/decrypt API to decrypt encrypted data (ciphertext) using a specific version of an OCI external key in the external vault. Specify the version ID (keyVersionId) of the key as an input parameter.
The input for the decrypt API is the output JSON blob of the post /v1/cckm/oci/ekm/v1/vaults/{vaultId}/keys/{keyId}/encrypt API. The decrypt API uses the source key version stored in the metadata during the encrypt operation to decrypt the ciphertext.
The output of the decrypt API contains the base64-encoded plaintext in a JSON blob.
The supported scope value is oci_hyok_decrypt.
When running the API, {vaultId} is the resource ID of the external vault on the CipherTrust Manager, and {keyId} is the resource ID of the external key on the CipherTrust Manager.
Header
Parameter | Type | Description |
---|---|---|
opc-request-id | String | Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service. |
Request Parameters
Tip
Refer to the output of the post /v1/cckm/oci/ekm/v1/vaults/{vaultId}/keys/{keyId}/encrypt API for the correct values of the input parameters. Refer to Encrypting Data Using External Keys for details.
Parameter | Type | Description |
---|---|---|
ciphertext | string | A byte array that appears as a base64 encoded string in the JSON blob. |
iv | string | A byte array that appears as a base64 encoded string in the JSON blob. |
mode | string | Crypto mode used for encryption (for example, CBC, ECB, GCM). |
pad | string | Padding algorithm, for example, none, pkcs7. |
tag | string | A byte array that appears as a base64 encoded string in the JSON blob. |
aad | string | A byte array that appears as a base64 encoded string in the JSON blob. |
keyVersionId | string | Resource ID of the external key version on the CipherTrust Manager to be used for decryption. |
Example Request
post https://<Host IP Address>/api/v1/cckm/oci/ekm/v1/vaults/{vaultId}/keys/{keyId}/decrypt
<authorization token and other headers>
{
"ciphertext": "RpeAO2op/+bQD3FioKbuVi54yysO79e0SjY=",
"iv": "EYMbIM/MOv5q7Km1",
"mode": "AES_GCM",
"tag": "dk958fIs5D+kRE8rKKqtgA==",
"aad": "fIs5D+kRE8r",
"keyVersionId": "1272f6a0-9377-4e9a-9158-460860716eaf"
}
Example Response
{
"plaintext": "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=",
"keyId": "650e330b-47b1-4d9f-ab72-866b4e10df39",
"keyVersionId": "1272f6a0-9377-4e9a-9158-460860716eaf",
"iv": "EYMbIM/MOv5q7Km1",
"mode": "AES_GCM",
"tag": "dk958fIs5D+kRE8rKKqtgA==",
"aad": "fIs5D+kRE8r"
}
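As an added example (not Thales or CipherTrust code), the following Python builds the decrypt request body from an encrypt response blob, checks the base64 fields and the iv/tag that GCM needs before anything is sent, and decodes the base64 plaintext from the reply while confirming the reported keyVersionId. The host name, vault and key IDs and the sample field values are constructed placeholders; the URL path follows the example request above.

```python
import base64
import binascii
import json

# Fields of the encrypt output that the decrypt API consumes (per the tables above).
DECRYPT_FIELDS = ("ciphertext", "iv", "mode", "pad", "tag", "aad", "keyVersionId")
BASE64_FIELDS = ("ciphertext", "iv", "tag", "aad")


def _check_b64(name, value):
    """Fail early on fields that are not strict base64 rather than wait for a 400."""
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"{name} is not valid base64: {exc}") from exc


def build_decrypt_request(host, vault_id, key_id, encrypt_output):
    """Return (url, body) for the decrypt call, built from an encrypt response."""
    body = {k: encrypt_output[k] for k in DECRYPT_FIELDS if k in encrypt_output}
    if "ciphertext" not in body or "keyVersionId" not in body:
        raise ValueError("encrypt output lacks ciphertext or keyVersionId")
    for name in BASE64_FIELDS:
        if name in body:
            _check_b64(name, body[name])
    # AES-GCM is authenticated: without iv and tag the server cannot verify the data.
    if "GCM" in body.get("mode", "").upper() and not (body.get("iv") and body.get("tag")):
        raise ValueError("GCM ciphertext needs both iv and tag")
    url = f"https://{host}/api/v1/cckm/oci/ekm/v1/vaults/{vault_id}/keys/{key_id}/decrypt"
    return url, body


def parse_decrypt_response(response_json, expected_key_version):
    """Decode the base64 plaintext after checking which key version was used."""
    resp = json.loads(response_json)
    if resp.get("keyVersionId") != expected_key_version:
        raise ValueError("response keyVersionId does not match the request")
    return base64.b64decode(resp["plaintext"], validate=True)


# Constructed sample of an encrypt response; IDs are placeholders, not real resources.
SAMPLE_ENCRYPT_OUTPUT = {
    "ciphertext": base64.b64encode(b"constructed-ciphertext-bytes").decode(),
    "iv": base64.b64encode(b"\x01" * 12).decode(),
    "mode": "AES_GCM",
    "tag": base64.b64encode(b"\x02" * 16).decode(),
    "aad": base64.b64encode(b"app-context").decode(),
    "keyId": "PLACEHOLDER-KEY-ID",
    "keyVersionId": "PLACEHOLDER-KEY-VERSION-ID",
}
```

The returned body is what goes in the POST; add the authorization header and, optionally, opc-request-id as described above.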
Response Codes
Response Code | Description |
---|---|
200 | OK |
400 | Bad request |
401 | Unauthorized |
403 | Forbidden |
404 | Not found |
500 | Internal server error |
Refer to HTTP status codes for details.