kes key decrypt
Overview
Decrypt the contents of a data encryption key (DEK) and return the plaintext value.
Use the plaintext value for encrypting or decrypting data using the DEK.
Syntax
kes key decrypt \
    <name> \
    <ciphertext> \
    [<context>] \
    [--insecure,-k]
Parameters
name
Required
The short identifier for the key to use for the data encryption key.
ciphertext
Required
The encrypted text string to decrypt.
context
Optional
The context value to scope the request for a data encryption key.
You create contexts in the kubeconfig file of a Kubernetes deployment to define a set of cluster, namespace, and user configuration to use.
--insecure, -k
Optional
Directs the command to skip X.509 certificate validation during the TLS handshake with the KES server. This allows connections to KES servers using untrusted certificates (i.e. self-signed or issued by an unknown Certificate Authority).
MinIO strongly recommends against using this option in production environments.
Examples
The first of the following two commands retrieves the ciphertext for a key using the kes key dek command and stores the text as a variable.
The second command then decrypts the ciphertext using the key my-key.
$ CIPHERTEXT=$(kes key dek my-key | jq -r .ciphertext)
$ kes key decrypt my-key "$CIPHERTEXT"