decrypt - decrypt

Decrypts a single block of encrypted data.
The DECRYPT operation decrypts a well-formed block of ciphertext using the target encryption key and the specified algorithm. It is the reverse of the ENCRYPT operation. Only a single block of data may be decrypted, and the size of this block depends on the target key and the algorithm used. The DECRYPT operation applies to asymmetric and symmetric keys stored in Azure Key Vault, since it uses the private portion of the key. This operation requires the keys/decrypt permission. Microsoft recommends against using CBC algorithms for decryption without first ensuring the integrity of the ciphertext, for example with an HMAC. See https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.

POST {vaultBaseUrl}/keys/{key-name}/{key-version}/decrypt?api-version=7.4

URI Parameters

| Name | In | Required | Type | Description |
|---|---|---|---|---|
| key-name | path | True | string | The name of the key. |
| key-version | path | True | string | The version of the key. |
| vaultBaseUrl | path | True | string | The vault name, for example https://myvault.vault.azure.net. |
| api-version | query | True | string | Client API version. |

Request Body

| Name | Required | Type | Description |
|---|---|---|---|
| alg | True | JsonWebKeyEncryptionAlgorithm | algorithm identifier |
| value | True | string | |
| aad | | string | Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. |
| iv | | string | Cryptographically random, non-repeating initialization vector for symmetric algorithms. |
| tag | | string | The tag to authenticate when performing decryption with an authenticated algorithm. |

Responses

| Name | Type | Description |
|---|---|---|
| 200 OK | KeyOperationResult | The decryption result. |
| Other Status Codes | KeyVaultError | Key Vault error response describing why the operation failed. |

Examples

Decrypt example

Sample Request

POST https://myvault.vault.azure.net/keys/sdktestkey/4eb68492b5f6421e835d961ad2be3155/decrypt?api-version=7.4

{
  "alg": "RSA-OAEP",
  "value": "sid-4nG3FzRIFWXLXlG-FZo6H1-kzbNX5Exe0_VRqcGLuJWjI9oSofsn-2IagDsQzkpNAXv9V8aoIizelrK_14darhxaAV8OejO7Oh7spjxa7IxMVS3e-cwcLdEHzMbMfM1uFpDyRFqEUASHI0H8F1M2m1e9TUSXOVW3KMqm7cK94ZQMFvd4AYdLfmfnStMp_MqIQh4kpIkB6h2b1M3possVrLKH_l2L3uT-qFiwQlH9-dt0Cje5mrkpsYCy4hAXNFUPhIyBWAZwOQylIE2sPuopFs55lRIHpWP2CqNe-IK8tX87BRuJ_Vy3GIFxDjD5uu74scIyQCKMImB6xQ_-mQ"
}

Sample Response

{
  "kid": "https://myvault.vault.azure.net/keys/sdktestkey/4eb68492b5f6421e835d961ad2be3155",
  "value": "dvDmrSBpjRjtYg"
}
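
The CBC recommendation above, as an added example that is not part of the original reference page or of any Microsoft SDK: a client-side gate that verifies an HMAC before it builds the request body for this operation. The function name `build_decrypt_request`, the application-held `mac_key`, and the choice of HMAC-SHA-256 over `iv || ciphertext` are assumptions made for illustration; the algorithm names and body fields are the ones listed on this page.

```python
import base64
import hashlib
import hmac

# Algorithm names are the JsonWebKeyEncryptionAlgorithm values listed on this page.
CBC_ALGS = {"A128CBC", "A128CBCPAD", "A192CBC", "A192CBCPAD", "A256CBC", "A256CBCPAD"}
GCM_ALGS = {"A128GCM", "A192GCM", "A256GCM"}


def b64url(data: bytes) -> str:
    """Unpadded URL-safe base64, the encoding seen in the sample request."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_decrypt_request(vault, key_name, key_version, alg, ciphertext,
                          *, iv=None, aad=None, tag=None, mac_key=None, mac=None):
    """Return (url, body) for the decrypt call, or raise ValueError.

    Assumption: CBC ciphertexts were produced encrypt-then-MAC, with
    mac = HMAC-SHA-256(mac_key, iv || ciphertext) and mac_key held by the
    application, separate from the vault key.
    """
    if alg in CBC_ALGS:
        if iv is None:
            raise ValueError("CBC algorithms need an iv")
        if mac_key is None or mac is None:
            raise ValueError("refusing CBC decrypt without an integrity check")
        expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):  # constant-time comparison
            raise ValueError("HMAC mismatch: ciphertext or iv was modified")
    elif alg in GCM_ALGS and (iv is None or tag is None):
        raise ValueError("GCM algorithms need both iv and tag")

    body = {"alg": alg, "value": b64url(ciphertext)}
    for name, field in (("iv", iv), ("aad", aad), ("tag", tag)):
        if field is not None:
            body[name] = b64url(field)
    url = f"{vault.rstrip('/')}/keys/{key_name}/{key_version}/decrypt?api-version=7.4"
    return url, body


if __name__ == "__main__":
    # Constructed sample values, not real key material.
    iv, ct, key = bytes(16), bytes(range(32)), b"constructed-demo-mac-key"
    mac = hmac.new(key, iv + ct, hashlib.sha256).digest()
    print(build_decrypt_request("https://myvault.vault.azure.net", "sdktestkey",
                                "4eb68492b5f6421e835d961ad2be3155", "A256CBCPAD",
                                ct, iv=iv, mac_key=key, mac=mac))
```

The returned body is what would be sent as JSON in the POST; a ciphertext that fails the HMAC check never reaches the vault.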

Definitions

| Name | Description |
|---|---|
| Error | The key vault server error. |
| JsonWebKeyEncryptionAlgorithm | algorithm identifier |
| KeyOperationResult | The key operation result. |
| KeyOperationsParameters | The key operations parameters. |
| KeyVaultError | The key vault error exception. |

Error

The key vault server error.

| Name | Type | Description |
|---|---|---|
| code | string | The error code. |
| innererror | Error | The key vault server error. |
| message | string | The error message. |

JsonWebKeyEncryptionAlgorithm

algorithm identifier

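| Name | Type | Description |
|---|---|---|
| A128CBC | string | |
| A128CBCPAD | string | |
| A128GCM | string | |
| A128KW | string | |
| A192CBC | string | |
| A192CBCPAD | string | |
| A192GCM | string | |
| A192KW | string | |
| A256CBC | string | |
| A256CBCPAD | string | |
| A256GCM | string | |
| A256KW | string | |
| RSA-OAEP | string | |
| RSA-OAEP-256 | string | |
| RSA1_5 | string | |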

KeyOperationResult

The key operation result.

| Name | Type | Description |
|---|---|---|
| aad | string | |
| iv | string | |
| kid | string | Key identifier |
| tag | string | |
| value | string | |

KeyOperationsParameters

The key operations parameters.

| Name | Type | Description |
|---|---|---|
| aad | string | Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. |
| alg | JsonWebKeyEncryptionAlgorithm | algorithm identifier |
| iv | string | Cryptographically random, non-repeating initialization vector for symmetric algorithms. |
| tag | string | The tag to authenticate when performing decryption with an authenticated algorithm. |
| value | string | |

KeyVaultError

The key vault error exception.

| Name | Type | Description |
|---|---|---|
| error | Error | The key vault server error. |