transit envelope decrypt

The transit envelope decrypt command uses the Transit plugin to decrypt data encryption keys (DEKs) stored with ciphertext to decrypt files and streams of arbitrary size without reading the plaintext into Vault.

Decryption happens entirely on the caller side. As a result, the caller must have write permissions on the decrypt endpoint for the given key encrypting key.

$ vault transit envelope decrypt [flags] <key_path> <file_path_1> [<file_path_2> .. <file_path_N>]

Command arguments

• key_path (string : "") - Path to the transit key for DEK/EDK generation. Must be in the form <mount>/keys/<key_name> where <mount> is the path to the Transit mount without namespaces and <key_name> is the target key.

• file_path (string : "") The path to a file to decrypt, or - to decrypt input from stdin. You cannot use a second file path when decrypting from stdin. By default, Vault writes the decrypted file to the same parent location as file_path and uses the input file name with the suffix removed as the output file name.

Command flags

• --quiet (bool: false) - Display no output unless there is an error.

• --output (string: "") - Write the decrypted information to the provided file path instead of the default location. You cannot use --output when decrypting multiple input files in a single command. You cannot use --output with --suffix.

• --suffix (string: ".vee") - Suffix to remove from output file names. You cannot use --suffix with --output.

• --aad (string: "") - Additional authenticated data as a base64 encoded binary blob. You can provide the data inline or as a file reference (@filename). Vault adds the extra data to the authentication present in the output. Decryption fails if you set add during encryption and the provided aad value does not match the original add value.

Examples

$ vault transit envelope decrypt \
  --output really-big-file2.zip \
  transit/keys/test-key          \
  really-big-file.zip.vee