.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.TH nethsm-key-decrypt 1 "nethsm-key-decrypt "
.SH NAME
nethsm\-key\-decrypt \- Decrypt a message using a key
.SH SYNOPSIS
\fBnethsm key decrypt\fR [\fB\-f\fR|\fB\-\-force\fR] [\fB\-i\fR|\fB\-\-initialization\-vector\fR] [\fB\-o\fR|\fB\-\-output\fR] [\fB\-a\fR|\fB\-\-auth\-passphrase\-file\fR] [\fB\-c\fR|\fB\-\-config\fR] [\fB\-l\fR|\fB\-\-label\fR] [\fB\-u\fR|\fB\-\-user\fR] [\fB\-h\fR|\fB\-\-help\fR] <\fIKEY_ID\fR> <\fIMESSAGE\fR> [\fIDECRYPT_MODE\fR]
.SH DESCRIPTION
Decrypt a message using a key.
.PP
The chosen decryption mode must match the type of the targeted key ("AesCbc" for an AES key, one of the RSA modes for an RSA key), and for symmetric decryption the initialization vector must be identical to the one used for encryption.
.PP
System\-wide users in the "Operator" role can only decrypt messages using system\-wide keys.
Namespaced users in the "Operator" role can only decrypt messages using keys in their own namespace.
.PP
Requires authentication of a user in the "Operator" role that has access (see "nethsm key tag" and "nethsm user tag") to the targeted key.
.SH OPTIONS
.TP
\fB\-f\fR, \fB\-\-force\fR
Write to the output file even if it already exists.
.RS
May also be specified with the \fBNETHSM_FORCE\fR environment variable.
.RE
.TP
\fB\-i\fR, \fB\-\-initialization\-vector\fR=\fIINITIALIZATION_VECTOR\fR
The path to a file containing the initialization vector (IV) for symmetric decryption.
The IV can only be used when choosing symmetric decryption (i.e. with "AesCbc").
.RS
May also be specified with the \fBNETHSM_KEY_DECRYPT_IV\fR environment variable.
.RE
.TP
\fB\-o\fR, \fB\-\-output\fR=\fIOUTPUT\fR
The path to a specific file to write the decrypted message to.
.RS
May also be specified with the \fBNETHSM_KEY_DECRYPT_OUTPUT\fR environment variable.
.RE
.TP
\fB\-a\fR, \fB\-\-auth\-passphrase\-file\fR=\fIAUTH_PASSPHRASE_FILE\fR
The path to a file containing a passphrase for authentication.
The passphrase provided in the file must be the one for the user chosen for the command.
This option can be provided multiple times, which is needed for commands that require multiple roles at once.
With multiple passphrase files the ordering matters, as the files are assigned in order to the respective users provided by the "\-\-user" option.
.RS
May also be specified with the \fBNETHSM_AUTH_PASSPHRASE_FILE\fR environment variable.
.RE
.TP
\fB\-c\fR, \fB\-\-config\fR=\fICONFIG\fR
The path to a custom configuration file.
If specified, the custom configuration file is used instead of the default configuration file location.
.RS
May also be specified with the \fBNETHSM_CONFIG\fR environment variable.
.RE
.TP
\fB\-l\fR, \fB\-\-label\fR=\fILABEL\fR
A label uniquely identifying a device in the configuration file.
Must be provided if more than one device is set up in the configuration file.
.RS
May also be specified with the \fBNETHSM_LABEL\fR environment variable.
.RE
.TP
\fB\-u\fR, \fB\-\-user\fR=\fIUSER\fR
A user name which is used for a command.
Can be provided if no user name is set up in the configuration file for a device.
Must be provided if several user names of the same target role are set up in the configuration file for a device.
This option can be provided multiple times, which is needed for commands that require multiple roles at once.
.RS
May also be specified with the \fBNETHSM_USER\fR environment variable.
.RE
.TP
\fB\-h\fR, \fB\-\-help\fR
Print help (see a summary with \*(Aq\-h\*(Aq)
.TP
<\fIKEY_ID\fR>
The ID of the key to use for decryption.
.RS
May also be specified with the \fBNETHSM_KEY_ID\fR environment variable.
.RE
.TP
<\fIMESSAGE\fR>
The path to an encrypted message to decrypt.
.RS
May also be specified with the \fBNETHSM_KEY_DECRYPT_MESSAGE\fR environment variable.
.RE
.TP
[\fIDECRYPT_MODE\fR]
The decryption mode to use.
One of ["AesCbc", "OaepMd5", "OaepSha1", "OaepSha224", "OaepSha256", "OaepSha384", "OaepSha512", "Pkcs1", "Raw"] (defaults to "Raw").
"Pkcs1" (PKCS#1 v1.5 padding) and "Raw" (unpadded RSA) are compatibility modes; as a general cryptographic matter they are more exposed to padding\-oracle and malleability attacks than the OAEP modes, so prefer an OAEP mode with a modern hash for new deployments.
.RS
May also be specified with the \fBNETHSM_KEY_DECRYPT_MODE\fR environment variable.
.RE
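.SH EXAMPLES
.PP
The following is an added example, not part of nethsm-cli or its manual: a POSIX sh pre-flight wrapper around "nethsm key decrypt". It only enforces what this page states (the documented mode list, the "Raw" default, the IV being valid for "AesCbc" only) plus two facts that follow from AES-CBC itself (a 16-byte IV and a ciphertext that is a whole number of 16-byte blocks), so that a malformed request is rejected locally before it reaches the device. The function name, the NETHSM_DRY_RUN variable and the policy of insisting on an IV file for "AesCbc" are the wrapper's own assumptions; the option names and argument order are those of the SYNOPSIS above.

```sh
#!/bin/sh
# Added example, not part of nethsm-cli: a pre-flight wrapper around
# "nethsm key decrypt". Everything it enforces is either stated on the
# man page (mode list, "Raw" default, IV only with "AesCbc") or follows
# from AES-CBC itself (16-byte IV, ciphertext a multiple of 16 bytes).
# The option names and argument order are exactly those of the SYNOPSIS.
# With NETHSM_DRY_RUN set (assumed name) it prints the command line
# instead of running it.

NETHSM_DECRYPT_MODES="AesCbc OaepMd5 OaepSha1 OaepSha224 OaepSha256 OaepSha384 OaepSha512 Pkcs1 Raw"

# usage: nethsm_decrypt_checked KEY_ID MESSAGE_FILE [DECRYPT_MODE] [IV_FILE] [OUTPUT_FILE]
# Returns 2 on a local validation failure, otherwise the exit status of nethsm.
nethsm_decrypt_checked() {
    key_id=$1 message=$2 mode=${3:-Raw} iv=$4 output=$5

    [ -n "$key_id" ] || { echo "error: KEY_ID is required" >&2; return 2; }
    [ -r "$message" ] || { echo "error: cannot read message file '$message'" >&2; return 2; }

    # Reject anything outside the documented mode list before contacting the device.
    case " $NETHSM_DECRYPT_MODES " in
        *" $mode "*) ;;
        *) echo "error: unknown decrypt mode '$mode'" >&2; return 2 ;;
    esac

    if [ "$mode" = AesCbc ]; then
        # Wrapper policy (assumption, not stated on the page): CBC decryption
        # without the original IV cannot recover the first block, so insist on it.
        [ -n "$iv" ] || { echo "error: AesCbc requires an IV file" >&2; return 2; }
        [ -r "$iv" ] || { echo "error: cannot read IV file '$iv'" >&2; return 2; }
        iv_len=$(wc -c < "$iv" | tr -d ' ')
        [ "$iv_len" -eq 16 ] || { echo "error: AES IV must be 16 bytes, got $iv_len" >&2; return 2; }
        msg_len=$(wc -c < "$message" | tr -d ' ')
        [ $((msg_len % 16)) -eq 0 ] || { echo "error: CBC ciphertext must be a multiple of 16 bytes, got $msg_len" >&2; return 2; }
    elif [ -n "$iv" ]; then
        # The page: the IV can only be used with "AesCbc".
        echo "error: an IV is only valid with AesCbc, not $mode" >&2; return 2
    fi

    # Assemble argv in the documented order: options, then KEY_ID MESSAGE [DECRYPT_MODE].
    set -- nethsm key decrypt
    if [ -n "$iv" ]; then set -- "$@" --initialization-vector "$iv"; fi
    if [ -n "$output" ]; then set -- "$@" --output "$output"; fi
    set -- "$@" "$key_id" "$message" "$mode"

    if [ -n "$NETHSM_DRY_RUN" ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}
```

Authentication is left to the documented mechanisms (the configuration file, "\-\-user"/"\-\-auth\-passphrase\-file", or the NETHSM_* environment variables), so the wrapper never handles a passphrase itself. A typical call is `nethsm_decrypt_checked mykey ciphertext.bin AesCbc iv.bin plaintext.bin`.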