Symmetric keys and private keys can be used to decrypt data. Only the user identified by the hsm-admin argument or a user granted the Decrypt operation (by the HSM admin) can decrypt data with keys stored in the HSM.
For symmetric keys, only AES GCM is supported. CKM_RSA_PKCS_OAEP and the now deprecated but still widely used CKM_RSA_PKCS (v1.5) are supported for RSA keys. The hashing algorithm is fixed to SHA256.
To decrypt a message with the private key hsm::4::my_rsa_key and the CKM_RSA_PKCS_OAEP algorithm, the following command can be used:
❯ cosmian kms rsa decrypt --key-id hsm::4::my_rsa_key --encryption-algorithm ckm-rsa-pkcs-oaep \
--output-file /tmp/secret.recovered.txt /tmp/secret.enc
The decrypted file is available at /tmp/secret.recovered.txt
To decrypt a message using AES GCM with the symmetric key hsm::4::my_aes_key, the following command can be used:
❯ cosmian kms sym decrypt --key-id hsm::4::my_aes_key --data-encryption-algorithm aes-gcm \
--output-file /tmp/secret.recovered.txt /tmp/secret.enc
The decrypted file is available at "/tmp/secret.recovered.txt"
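The two commands above, wrapped in a small POSIX shell helper as an added example (this is not Cosmian's own tooling): it checks that the key id has the hsm::<slot>::<label> shape used on this page and that the requested algorithm is one the HSM supports for that key type before calling the CLI, and afterwards confirms that a non-empty plaintext file was written. The key-id pattern is inferred from the page's examples, and the `ckm-rsa-pkcs` value for the PKCS#1 v1.5 mode is an assumed spelling; the page itself only shows `ckm-rsa-pkcs-oaep` and `aes-gcm`.

```shell
#!/bin/sh
# Added example, not part of the Cosmian documentation or CLI.
# Assumptions: HSM key ids look like hsm::<slot>::<label> (as on this page);
# CLI algorithm values are aes-gcm (symmetric keys), ckm-rsa-pkcs-oaep and,
# assumed, ckm-rsa-pkcs (RSA keys).

# Return 0 if $1 is a well-formed HSM key id: hsm::<digits>::<label>,
# where the label is non-empty and does not itself contain '::'
# (so a doubled prefix such as hsm::4::hsm::4::x is rejected).
is_hsm_key_id() {
    case "$1" in hsm::*) ;; *) return 1 ;; esac
    slot=${1#hsm::}; slot=${slot%%::*}   # text between the first two '::'
    label=${1#hsm::*::}                   # everything after the second '::'
    case "$slot" in ''|*[!0-9]*) return 1 ;; esac
    case "$label" in ''|*::*) return 1 ;; esac
    return 0
}

# Print the decrypt command for KEY_TYPE (sym|rsa) KEY_ID ALGO IN_FILE OUT_FILE.
# Fails on a malformed key id or an algorithm the key type does not support.
build_decrypt_cmd() {
    key_type=$1; key_id=$2; algo=$3; in_file=$4; out_file=$5
    is_hsm_key_id "$key_id" || { echo "bad key id: $key_id" >&2; return 1; }
    case "$key_type:$algo" in
        sym:aes-gcm)
            printf 'cosmian kms sym decrypt --key-id %s --data-encryption-algorithm %s --output-file %s %s\n' \
                "$key_id" "$algo" "$out_file" "$in_file" ;;
        rsa:ckm-rsa-pkcs-oaep|rsa:ckm-rsa-pkcs)
            printf 'cosmian kms rsa decrypt --key-id %s --encryption-algorithm %s --output-file %s %s\n' \
                "$key_id" "$algo" "$out_file" "$in_file" ;;
        *)
            echo "unsupported key type / algorithm: $key_type / $algo" >&2; return 1 ;;
    esac
}

# Validate, then run the decryption (or only print it when DRY_RUN=1) and
# check that the plaintext file exists and is non-empty.
hsm_decrypt() {
    key_type=$1; key_id=$2; algo=$3; in_file=$4; out_file=$5
    cmd=$(build_decrypt_cmd "$key_type" "$key_id" "$algo" "$in_file" "$out_file") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; return 0; fi
    case "$key_type" in
        sym) cosmian kms sym decrypt --key-id "$key_id" --data-encryption-algorithm "$algo" \
                 --output-file "$out_file" "$in_file" || return 1 ;;
        rsa) cosmian kms rsa decrypt --key-id "$key_id" --encryption-algorithm "$algo" \
                 --output-file "$out_file" "$in_file" || return 1 ;;
    esac
    [ -s "$out_file" ] || { echo "no plaintext written to $out_file" >&2; return 1; }
    echo "The decrypted file is available at $out_file"
}

# Usage (dry run, so it works on a machine without the HSM attached):
DRY_RUN=1 hsm_decrypt rsa hsm::4::my_rsa_key ckm-rsa-pkcs-oaep /tmp/secret.enc /tmp/secret.recovered.txt
```

Drop `DRY_RUN=1` to actually invoke the CLI; the final `-s` test catches the case where the tool exits successfully but leaves an empty output file behind.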