AWS SDK Version 3 for .NET
API Reference

AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Container for the parameters to the Decrypt operation. Decrypts ciphertext. Ciphertext is plaintext that has been previously encrypted by using any of the following operations:

Note that if a caller has been granted access permissions to all keys (through, for example, IAM user policies that grant Decrypt permission on all resources), then ciphertext encrypted by using keys in other accounts where the key grants access to the caller can be decrypted. To remedy this, we recommend that you do not grant Decrypt access in an IAM user policy. Instead grant Decrypt access only in key policies. If you must grant Decrypt access in an IAM user policy, you should scope the resource to specific keys or to specific trusted accounts.

Inheritance Hierarchy


Namespace: Amazon.KeyManagementService.Model
Assembly: AWSSDK.KeyManagementService.dll
Version: 3.x.y.z


public class DecryptRequest : AmazonKeyManagementServiceRequest

The DecryptRequest type exposes the following members


Public Method DecryptRequest()


Public Property CiphertextBlob System.IO.MemoryStream

Gets and sets the property CiphertextBlob.

Ciphertext to be decrypted. The blob includes metadata.

Public Property EncryptionContext System.Collections.Generic.Dictionary<System.String, System.String>

Gets and sets the property EncryptionContext.

The encryption context. If this was specified in the Encrypt function, it must be specified here or the decryption operation will fail. For more information, see Encryption Context.

Public Property GrantTokens System.Collections.Generic.List<System.String>

Gets and sets the property GrantTokens.

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.


The following example decrypts data that was encrypted with a customer master key (CMK) in AWS KMS.

To decrypt data

var response = client.Decrypt(new DecryptRequest 
    CiphertextBlob = new MemoryStream() // The encrypted data (ciphertext).

string keyId = response.KeyId; // The Amazon Resource Name (ARN) of the CMK that was used to decrypt the data.
MemoryStream plaintext = response.Plaintext; // The decrypted (plaintext) data.


Version Information

.NET Standard:
Supported in: 1.3

.NET Framework:
Supported in: 4.5, 4.0, 3.5

Portable Class Library:
Supported in: Windows Store Apps
Supported in: Windows Phone 8.1
Supported in: Xamarin Android
Supported in: Xamarin iOS (Unified)
Supported in: Xamarin.Forms