**Example 1: To decrypt an encrypted message with a symmetric CMK (Linux and macOS)**

The following ``decrypt`` command example demonstrates the recommended way to decrypt data with the AWS CLI. This version shows how to decrypt data under a symmetric customer master key (CMK).

* Provide the ciphertext in a file. 

    In the value of the ``--ciphertext-blob`` parameter, use the ``fileb://`` prefix, which tells the CLI to read the data from a binary file. If the file is not in the current directory, type the full path to file. For more information about reading AWS CLI parameter values from a file, see `Loading AWS CLI parameters from a file <https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters-file.html>` in the *AWS Command Line Interface User Guide* and `Best Practices for Local File Parameters<https://aws.amazon.com/blogs/developer/best-practices-for-local-file-parameters/>` in the *AWS Command Line Tool Blog*.

* Specify the CMK to decrypt the ciphertext.

    The ``--key-id`` parameter is not required when decrypting with symmetric CMKs. AWS KMS can get the CMK that was used to encrypt the data from the metadata in the ciphertext blob. But it's always a best practice to specify the CMK you are using. This practice ensures that you use the CMK that you intend, and prevents you from inadvertently decrypting a ciphertext using a CMK you do not trust. 

* Request the plaintext output as a text value.

    The ``--query`` parameter tells the CLI to get only the value of the ``Plaintext`` field from the output. The ``--output`` parameter returns the output as text. 

* Base64-decode the plaintext and save it in a file.

    The  following example pipes (|) the value of the ``Plaintext`` parameter to the Base64 utility, which decodes it. Then, it redirects (>) the decoded output to the ``ExamplePlaintext`` file. 

Before running this command, replace the example key ID with a valid key ID from your AWS account. ::

    aws kms decrypt \
        --ciphertext-blob fileb://ExampleEncryptedFile \
        --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
        --output text \
        --query Plaintext | base64 \
        --decode > ExamplePlaintextFile

This command produces no output. The output from the ``decrypt`` command is base64-decoded and saved in a file.

For more information, see `Decrypt <https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html>`__ in the *AWS Key Management Service API Reference*.

**Example 2: To decrypt an encrypted message with a symmetric CMK (Windows command prompt)**

The following example is the same as the previous one except that it uses the ``certutil`` utility to Base64-decode the plaintext data. This procedure requires two commands, as shown in the following examples. 

Before running this command, replace the example key ID with a valid key ID from your AWS account. ::

    aws kms decrypt ^
        --ciphertext-blob fileb://ExampleEncryptedFile ^
        --key-id 1234abcd-12ab-34cd-56ef-1234567890ab ^
        --output text ^
        --query Plaintext > ExamplePlaintextFile.base64

Run the ``certutil`` command. ::

    certutil -decode ExamplePlaintextFile.base64 ExamplePlaintextFile

Output::

    Input Length = 18
    Output Length = 12
    CertUtil: -decode command completed successfully.

For more information, see `Decrypt <https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html>`__ in the *AWS Key Management Service API Reference*.