SubtleCrypto.decrypt()

Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.

The decrypt() method of the SubtleCrypto interface decrypts some encrypted data. It takes as arguments a key to decrypt with, some optional extra parameters, and the data to decrypt (also known as "ciphertext"). It returns a Promise which will be fulfilled with the decrypted data (also known as "plaintext").

Syntax

decrypt(algorithm, key, data)

Parameters

algorithm

An object specifying the algorithm to be used, and any extra parameters as required. The values given for the extra parameters must match those passed into the corresponding encrypt() call.

  • To use RSA-OAEP, pass an object with the following properties.
    name

    A string. This should be set to RSA-OAEP.

    label Optional

    An ArrayBuffer, a TypedArray, or a DataView — an array of bytes that does not itself need to be encrypted but which should be bound to the ciphertext. A digest of the label is part of the input to the encryption operation.

    Unless your application calls for a label, you can just omit this argument and it will not affect the security of the encryption operation.

  • To use AES-CBC or AES-GCM pass an object with the properties given below:
    name

    A string indicating the name of the algorithm: AES-CBC, AES-GCM.

    iv

    An ArrayBuffer, a TypedArray, or a DataView. The initialization vector. Must be 16 bytes, unpredictable, and preferably cryptographically random. However, it need not be secret (for example, it may be transmitted unencrypted along with the ciphertext).

  • To use AES-CTR, pass an object with the following properties:
    name

    A string indicating the name of the algorithm: AES-CTR.

    counter

    An ArrayBuffer, a TypedArray, or a DataView — the initial value of the counter block. This must be 16 bytes long (the AES block size). The rightmost length bits of this block are used for the counter, and the rest is used for the nonce. For example, if length is set to 64, then the first half of counter is the nonce and the second half is used for the counter.

    length

    A Number — the number of bits in the counter block that are used for the actual counter. The counter must be big enough that it doesn't wrap: if the message is n blocks and the counter is m bits long, then the following must be true: n <= 2^m. The NIST SP800-38A standard, which defines CTR, suggests that the counter should occupy half of the counter block (see Appendix B.2), so for AES it would be 64.

key

A CryptoKey containing the key to be used for decryption. If using RSA-OAEP, this is the privateKey property of the CryptoKeyPair object.

data

An ArrayBuffer, a TypedArray, or a DataView containing the data to be decrypted (also known as ciphertext).

Return value

A Promise that fulfills with an ArrayBuffer containing the plaintext.

Exceptions

The promise is rejected when the following exceptions are encountered:

InvalidAccessError DOMException

Raised when the requested operation is not valid for the provided key (e.g. invalid encryption algorithm, or invalid key for the specified encryption algorithm*)*.

OperationError DOMException

Raised when the operation failed for an operation-specific reason (e.g. algorithm parameters of invalid sizes, or there was an error decrypting the ciphertext).

Supported algorithms

The decrypt() method supports the same algorithms as the encrypt() method.

Examples

Note: You can try the working examples on GitHub.

RSA-OAEP

This code decrypts ciphertext using RSA-OAEP. See the complete code on GitHub.

function decryptMessage(privateKey, ciphertext) {
  return window.crypto.subtle.decrypt(
    { name: "RSA-OAEP" },
    privateKey,
    ciphertext
  );
}

AES-CTR

This code decrypts ciphertext using AES in CTR mode. Note that counter must match the value that was used for encryption. See the complete code on GitHub.

function decryptMessage(key, ciphertext) {
  return window.crypto.subtle.decrypt(
    { name: "AES-CTR", counter, length: 64 },
    key,
    ciphertext
  );
}

AES-CBC

This code decrypts ciphertext using AES in CBC mode. Note that iv must match the value that was used for encryption. See the complete code on GitHub.

function decryptMessage(key, ciphertext) {
  return window.crypto.subtle.decrypt({ name: "AES-CBC", iv }, key, ciphertext);
}

AES-GCM

This code decrypts ciphertext using AES in GCM mode. Note that iv must match the value that was used for encryption. See the complete code on GitHub.

function decryptMessage(key, ciphertext) {
  return window.crypto.subtle.decrypt({ name: "AES-GCM", iv }, key, ciphertext);
}

Specifications

Specification
Web Cryptography API
# SubtleCrypto-method-decrypt

Browser compatibility

BCD tables only load in the browser

See also