AES_DECRYPT()
The AES_DECRYPT() function decrypts crypt_str with key_str using AES and returns the plaintext as a VARCHAR.
Description
The AES_DECRYPT() function decrypts crypt_str with key_str using AES and returns the plaintext as a VARCHAR. The encryption mode is selected by the session variable block_encryption_mode and must match the mode used to produce crypt_str.
MatrixOne currently supports two modes:
aes-128-ecb(default). Key is derived to 16 bytes; the optionalinit_vectorargument is ignored.aes-256-cbc. Key is derived to 32 bytes; theinit_vectorargument is required and must be at least 16 bytes, matching the IV used to encrypt.
The function returns NULL in any of the following cases:
crypt_strorkey_strisNULL.block_encryption_modeis set to an unsupported value.- CBC mode is selected but the IV is missing,
NULL, or shorter than 16 bytes. - Key derivation or the underlying AES operation fails (wrong key, tampered ciphertext, or bad padding).
Syntax
> AES_DECRYPT(crypt_str, key_str)
> AES_DECRYPT(crypt_str, key_str, init_vector)
Arguments
| Arguments | Description |
|---|---|
| crypt_str | Required. The ciphertext to decrypt. Accepts BLOB, VARCHAR, CHAR, or TEXT. |
| key_str | Required. The encryption key that was used to produce crypt_str. |
| init_vector | Optional. The initialization vector, required when block_encryption_mode selects a CBC mode. |
Examples
mysql> SET block_encryption_mode = 'aes-128-ecb';
mysql> SELECT AES_DECRYPT(AES_ENCRYPT('MatrixOne', 'my-secret-key'), 'my-secret-key');
+--------------------------------------------------------------------------+
| aes_decrypt(aes_encrypt(matrixone, my-secret-key), my-secret-key) |
+--------------------------------------------------------------------------+
| MatrixOne |
+--------------------------------------------------------------------------+