decrypt_bitstream - 2023.2 English

Vivado Design Suite Tcl Command Reference Guide (UG835)

Document ID
Release Date
2023.2 English

Decrypt an AES-GCM encrypted bitstream


decrypt_bitstream ‑encrypted_file <arg> ‑keyfile <arg> [‑force] [‑quiet]
    [‑verbose] <file>


Name Description
-encrypted_file Input AES-GCM encrypted bitstream (.bit or .rbt)
-keyfile File containing encryption keys
[-force] Overwrite existing file
[-quiet] Ignore command errors
[-verbose] Suspend message limits during command execution
<file> Output decrypted bitstream (.bit, .bin or .rbt)




During implementation of secure encrypted AMD UltraScale™ architecture designs, bitstream-level verification must be performed on the final bitstream against the "golden" bitstream of the AMD tested Security Monitor (SecMon) IP.

The decrypt_bitstream command takes an AES-GCM encrypted bitstream file (.bit or .rbt) from an implemented design that incorporates the SecMon IP, and an encryption key file (.nky or .nkz), and returns an unencrypted bitstream file. The decrypted bitstream can then be used to complete the bitstream verification process.

This command returns the requested file if successful, or returns an error if it fails.


-encrypted_file <arg> - (Required) Specifies the AES-GCM encrypted bitstream (.bit or .rbt) to be decrypted.

-keyfile <arg> - (Required) Specifies the name of the encryption key file (.nky or .nkz). This is necessary for decrypting the encrypted bitstream.

-force - (Optional) Overwrite an existing file of the same name.

-quiet - (Optional) Execute the command quietly, returning no messages from the command. The command also returns TCL_OK regardless of any errors encountered during execution.
Note: Any errors encountered on the command-line, while launching the command, will be returned. Only errors occurring inside the command will be trapped.
-verbose - (Optional) Temporarily override any message limits and return all messages from this command.
Note: Message limits can be defined with the set_msg_config command.

<file> - (Required) Write the decrypted bitstream in standard format (.bit) or without header information (.bin).

Note: If the path is not specified as part of the file name, the file will be written into the current working directory, or the directory from which the tool was launched.


The following example decrypts the specified encrypted bitstream:

decrypt_bitstream -encrypted_file C:/Data/myDesign.bit \
   -keyfile C:/Data/key.nky -force C:/Data/myDesign_decrypted.bit

See Also