Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Specifying Server-Side Encryption Using the AWS SDK for PHP

This topic guides you through using classes from the AWS SDK for PHP to add server-side encryption to objects you are uploading to Amazon S3.

Note

This topic assumes that you are already following the instructions for Using the AWS SDK for PHP and Running PHP Examples and have the AWS SDK for PHP properly installed.

You can use the Aws\S3\S3Client::putObject() method to upload an object to Amazon S3. For a working sample of how to upload an object, see Upload an Object Using the AWS SDK for PHP.

To add the x-amz-server-side-encryption request header (see Specifying Server-Side Encryption Using the REST API) to your upload request, specify the array parameter's ServerSideEncryption key with the value AES256 as shown in the following PHP code sample.

    use Aws\S3\S3Client;

    $bucket = '*** Your Bucket Name ***';
    $keyname = '*** Your Object Key ***';
    // $filepath should be absolute path to a file on disk
    $filepath = '*** Your File Path ***';

    // Instantiate the client.
    $s3 = S3Client::factory();

    // Upload a file with server-side encryption.
    $result = $s3->putObject(array(
        'Bucket'               => $bucket,
        'Key'                  => $keyname,
        'SourceFile'           => $filepath,
        'ServerSideEncryption' => 'AES256',
    ));

In response, Amazon S3 returns the x-amz-server-side-encryption header with the value of the encryption algorithm used to encrypt your object data.

When you upload large objects using the multipart upload API, you can also specify server-side encryption for the objects that you are uploading.

Determining Encryption Algorithm Used

To determine the encryption state of an existing object, retrieve the object metadata by calling the Aws\S3\S3Client::headObject() method as shown in the following PHP code sample.

    use Aws\S3\S3Client;

    $bucket = '*** Your Bucket Name ***';
    $keyname = '*** Your Object Key ***';

    // Instantiate the client.
    $s3 = S3Client::factory();

    // Check which server-side encryption algorithm is used.
    $result = $s3->headObject(array(
        'Bucket' => $bucket,
        'Key'    => $keyname,
    ));
    echo $result['ServerSideEncryption'];

Changing Server-Side Encryption of an Existing Object (Copy Operation)

To change the encryption state of an existing object, make a copy of the object using the Aws\S3\S3Client::copyObject() method and delete the source object. Note that by default copyObject() will not encrypt the target, unless you explicitly request server-side encryption of the destination object using the array parameter's ServerSideEncryption key with the value AES256. The following PHP code sample makes a copy of an object and adds server-side encryption to the copied object.

    use Aws\S3\S3Client;

    $sourceBucket = '*** Your Source Bucket Name ***';
    $sourceKeyname = '*** Your Source Object Key ***';

    $targetBucket = '*** Your Target Bucket Name ***';
    $targetKeyname = '*** Your Target Object Key ***';

    // Instantiate the client.
    $s3 = S3Client::factory();

    // Copy an object and add server-side encryption.
    $result = $s3->copyObject(array(
        'Bucket'               => $targetBucket,
        'Key'                  => $targetKeyname,
        'CopySource'           => "{$sourceBucket}/{$sourceKeyname}",
        'ServerSideEncryption' => 'AES256',
    ));

For a working sample of how to copy an object, see Copy an Object Using the AWS SDK for PHP.
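
The copy-and-delete procedure above can be combined with the headObject() check so that the source is removed only after the encrypted copy has been confirmed. The following is an added example, not code from the AWS documentation: reencryptObject() is a hypothetical helper name, and the autoloader path assumes a Composer installation of the SDK.

```php
<?php
// Added example (not from the AWS documentation).
// Assumption: the SDK was installed with Composer.
require 'vendor/autoload.php';

use Aws\S3\S3Client;

// Hypothetical helper: copy with SSE, verify the copy, then delete the source.
function reencryptObject($s3, $srcBucket, $srcKey, $dstBucket, $dstKey)
{
    // Deleting the "source" after copying an object onto itself would
    // remove the only copy, so refuse identical source and target.
    if ($srcBucket === $dstBucket && $srcKey === $dstKey) {
        throw new InvalidArgumentException('Source and target must differ.');
    }

    $source = $s3->headObject(array('Bucket' => $srcBucket, 'Key' => $srcKey));

    // copyObject() does not encrypt the target unless it is asked to.
    $s3->copyObject(array(
        'Bucket'               => $dstBucket,
        'Key'                  => $dstKey,
        'CopySource'           => "{$srcBucket}/{$srcKey}",
        'ServerSideEncryption' => 'AES256',
    ));

    // Confirm from the target's metadata that it is encrypted and has the
    // same size as the source before anything is deleted.
    $target = $s3->headObject(array('Bucket' => $dstBucket, 'Key' => $dstKey));
    if ($target['ServerSideEncryption'] !== 'AES256'
        || $target['ContentLength'] != $source['ContentLength']) {
        throw new RuntimeException("Copy of {$srcKey} failed verification; source kept.");
    }

    $s3->deleteObject(array('Bucket' => $srcBucket, 'Key' => $srcKey));
    return $target['ServerSideEncryption'];
}

// Placeholder values in the style of the samples above.
$s3 = S3Client::factory();
echo reencryptObject(
    $s3,
    '*** Your Source Bucket Name ***', '*** Your Source Object Key ***',
    '*** Your Target Bucket Name ***', '*** Your Target Object Key ***'
);
```

If versioning is enabled on the source bucket, deleteObject() only adds a delete marker, and earlier unencrypted versions of the object remain stored until those versions are deleted.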

Related Resources