Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Specifying Server-Side Encryption Using the AWS SDK for PHP

To upload an object with the AWS SDK for PHP, use the AmazonS3::create_object() method. To add the x-amz-server-side-encryption request header (see Specifying Server-Side Encryption Using REST API) to your request, use the array parameter provided by this method. In the array parameter, set the encryption key to the value AES256, as shown in the following PHP code sample.

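// Placeholders; replace with your own values.
$bucket = '*** Bucket name ***';
$keyname1 = '*** Object key ***';
$filepath = '*** Path to the file to upload ***';

// Instantiate the class.
$s3 = new AmazonS3();

// Upload the file and request server-side encryption (AES256).
$response = $s3->create_object(
    $bucket,
    $keyname1,
    array(
        'fileUpload' => $filepath,
        'encryption' => 'AES256'
    )
);
print_r($response);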

In response, Amazon S3 returns the x-amz-server-side-encryption header with the value of the encryption algorithm used to encrypt your object data.

For a working sample of how to upload an object, see Upload an Object Using the AWS SDK for PHP.

To upload large objects using the multipart upload API, you can specify server-side encryption for the objects that you are uploading.

  • When using the low-level multipart upload API (see Using the Low-Level PHP API for Multipart Upload), you can specify server-side encryption when you call the AmazonS3::initiate_multipart_upload() method. Add the array parameter and set its encryption key to the value of the encryption algorithm, AES256.

  • The high-level multipart upload API, AmazonS3::create_mpu_object() (see Using the High-Level PHP API for Multipart Upload), does not support the specification of server-side encryption.

Determining Encryption Algorithm Used

To determine the encryption state of an existing object, retrieve the object metadata by calling the get_object_headers method, as shown in the following PHP code sample. For an object that is encrypted on the server side, Amazon S3 returns the x-amz-server-side-encryption header with the value of the encryption algorithm used.

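// Placeholders; replace with your own values.
$bucket = '*** Bucket name ***';
$keyname = '*** Object key ***';

$s3 = new AmazonS3();

// Retrieve the object metadata (headers) without downloading the object.
$response = $s3->get_object_headers($bucket, $keyname);

header('Content-Type: text/plain; charset=utf-8');
print_r($response);

if ($response->isOK())
{
    echo 'Object headers retrieved!';
}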

Changing Server-Side Encryption of an Existing Object (Copy Operation)

To change the encryption state of an existing object, make a copy of the object and delete the source object. By default, the copy API does not encrypt the target; you must explicitly request server-side encryption of the destination object by adding the optional array parameter and setting the encryption key in it. The following PHP code sample makes a copy of an object and explicitly requests server-side encryption for the destination object.

$sourcebucket = '*** Source bucket ***';
$sourcekeyname = '*** Source object key ***';

$targetbucket = '*** Target bucket ***';
$targetkeyname = '*** Target object key ***';

// Instantiate the class.
$s3 = new AmazonS3();

// Copy the object, requesting server-side encryption for the target.
$response = $s3->copy_object(
    array( // Source.
        'bucket' => $sourcebucket,
        'filename' => $sourcekeyname
    ),
    array( // Target.
        'bucket' => $targetbucket,
        'filename' => $targetkeyname
    ),
    array( // Optional parameters.
        'encryption' => 'AES256'
    )
);

For a working sample of how to copy an object, see Copy an Object Using the AWS SDK for PHP.
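
The copy-then-delete procedure described above, written so that the source is deleted only after the destination is confirmed encrypted. This is an added example, not code from the original guide; the function names sse_algorithm and reencrypt_object are hypothetical, and it assumes the SDK is already loaded and that response headers are available as the array $response->header.

```php
<?php
// Added example, not part of the AWS guide. Assumes the AWS SDK for PHP
// (AmazonS3 class) is already loaded and credentials are configured.

// Return the server-side encryption algorithm reported for an object,
// or null if the header is absent or the metadata request failed.
function sse_algorithm(AmazonS3 $s3, $bucket, $key)
{
    $response = $s3->get_object_headers($bucket, $key);
    if (!$response->isOK()) {
        return null;
    }
    // Assumption: headers are exposed as the array $response->header.
    // Normalize key case so the lookup does not depend on it.
    $headers = array_change_key_case((array) $response->header, CASE_LOWER);
    return isset($headers['x-amz-server-side-encryption'])
        ? $headers['x-amz-server-side-encryption']
        : null;
}

// Copy the source to the target with encryption requested, confirm the
// target is encrypted, and only then delete the source.
function reencrypt_object(AmazonS3 $s3, $srcBucket, $srcKey, $dstBucket, $dstKey)
{
    // Deleting the "source" after an in-place copy would destroy the object.
    if ($srcBucket === $dstBucket && $srcKey === $dstKey) {
        return false;
    }
    $copy = $s3->copy_object(
        array('bucket' => $srcBucket, 'filename' => $srcKey),
        array('bucket' => $dstBucket, 'filename' => $dstKey),
        array('encryption' => 'AES256')
    );
    if (!$copy->isOK()) {
        return false; // Copy failed; the source is untouched.
    }
    if (sse_algorithm($s3, $dstBucket, $dstKey) !== 'AES256') {
        return false; // Target not confirmed encrypted; keep the source.
    }
    return $s3->delete_object($srcBucket, $srcKey)->isOK();
}

$s3 = new AmazonS3();
$ok = reencrypt_object($s3, '*** Source bucket ***', '*** Source object key ***',
                       '*** Target bucket ***', '*** Target object key ***');
echo $ok ? 'Source replaced by encrypted copy.' : 'Source kept; check the copy.';
```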