AWS SDK for PHP
Developer Guide

Encrypting and Decrypting AWS KMS Data Keys Using the AWS SDK for PHP Version 3

Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys.

You can use an AWS Key Management Service (AWS KMS) customer master key (CMK) to generate, encrypt, and decrypt data keys. However, AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys. You must use and manage data keys outside of AWS KMS.

The following examples show how to:

  • Encrypt a data key using Encrypt.

  • Decrypt a data key using Decrypt.

  • Re-encrypt a data key with a new CMK using ReEncrypt.

All the example code for the AWS SDK for PHP Version 3 is available here on GitHub.

Credentials

Before running the example code, configure your AWS credentials, as described in Credentials for the AWS SDK for PHP Version 3. Then import the AWS SDK for PHP, as described in Basic Usage Patterns of the AWS SDK for PHP Version 3.

For more information about using AWS Key Management Service (AWS KMS), see the AWS KMS Developer Guide.

Encrypt

The Encrypt operation is designed to encrypt data keys, but it's not frequently used. The GenerateDataKey and GenerateDataKeyWithoutPlaintext operations already return encrypted data keys. You might use the Encrypt method when you're moving encrypted data to a new AWS Region and want to encrypt its data key by using a CMK in the new Region.

Imports

require 'vendor/autoload.php';

use Aws\Kms\KmsClient;
use Aws\Exception\AwsException;

Sample Code

$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

// The CMK must live in the same Region as the client; replace this example ARN with your own key.
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
// Ten bytes of sample plaintext standing in for a data key.
$message = pack('c*', 1, 2, 3, 4, 5, 6, 7, 8, 9, 0);

try {
    $result = $KmsClient->encrypt([
        'KeyId' => $keyId,
        'Plaintext' => $message,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

Decrypt

To decrypt a data key, use the Decrypt operation.

The ciphertextBlob that you specify must be the value of the CiphertextBlob field from a GenerateDataKey, GenerateDataKeyWithoutPlaintext, or Encrypt response.

Imports

require 'vendor/autoload.php';

use Aws\Kms\KmsClient;
use Aws\Exception\AwsException;

Sample Code

$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

// Raw (not base64-encoded) CiphertextBlob from a previous GenerateDataKey, GenerateDataKeyWithoutPlaintext, or Encrypt call.
$ciphertext = 'Place your cipher text blob here';

try {
    $result = $KmsClient->decrypt([
        'CiphertextBlob' => $ciphertext,
    ]);
    $plaintext = $result['Plaintext'];
    var_dump($plaintext);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
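The Encrypt and Decrypt samples above show the two KMS calls in isolation. The following added example (not from the AWS guide or the SDK project) shows how they fit into envelope encryption: a data key is generated under the CMK, used locally with AES-256-GCM, and only its wrapped form is stored; on the way back, Decrypt is called with the expected KeyId and the same EncryptionContext so that a wrapped key produced under another CMK or another context is rejected. The key ARN, the encryption context values, and the sample record are placeholders and assumptions.

```php
<?php
// Added example, not part of the AWS SDK for PHP guide. Assumes credentials in the
// 'default' profile and a symmetric CMK in us-east-2 (the ARN below is a placeholder).
require 'vendor/autoload.php';

use Aws\Kms\KmsClient;
use Aws\Exception\AwsException;

$keyId   = 'arn:aws:kms:us-east-2:111122223333:key/PLACEHOLDER-KEY-ID'; // placeholder
$context = ['purpose' => 'customer-records', 'tenant' => 'example'];    // assumed context values
$kms     = new KmsClient(['profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-east-2']);

function envelopeEncrypt(KmsClient $kms, string $keyId, array $context, string $plaintext): array
{
    // KMS returns the data key twice: in plaintext (used once here, then discarded)
    // and encrypted under the CMK (the only copy that gets stored).
    $dk       = $kms->generateDataKey(['KeyId' => $keyId, 'KeySpec' => 'AES_256', 'EncryptionContext' => $context]);
    $plainKey = $dk['Plaintext'];
    $iv       = random_bytes(12); // fresh 96-bit nonce per message; never reuse with the same key
    $tag      = '';
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $plainKey, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ciphertext === false) {
        throw new RuntimeException('local encryption failed');
    }
    $plainKey = str_repeat("\0", strlen($plainKey)); // best-effort wipe; PHP gives no hard guarantee
    return ['wrapped_key' => $dk['CiphertextBlob'], 'iv' => $iv, 'tag' => $tag, 'ciphertext' => $ciphertext];
}

function envelopeDecrypt(KmsClient $kms, string $keyId, array $context, array $envelope): string
{
    // KeyId and EncryptionContext pin the unwrap to the expected CMK and context; KMS
    // refuses the call if the stored wrapped key does not match either one.
    $dk = $kms->decrypt(['CiphertextBlob' => $envelope['wrapped_key'], 'KeyId' => $keyId, 'EncryptionContext' => $context]);
    $plaintext = openssl_decrypt($envelope['ciphertext'], 'aes-256-gcm', $dk['Plaintext'],
                                 OPENSSL_RAW_DATA, $envelope['iv'], $envelope['tag']);
    if ($plaintext === false) {
        throw new RuntimeException('GCM tag check failed: ciphertext, IV, or tag was altered');
    }
    return $plaintext;
}

try {
    $envelope = envelopeEncrypt($kms, $keyId, $context, 'account-number=0123456789'); // constructed sample record
    echo 'wrapped key: ', base64_encode($envelope['wrapped_key']), "\n"; // persist with iv, tag, ciphertext
    echo 'recovered:   ', envelopeDecrypt($kms, $keyId, $context, $envelope), "\n";
} catch (AwsException $e) {
    echo $e->getAwsErrorCode(), ': ', $e->getMessage(), "\n";
}
```

Store the IV, tag, and wrapped key next to the ciphertext; none of them is secret, and all three are needed to decrypt.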

ReEncrypt

To decrypt an encrypted data key, and then immediately re-encrypt the data key under a different CMK, use the ReEncrypt operation. The operations are performed entirely on the server side within AWS KMS, so they never expose your plaintext outside of AWS KMS.

The ciphertextBlob that you specify must be the value of the CiphertextBlob field from a GenerateDataKey, GenerateDataKeyWithoutPlaintext, or Encrypt response.

Imports

require 'vendor/autoload.php';

use Aws\Kms\KmsClient;
use Aws\Exception\AwsException;

Sample Code

$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

// The destination CMK must be in the same Region as the client; replace this example ARN with your own key.
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
// Raw CiphertextBlob from a previous GenerateDataKey, GenerateDataKeyWithoutPlaintext, or Encrypt call.
$ciphertextBlob = 'Place your cipher text blob here';

try {
    $result = $KmsClient->reEncrypt([
        'CiphertextBlob' => $ciphertextBlob,
        'DestinationKeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}