Credentials Create a KMS key Generate a data key View a KMS key Get the key ID and key ARNs of a KMS key Enable a KMS key Disable a KMS key

Working with keys using the AWS KMS API and the AWS SDK for PHP Version 3

The primary resources in AWS Key Management Service (AWS KMS) are AWS KMS keys. You can use a KMS key to encrypt your data.

The following examples show how to:

Create a customer KMS key using CreateKey.
Generate a data key using GenerateDataKey.
View a KMS key using DescribeKey.
Get key IDs and key ARNS of KMS keys using ListKeys.
Enable KMS keys using EnableKey.
Disable KMS keys using DisableKey.

All the example code for the AWS SDK for PHP is available here on GitHub.

Credentials

Before running the example code, configure your AWS credentials, as described in Credentials. Then import the AWS SDK for PHP, as described in Basic usage.

For more information about using AWS Key Management Service (AWS KMS), see the AWS KMS Developer Guide.

Create a KMS key

To create a KMS key, use the CreateKey operation.

Imports



require 'vendor/autoload.php';

use Aws\Exception\AwsException;

Sample Code


$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

//Creates a customer master key (CMK) in the caller's AWS account.
$desc = "Key for protecting critical data";

try {
    $result = $KmsClient->createKey([
        'Description' => $desc,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

Generate a data key

To generate a data encryption key, use the GenerateDataKey operation. This operation returns plaintext and encrypted copies of the data key that it creates. Specify the AWS KMS key under which to generate the data key.

Imports



require 'vendor/autoload.php';

use Aws\Exception\AwsException;

Sample Code


$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$keySpec = 'AES_256';

try {
    $result = $KmsClient->generateDataKey([
        'KeyId' => $keyId,
        'KeySpec' => $keySpec,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

View a KMS key

To get detailed information about a KMS key, including the KMS key’s Amazon Resource Name (ARN) and key state, use the DescribeKey operation.

DescribeKey doesn’t get aliases. To get aliases, use the ListAliases operation.

Imports



require 'vendor/autoload.php';

use Aws\Exception\AwsException;

Sample Code


$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

try {
    $result = $KmsClient->describeKey([
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

Get the key ID and key ARNs of a KMS key

To get the ID and ARN of the KMS key, use the ListAliases operation.

Imports



require 'vendor/autoload.php';

use Aws\Exception\AwsException;

Sample Code


$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$limit = 10;

try {
    $result = $KmsClient->listKeys([
        'Limit' => $limit,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

Enable a KMS key

To enable a disabled KMS key, use the EnableKey operation.

Imports



require 'vendor/autoload.php';

use Aws\Exception\AwsException;

Sample Code


$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

try {
    $result = $KmsClient->enableKey([
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

Disable a KMS key

To disable a KMS key, use the DisableKey operation. Disabling a KMS key prevents it from being used.

Imports



require 'vendor/autoload.php';

use Aws\Exception\AwsException;

Sample Code


$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

try {
    $result = $KmsClient->disableKey([
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Key Management Service

Encrypting and decrypting data keys