AWS SDK for PHP
Developer Guide

Working with Keys Using the AWS KMS API and the AWS SDK for PHP Version 3

The primary resources in AWS Key Management Service (AWS KMS) are customer master keys (CMKs). You can use a CMK to encrypt your data.

The following examples show how to:

All the example code for the AWS SDK for PHP Version 3 is available here on GitHub.

Credentials

Before running the example code, configure your AWS credentials, as described in Credentials for the AWS SDK for PHP Version 3. Then import the AWS SDK for PHP, as described in Basic Usage Patterns of the AWS SDK for PHP Version 3.

For more information about using AWS Key Management Service (AWS KMS), see the AWS KMS Developer Guide.

Create a CMK

To create a CMK, use the CreateKey operation.

Imports

require 'vendor/autoload.php'; use Aws\Kms\KmsClient; use Aws\Exception\AwsException;

Sample Code

$KmsClient = new Aws\Kms\KmsClient([ 'profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-east-2' ]); //Creates a customer master key (CMK) in the caller's AWS account. $desc = "Key for protecting critical data"; try { $result = $KmsClient->createKey([ 'Description' => $desc, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }

Generate a Data Key

To generate a data encryption key, use the GenerateDataKey operation. This operation returns plaintext and encrypted copies of the data key that it creates. You must specify the customer master key (CMK) under which to generate the data key.

Imports

require 'vendor/autoload.php'; use Aws\Kms\KmsClient; use Aws\Exception\AwsException;

Sample Code

$KmsClient = new Aws\Kms\KmsClient([ 'profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-east-2' ]); $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; $keySpec = 'AES_256'; try { $result = $KmsClient->generateDataKey([ 'KeyId' => $keyId, 'KeySpec' => $keySpec, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }

View a CMK

To get detailed information about a CMK, including the CMK's Amazon Resource Name (ARN) and key state, use the DescribeKey operation.

DescribeKey doesn't get aliases. To get aliases, use the ListAliases operation.

Imports

require 'vendor/autoload.php'; use Aws\Kms\KmsClient; use Aws\Exception\AwsException;

Sample Code

$KmsClient = new Aws\Kms\KmsClient([ 'profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-east-2' ]); $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; try { $result = $KmsClient->describeKey([ 'KeyId' => $keyId, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }

Get the Key ID and Key ARNs of a CMK

To get the ID and ARN of the CMK, use the ListAliases operation.

Imports

require 'vendor/autoload.php'; use Aws\Kms\KmsClient; use Aws\Exception\AwsException;

Sample Code

$KmsClient = new Aws\Kms\KmsClient([ 'profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-east-2' ]); $limit = 10; try { $result = $KmsClient->listKeys([ 'Limit' => $limit, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }

Enable a CMK

To enable a disabled CMK, use the EnableKey operation.

Imports

require 'vendor/autoload.php'; use Aws\Kms\KmsClient; use Aws\Exception\AwsException;

Sample Code

$KmsClient = new Aws\Kms\KmsClient([ 'profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-east-2' ]); $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; try { $result = $KmsClient->enableKey([ 'KeyId' => $keyId, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }

Disable a CMK

To disable a CMK, use the DisableKey operation. Disabling a CMK prevents it from being used.

Imports

require 'vendor/autoload.php'; use Aws\Kms\KmsClient; use Aws\Exception\AwsException;

Sample Code

$KmsClient = new Aws\Kms\KmsClient([ 'profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-east-2' ]); $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; try { $result = $KmsClient->disableKey([ 'KeyId' => $keyId, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }