

# Encrypting and decrypting Amazon KMS data keys using the Amazon SDK for PHP Version 3

Data keys are symmetric encryption keys that you use to encrypt data outside of Amazon KMS, including large amounts of data and other data encryption keys. Amazon KMS does not store or manage data keys; you store the encrypted copy alongside the data it protects and ask Amazon KMS to decrypt it when you need it.

You can use an Amazon Key Management Service (Amazon KMS) [KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#kms_keys) to generate, encrypt, and decrypt data keys. The plaintext data key is only ever returned to you; it never leaves Amazon KMS except in the response to your request, so you should use it immediately and discard it.

The following examples show how to:
+ Encrypt a data key using [Encrypt](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#encrypt).
+ Decrypt a data key using [Decrypt](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#decrypt).
+ Re-encrypt a data key with a new KMS key using [ReEncrypt](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#reencrypt).

All the example code for the Amazon SDK for PHP is available [here on GitHub](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code).

## Credentials


Before running the example code, configure your Amazon credentials, as described in [Authenticating with Amazon using Amazon SDK for PHP Version 3](credentials.md). Then import the Amazon SDK for PHP, as described in [Installing the Amazon SDK for PHP Version 3](getting-started_installation.md).

For more information about using Amazon Key Management Service (Amazon KMS), see the [Amazon KMS Developer Guide](https://docs.amazonaws.cn/kms/latest/developerguide/).

## Encrypt


The [Encrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Encrypt.html) operation is designed to encrypt data keys, but it's not frequently used. The [GenerateDataKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKey.html) and [GenerateDataKeyWithoutPlaintext](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) operations already return an encrypted data key, so in most cases you never call `Encrypt` yourself. You might use the `Encrypt` method when you're moving encrypted data to a new Amazon Region and want to encrypt its data key by using a KMS key in the new Region. Note that `Encrypt` accepts at most 4 KB of plaintext, which is enough for a data key but not for bulk data; encrypt bulk data locally with the data key instead.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
// The KMS key must be in the client's Region; the placeholder ARN below is in us-west-2.
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-west-2'
]);

// Replace with the ARN of your own symmetric KMS key.
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
// Plaintext is passed as raw bytes (here a 10-byte stand-in for a data key);
// the SDK base64-encodes it on the wire.
$message = pack('c*', 1, 2, 3, 4, 5, 6, 7, 8, 9, 0);

try {
    $result = $KmsClient->encrypt([
        'KeyId' => $keyId,
        'Plaintext' => $message,
    ]);
    // $result['CiphertextBlob'] holds the encrypted data key as raw bytes;
    // $result['KeyId'] is the ARN of the key that encrypted it.
    var_dump($result);
} catch (AwsException $e) {
    // Output error message if the call fails
    echo $e->getMessage();
    echo "\n";
}
```

## Decrypt


To decrypt a data key, use the [Decrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Decrypt.html) operation.

The `CiphertextBlob` that you specify must be the value of the `CiphertextBlob` field from a [GenerateDataKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKey.html), [GenerateDataKeyWithoutPlaintext](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html), or [Encrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Encrypt.html) response. For ciphertext produced under a symmetric KMS key, Amazon KMS can identify the KMS key from metadata in the ciphertext, so `KeyId` is optional; it is still a good practice to pass it, because then Amazon KMS rejects a ciphertext that was encrypted under any other key instead of silently decrypting it with whatever key the caller happens to have access to. If the data key was encrypted with an encryption context, you must supply the identical context to `Decrypt` or the call fails.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
// The KMS key must be in the client's Region; the placeholder ARN below is in us-west-2.
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-west-2'
]);

// ARN of the KMS key you expect the data key to have been encrypted under.
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
// Raw bytes of the CiphertextBlob field from GenerateDataKey or Encrypt (not base64).
$ciphertext = 'Place your cipher text blob here';

try {
    $result = $KmsClient->decrypt([
        'CiphertextBlob' => $ciphertext,
        'KeyId' => $keyId, // optional for symmetric keys, but pins the expected key
    ]);
    // The plaintext data key, as raw bytes. Use it, then discard it; never log it.
    $plaintext = $result['Plaintext'];
    var_dump($plaintext);
} catch (AwsException $e) {
    // Output error message if the call fails
    echo $e->getMessage();
    echo "\n";
}
```

## ReEncrypt


To decrypt an encrypted data key, and then immediately reencrypt the data key under a different KMS key, use the [ReEncrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_ReEncrypt.html) operation. Both steps are performed entirely on the server side within Amazon KMS, so the plaintext data key is never exposed outside of Amazon KMS. The caller needs `kms:ReEncryptFrom` permission on the source KMS key and `kms:ReEncryptTo` permission on the destination KMS key.

The `CiphertextBlob` that you specify must be the value of the `CiphertextBlob` field from a [GenerateDataKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKey.html), [GenerateDataKeyWithoutPlaintext](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html), or [Encrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Encrypt.html) response. If the data key was encrypted with an encryption context, pass it as `SourceEncryptionContext`; the context for the new ciphertext is given separately as `DestinationEncryptionContext`. `SourceKeyId` is optional for symmetric keys but, as with `Decrypt`, pinning it prevents reencrypting a ciphertext that came from an unexpected key.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
// The KMS key must be in the client's Region; the placeholder ARN below is in us-west-2.
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-west-2'
]);

// ARN of the KMS key the data key should be reencrypted under.
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
// Raw bytes of the CiphertextBlob field from GenerateDataKey or Encrypt (not base64).
$ciphertextBlob = 'Place your cipher text blob here';

try {
    $result = $KmsClient->reEncrypt([
        'CiphertextBlob' => $ciphertextBlob,
        'DestinationKeyId' => $keyId,
    ]);
    // $result['CiphertextBlob'] is the data key encrypted under the destination key;
    // $result['SourceKeyId'] and $result['KeyId'] report the old and new KMS keys.
    var_dump($result);
} catch (AwsException $e) {
    // Output error message if the call fails
    echo $e->getMessage();
    echo "\n";
}
```
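The three operations above are usually combined into envelope encryption: generate a data key, encrypt the data locally with it, store only the encrypted data key next to the ciphertext, decrypt the data key when the data is read, and use `ReEncrypt` to move the stored data key to a new KMS key without touching the data. The following is an added example that is not part of the original page or the Amazon SDK samples; it assumes two symmetric KMS keys in `us-west-2` (both ARNs are placeholders to replace), the `openssl` extension for AES-256-GCM, and a caller with `kms:GenerateDataKey` and `kms:Decrypt` on the source key, `kms:ReEncryptFrom` on the source key and `kms:ReEncryptTo` on the destination key. The functions `envelopeEncrypt`, `envelopeDecrypt` and `rotateDataKey`, the encryption context and the sample record are all constructed for this example.

```php
<?php
// Added example: envelope encryption with a KMS data key, plus rotation of the
// stored encrypted data key to a second KMS key with ReEncrypt. Not from the page.
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
use Aws\Kms\KmsClient;

$kmsClient = new KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region'  => 'us-west-2',
]);

// Placeholder ARNs (assumed); both keys must be symmetric and in the client's Region.
$sourceKeyArn = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$destKeyArn   = 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321';

// Encryption context: non-secret, written to CloudTrail, and it must match exactly on
// Decrypt/ReEncrypt. Binding the record identity stops a data key being reused for
// another record by anyone who can call Decrypt on the key.
$context = ['purpose' => 'customer-records', 'record_id' => '42'];

// Encrypt $plaintext locally under a fresh data key. Returns what to store:
// the encrypted data key (never the plaintext key), IV, GCM tag and ciphertext.
function envelopeEncrypt(KmsClient $kms, string $keyId, array $context, string $plaintext): array
{
    $dk = $kms->generateDataKey([
        'KeyId'             => $keyId,
        'KeySpec'           => 'AES_256',
        'EncryptionContext' => $context,
    ]);
    $dataKey = $dk['Plaintext'];          // 32 raw bytes; used only inside this function
    $iv  = random_bytes(12);               // fresh 96-bit nonce; never reused with the same key
    $tag = '';
    $aad = json_encode($context);          // bind the context into the GCM tag as well
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $dataKey, OPENSSL_RAW_DATA, $iv, $tag, $aad, 16);
    if ($ciphertext === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    if (function_exists('sodium_memzero')) {
        sodium_memzero($dataKey);           // best effort; the Result object still holds a copy
    }
    return [
        'encrypted_data_key' => $dk['CiphertextBlob'], // raw bytes, as returned by the SDK
        'iv'                 => $iv,
        'tag'                => $tag,
        'ciphertext'         => $ciphertext,
    ];
}

// Decrypt a stored record: unwrap the data key in KMS (pinning KeyId and context), then AES-GCM.
function envelopeDecrypt(KmsClient $kms, string $expectedKeyId, array $context, array $record): string
{
    $res = $kms->decrypt([
        'CiphertextBlob'    => $record['encrypted_data_key'],
        'KeyId'             => $expectedKeyId,   // reject a data key wrapped by another KMS key
        'EncryptionContext' => $context,         // mismatch => InvalidCiphertextException
    ]);
    $dataKey = $res['Plaintext'];
    $plaintext = openssl_decrypt($record['ciphertext'], 'aes-256-gcm', $dataKey, OPENSSL_RAW_DATA,
                                 $record['iv'], $record['tag'], json_encode($context));
    if (function_exists('sodium_memzero')) {
        sodium_memzero($dataKey);
    }
    if ($plaintext === false) {
        throw new RuntimeException('AES-GCM authentication failed: ciphertext, IV, tag or AAD was altered');
    }
    return $plaintext;
}

// Rotate only the wrapped data key to a new KMS key. The data ciphertext is untouched
// and the plaintext data key never leaves KMS.
function rotateDataKey(KmsClient $kms, string $fromKeyId, string $toKeyId, array $context, array $record): array
{
    $res = $kms->reEncrypt([
        'CiphertextBlob'               => $record['encrypted_data_key'],
        'SourceKeyId'                  => $fromKeyId,     // optional, but pins the expected source key
        'SourceEncryptionContext'      => $context,
        'DestinationKeyId'             => $toKeyId,
        'DestinationEncryptionContext' => $context,
    ]);
    $record['encrypted_data_key'] = $res['CiphertextBlob'];
    return $record;
}

try {
    // Constructed sample record.
    $record = envelopeEncrypt($kmsClient, $sourceKeyArn, $context, 'account number 1234-5678');
    echo envelopeDecrypt($kmsClient, $sourceKeyArn, $context, $record), "\n";

    // Move the stored data key to the new KMS key, then verify it still decrypts the same data.
    $record = rotateDataKey($kmsClient, $sourceKeyArn, $destKeyArn, $context, $record);
    echo envelopeDecrypt($kmsClient, $destKeyArn, $context, $record), "\n";
} catch (AwsException $e) {
    echo $e->getAwsErrorCode(), ': ', $e->getMessage(), "\n";
}
```

After `rotateDataKey`, a `Decrypt` that still pins `$sourceKeyArn` fails with `IncorrectKeyException`, which is the behaviour you want: the stored record now depends only on the destination key, and the source key can be scheduled for deletion once every record has been rotated. Store `iv`, `tag` and `encrypted_data_key` verbatim (for example base64-encoded in a database column); if any of them is altered, `openssl_decrypt` returns `false` rather than returning corrupted plaintext.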