Working with keys using the Amazon KMS API and the Amazon SDK for PHP Version 3
The primary resources in Amazon Key Management Service (Amazon KMS) are Amazon KMS keys. You can use a KMS key to encrypt your data.
The following examples show how to:
- Create a customer managed KMS key using CreateKey.
- Generate a data key using GenerateDataKey.
- View a KMS key using DescribeKey.
- Get key IDs and key ARNs of KMS keys using ListKeys.
- Enable KMS keys using EnableKey.
- Disable KMS keys using DisableKey.
All the example code for the Amazon SDK for PHP is available here on GitHub.
Credentials
Before running the example code, configure your Amazon credentials, as described in Credentials. Then import the Amazon SDK for PHP, as described in Basic usage.
For more information about using Amazon Key Management Service (Amazon KMS), see the Amazon KMS Developer Guide.
Create a KMS key
To create a KMS key, use the CreateKey operation.
Imports
require 'vendor/autoload.php';
use Aws\Exception\AwsException;
Sample Code
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);
// Creates a symmetric KMS key in the caller's AWS account and Region.
// With no Policy parameter, the key gets the default key policy.
$desc = "Key for protecting critical data";
try {
    $result = $KmsClient->createKey([
        'Description' => $desc,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
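The sample above accepts the default key policy. In practice a practitioner creates the key with an explicit policy, an alias for callers to reference, and automatic rotation turned on. The following is an added example, not code from the SDK guide: it uses the real CreateKey, CreateAlias and EnableKeyRotation operations, but the account ID, the two IAM role ARNs, the alias name and the tag are placeholders, and the KeySpec parameter needs a current SDK release (older releases call it CustomerMasterKeySpec).

```php
<?php
// Added example, not from the SDK guide: create a symmetric KMS key with an explicit
// key policy, give it an alias and turn on automatic rotation. The account ID and the
// two IAM role ARNs are placeholders; 'KeySpec' needs a current SDK release.
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
use Aws\Kms\KmsClient;

$accountId = '111122223333';                                   // placeholder
$adminRole = "arn:aws:iam::{$accountId}:role/KmsAdmin";        // hypothetical role
$appRole   = "arn:aws:iam::{$accountId}:role/OrdersService";   // hypothetical role

$kms = new KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region'  => 'us-west-2',
]);

// Key policy: the account root keeps the ability to manage the policy (KMS's lockout
// safety check requires the caller to retain PutKeyPolicy), administration goes to one
// role, and the application role may only use the key with a matching encryption context.
$policy = [
    'Version'   => '2012-10-17',
    'Statement' => [
        [
            'Sid'       => 'RootCanManageKeyPolicy',
            'Effect'    => 'Allow',
            'Principal' => ['AWS' => "arn:aws:iam::{$accountId}:root"],
            'Action'    => 'kms:*',
            'Resource'  => '*',
        ],
        [
            'Sid'       => 'KeyAdministrators',
            'Effect'    => 'Allow',
            'Principal' => ['AWS' => $adminRole],
            'Action'    => [
                'kms:DescribeKey', 'kms:EnableKey', 'kms:DisableKey', 'kms:EnableKeyRotation',
                'kms:GetKeyRotationStatus', 'kms:PutKeyPolicy', 'kms:ScheduleKeyDeletion',
                'kms:CancelKeyDeletion', 'kms:TagResource', 'kms:UntagResource',
            ],
            'Resource'  => '*',
        ],
        [
            'Sid'       => 'KeyUsers',
            'Effect'    => 'Allow',
            'Principal' => ['AWS' => $appRole],
            'Action'    => ['kms:Encrypt', 'kms:Decrypt', 'kms:GenerateDataKey'],
            'Resource'  => '*',
            // Requests without this encryption context pair are denied for the app role.
            'Condition' => ['StringEquals' => ['kms:EncryptionContext:purpose' => 'customer-records']],
        ],
    ],
];

try {
    $created = $kms->createKey([
        'Description' => 'Orders service data-at-rest key',
        'KeyUsage'    => 'ENCRYPT_DECRYPT',
        'KeySpec'     => 'SYMMETRIC_DEFAULT',
        'Origin'      => 'AWS_KMS',
        'Policy'      => json_encode($policy),
        'Tags'        => [['TagKey' => 'service', 'TagValue' => 'orders']],
        // BypassPolicyLockoutSafetyCheck is left at its default (false) on purpose.
    ]);
    $keyId = $created['KeyMetadata']['KeyId'];

    // Callers should reference the alias, so the key behind it can be replaced later.
    $kms->createAlias(['AliasName' => 'alias/orders-data', 'TargetKeyId' => $keyId]);
    // Yearly rotation of the backing key material; older material stays usable for Decrypt.
    $kms->enableKeyRotation(['KeyId' => $keyId]);

    printf("created %s (%s), alias/orders-data, rotation on\n", $keyId, $created['KeyMetadata']['Arn']);
} catch (AwsException $e) {
    echo $e->getAwsErrorCode(), ': ', $e->getMessage(), "\n";
}
```

The root statement is the one that keeps you out of a lockout: remove it and the caller must itself be a principal the policy allows to call PutKeyPolicy, or CreateKey rejects the policy. The encryption-context condition on the KeyUsers statement is what ties the key to one use; DescribeKey is deliberately not in that statement because it carries no encryption context and would always fail the StringEquals test.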
Generate a data key
To generate a data encryption key, use the GenerateDataKey operation. Specify the Amazon KMS key under which to generate the data key. The operation returns two copies of the new data key: a plaintext copy (Plaintext) and a copy encrypted under the KMS key (CiphertextBlob). Use the plaintext copy to encrypt data outside of KMS, then discard it, and store only the encrypted copy alongside the data; pass that encrypted copy to Decrypt when the plaintext key is needed again.
Imports
require 'vendor/autoload.php';
use Aws\Exception\AwsException;
Sample Code
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-west-2' // must be the Region of the key ARN below
]);
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$keySpec = 'AES_256';
try {
    $result = $KmsClient->generateDataKey([
        'KeyId' => $keyId,
        'KeySpec' => $keySpec,
    ]);
    // $result['Plaintext'] is the unencrypted data key: use it, then discard it.
    // Dumping it here is for illustration only; never log it in real code.
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
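The sample stops at dumping the data key. The point of GenerateDataKey is envelope encryption: encrypt the data locally with the plaintext key, keep only the CiphertextBlob, and recover the key later with Decrypt. The following is an added example, not code from the SDK guide. It uses AES-256-GCM via PHP's OpenSSL extension for the local step and binds the encryption context both to the wrapped key (KMS side) and to the ciphertext as GCM associated data (local side). The key ARN, Region, encryption context and the record being protected are placeholders constructed for the example.

```php
<?php
// Added example, not from the SDK guide: envelope encryption with a KMS data key.
// The plaintext data key encrypts locally with AES-256-GCM and is discarded; only the
// wrapped key (CiphertextBlob) is stored next to the ciphertext. The key ARN, Region,
// encryption context and the record being protected are placeholders.
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
use Aws\Kms\KmsClient;

const KEY_ID = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

/** Deterministic encoding of the context, used as GCM associated data. */
function contextAad(array $context): string
{
    ksort($context);
    return json_encode($context);
}

/** Returns the envelope to persist: wrapped data key, IV, GCM tag and ciphertext (base64). */
function envelopeEncrypt(KmsClient $kms, string $keyId, string $plaintext, array $context): array
{
    $dk = $kms->generateDataKey([
        'KeyId'             => $keyId,
        'KeySpec'           => 'AES_256',
        'EncryptionContext' => $context,   // cryptographically bound to CiphertextBlob
    ]);
    $wrappedKeyId = $dk['KeyId'];          // ARN of the KMS key that wrapped the data key
    $wrappedKey   = $dk['CiphertextBlob'];
    $plainKey     = $dk['Plaintext'];
    unset($dk);                            // drop the Result so $plainKey is the only copy

    $iv  = random_bytes(12);               // fresh 96-bit nonce; this data key is used once
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $plainKey, OPENSSL_RAW_DATA, $iv, $tag, contextAad($context), 16);
    if (function_exists('sodium_memzero')) {
        sodium_memzero($plainKey);         // best-effort wipe of the plaintext key
    }
    unset($plainKey);
    if ($ct === false) {
        throw new RuntimeException('local encryption failed');
    }
    return [
        'key_id'      => $wrappedKeyId,
        'wrapped_key' => base64_encode($wrappedKey),
        'iv'          => base64_encode($iv),
        'tag'         => base64_encode($tag),
        'ciphertext'  => base64_encode($ct),
    ];
}

function envelopeDecrypt(KmsClient $kms, array $env, array $context): string
{
    // Passing KeyId makes KMS refuse a blob wrapped under some other key, and the context
    // must match exactly or KMS returns InvalidCiphertextException.
    $res = $kms->decrypt([
        'KeyId'             => $env['key_id'],
        'CiphertextBlob'    => base64_decode($env['wrapped_key']),
        'EncryptionContext' => $context,
    ]);
    $plainKey = $res['Plaintext'];
    unset($res);
    $pt = openssl_decrypt(base64_decode($env['ciphertext']), 'aes-256-gcm', $plainKey, OPENSSL_RAW_DATA,
        base64_decode($env['iv']), base64_decode($env['tag']), contextAad($context));
    if (function_exists('sodium_memzero')) {
        sodium_memzero($plainKey);
    }
    unset($plainKey);
    if ($pt === false) {
        throw new RuntimeException('GCM authentication failed: ciphertext, IV, tag or context was altered');
    }
    return $pt;
}

$kms     = new KmsClient(['profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-west-2']);
$context = ['purpose' => 'customer-records', 'tenant' => 'acme'];   // placeholder context
$record  = 'customer 42: card ending 4242';                          // constructed input

try {
    $env = envelopeEncrypt($kms, KEY_ID, $record, $context);
    echo json_encode($env, JSON_PRETTY_PRINT), "\n";                 // this is what you persist

    if (envelopeDecrypt($kms, $env, $context) !== $record) {
        throw new RuntimeException('round trip mismatch');
    }
    // Decrypting under a different context must fail at KMS, before any local work happens.
    try {
        envelopeDecrypt($kms, $env, ['purpose' => 'customer-records', 'tenant' => 'other']);
    } catch (AwsException $e) {
        echo 'as expected: ', $e->getAwsErrorCode(), "\n";           // InvalidCiphertextException
    }
} catch (AwsException $e) {
    echo $e->getAwsErrorCode(), ': ', $e->getMessage(), "\n";
}
```

Two design choices matter here. The encryption context is not secret, but it is authenticated: KMS will not unwrap the data key under a different context, and because the same context is the GCM associated data, a ciphertext cannot be quietly re-filed under another tenant even by someone who can call Decrypt. Passing KeyId to Decrypt is optional for symmetric keys, but it stops a caller from feeding you a blob wrapped under some other key they control.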
View a KMS key
To get detailed information about a KMS key, including the KMS key's Amazon Resource Name (ARN) and key state, use the DescribeKey operation. DescribeKey doesn't get aliases. To get aliases, use the ListAliases operation.
Imports
require 'vendor/autoload.php';
use Aws\Exception\AwsException;
Sample Code
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-west-2' // must be the Region of the key ARN below
]);
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
try {
    $result = $KmsClient->describeKey([
        'KeyId' => $keyId,
    ]);
    // $result['KeyMetadata'] holds the ARN, KeyState, KeyManager, Origin and so on.
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
Get the key IDs and key ARNs of KMS keys
To get the key ID and key ARN of every KMS key in the account and Region, use the ListKeys operation. ListKeys returns only the key ID and ARN, not aliases or key state. The response is paginated: Limit caps the number of keys in one response, and when more remain, Truncated is true and NextMarker holds the value to pass as Marker in the next call.
Imports
require 'vendor/autoload.php';
use Aws\Exception\AwsException;
Sample Code
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);
$limit = 10;
try {
    $result = $KmsClient->listKeys([
        'Limit' => $limit,
    ]);
    // Only the first page; check $result['Truncated'] and pass $result['NextMarker']
    // as 'Marker' to fetch the rest.
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
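The sample fetches a single page and leaves the reader to join ListKeys with DescribeKey by hand. What a practitioner actually wants from these two operations together is an inventory: every key in the Region, its aliases, its state and whether it rotates. The following is an added example, not code from the SDK guide. It uses the SDK's paginator for ListKeys and ListAliases, DescribeKey for state, and GetKeyRotationStatus for rotation; Region and profile are placeholders, and the caller needs the corresponding kms:List*, kms:DescribeKey and kms:GetKeyRotationStatus permissions.

```php
<?php
// Added example, not from the SDK guide: walk every key in the Region with the ListKeys
// paginator, enrich each with DescribeKey, ListAliases and GetKeyRotationStatus, and
// report customer managed keys that are disabled, pending deletion or not rotating.
// Region and profile are placeholders.
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
use Aws\Kms\KmsClient;

/** Map key ID => list of alias names (aliases that point at no key are skipped). */
function aliasesByKey(KmsClient $kms): array
{
    $map = [];
    foreach ($kms->getPaginator('ListAliases') as $page) {
        foreach ($page['Aliases'] as $alias) {
            if (!empty($alias['TargetKeyId'])) {
                $map[$alias['TargetKeyId']][] = $alias['AliasName'];
            }
        }
    }
    return $map;
}

/** One row per customer managed key, each with a 'findings' list of what needs attention. */
function auditKeys(KmsClient $kms): array
{
    $aliases = aliasesByKey($kms);
    $rows = [];
    // ListKeys yields only KeyId/KeyArn; Limit caps a page and the paginator follows NextMarker.
    foreach ($kms->getPaginator('ListKeys', ['Limit' => 100]) as $page) {
        foreach ($page['Keys'] as $key) {
            $meta = $kms->describeKey(['KeyId' => $key['KeyArn']])['KeyMetadata'];
            if ($meta['KeyManager'] !== 'CUSTOMER') {
                continue;                    // AWS managed keys are governed and rotated by AWS
            }
            // Only symmetric keys with KMS-generated material can rotate automatically.
            $spec     = $meta['KeySpec'] ?? $meta['CustomerMasterKeySpec'] ?? '';
            $rotation = null;                // null = not applicable or unknown
            if ($spec === 'SYMMETRIC_DEFAULT' && $meta['Origin'] === 'AWS_KMS') {
                try {
                    $rotation = $kms->getKeyRotationStatus(['KeyId' => $meta['KeyId']])['KeyRotationEnabled'];
                } catch (AwsException $e) {
                    $rotation = null;        // e.g. not permitted on this key; report as unknown
                }
            }
            $findings = [];
            if ($meta['KeyState'] === 'Disabled') {
                $findings[] = 'disabled';
            }
            if ($meta['KeyState'] === 'PendingDeletion') {
                $findings[] = 'pending deletion on ' . $meta['DeletionDate']->format('Y-m-d');
            }
            if ($rotation === false) {
                $findings[] = 'rotation off';
            }
            $rows[] = [
                'key_id'   => $meta['KeyId'],
                'aliases'  => $aliases[$meta['KeyId']] ?? [],
                'state'    => $meta['KeyState'],
                'rotation' => $rotation,
                'findings' => $findings,
            ];
        }
    }
    return $rows;
}

$kms = new KmsClient(['profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-west-2']);
try {
    foreach (auditKeys($kms) as $row) {
        if ($row['findings'] === []) {
            continue;                        // print only keys that need attention
        }
        printf("%-40s %-30s %s\n", $row['key_id'],
            implode(',', $row['aliases']) ?: '(no alias)', implode('; ', $row['findings']));
    }
} catch (AwsException $e) {
    echo $e->getAwsErrorCode(), ': ', $e->getMessage(), "\n";
}
```

Keys are Regional, so the inventory has to be run once per Region of interest; the client Region decides which keys ListKeys returns. A key with no alias is worth a second look on its own: nothing references it by a stable name, which usually means it was created ad hoc.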
Enable a KMS key
To enable a disabled KMS key, use the EnableKey operation.
Imports
require 'vendor/autoload.php';
use Aws\Exception\AwsException;
Sample Code
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-west-2' // must be the Region of the key ARN below
]);
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
try {
    $result = $KmsClient->enableKey([
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
Disable a KMS key
To disable a KMS key, use the DisableKey operation. Disabling a KMS key prevents it from being used in cryptographic operations (such requests fail with DisabledException) until it is enabled again. Unlike ScheduleKeyDeletion, disabling is reversible and does not destroy key material.
Imports
require 'vendor/autoload.php';
use Aws\Exception\AwsException;
Sample Code
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-west-2' // must be the Region of the key ARN below
]);
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
try {
    $result = $KmsClient->disableKey([
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
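EnableKey and DisableKey only work on a key whose state is Enabled or Disabled; a key that is pending deletion, pending import or in a transient state makes KMS return KMSInvalidStateException, and the sample's catch-all prints that without explaining it. The following is an added example, not code from the SDK guide, covering both the enable and the disable sections above: it checks the state first, changes it only when needed, reads the state back, and then proves the disabled key really refuses a cryptographic request. The key ARN and Region are placeholders, and because the script disables and re-enables the key it should be pointed at a test key.

```php
<?php
// Added example, not from the SDK guide: change a key's enabled state only when needed,
// refuse the states EnableKey/DisableKey cannot act on, read the state back from
// DescribeKey, and show that a disabled key rejects GenerateDataKey. The key ARN and
// Region are placeholders; run this against a test key, it disables and re-enables it.
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
use Aws\Kms\KmsClient;

const KEY_ID = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

function keyState(KmsClient $kms, string $keyId): string
{
    return $kms->describeKey(['KeyId' => $keyId])['KeyMetadata']['KeyState'];
}

/** Idempotently set the key to Enabled or Disabled; returns the state read back from KMS. */
function setKeyEnabled(KmsClient $kms, string $keyId, bool $enabled): string
{
    $want  = $enabled ? 'Enabled' : 'Disabled';
    $state = keyState($kms, $keyId);
    if ($state === $want) {
        return $state;                                     // nothing to do
    }
    if (!in_array($state, ['Enabled', 'Disabled'], true)) {
        // PendingDeletion needs CancelKeyDeletion first, PendingImport has no key material,
        // Creating/Updating/Unavailable are transient; KMS would answer KMSInvalidStateException.
        throw new RuntimeException("key $keyId is $state; cannot set it to $want");
    }
    if ($enabled) {
        $kms->enableKey(['KeyId' => $keyId]);
    } else {
        $kms->disableKey(['KeyId' => $keyId]);
    }
    // KeyState is the source of truth; the change is eventually consistent, so a reader
    // that needs a guarantee should poll until the state reads back as wanted.
    return keyState($kms, $keyId);
}

/** True if KMS refuses a cryptographic operation on the key because it is disabled. */
function keyRejectsUse(KmsClient $kms, string $keyId): bool
{
    try {
        $kms->generateDataKey(['KeyId' => $keyId, 'KeySpec' => 'AES_256']);
        return false;                                      // the request succeeded: key is usable
    } catch (AwsException $e) {
        return $e->getAwsErrorCode() === 'DisabledException';
    }
}

$kms = new KmsClient(['profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-west-2']);
try {
    echo 'state: ', setKeyEnabled($kms, KEY_ID, false), "\n";
    echo 'rejects GenerateDataKey: ', keyRejectsUse($kms, KEY_ID) ? 'yes' : 'no', "\n";
    echo 'state: ', setKeyEnabled($kms, KEY_ID, true), "\n";
} catch (AwsException $e) {
    echo $e->getAwsErrorCode(), ': ', $e->getMessage(), "\n";
}
```

Disabling is the right first response when a key is suspected of being over-shared: it cuts off Encrypt, Decrypt and GenerateDataKey immediately while keeping the material, so data encrypted under the key stays recoverable once the key is enabled again. Scheduling deletion is the irreversible step and has a mandatory waiting period for exactly that reason.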