Working with keys using the Amazon KMS API and the Amazon SDK for PHP Version 3 - Amazon SDK for PHP
CredentialsCreate a KMS keyGenerate a data keyView a KMS keyGet the key ID and key ARNs of a KMS keyEnable a KMS keyDisable a KMS key
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Working with keys using the Amazon KMS API and the Amazon SDK for PHP Version 3

The primary resources in Amazon Key Management Service (Amazon KMS) are Amazon KMS keys. You can use a KMS key to encrypt your data.

The following examples show how to:

All the example code for the Amazon SDK for PHP is available here on GitHub.

Credentials

Before running the example code, configure your Amazon credentials, as described in Credentials. Then import the Amazon SDK for PHP, as described in Basic usage.

For more information about using Amazon Key Management Service (Amazon KMS), see the Amazon KMS Developer Guide.

Create a KMS key

To create a KMS key, use the CreateKey operation.

Imports 


require 'vendor/autoload.php';

use Aws\Exception\AwsException;

Sample Code 

$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

//Creates a customer master key (CMK) in the caller's AWS account.
$desc = "Key for protecting critical data";

try {
    $result = $KmsClient->createKey([
        'Description' => $desc,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

Generate a data key

To generate a data encryption key, use the GenerateDataKey operation. This operation returns plaintext and encrypted copies of the data key that it creates. Specify the Amazon KMS key under which to generate the data key.

Imports 


require 'vendor/autoload.php';

use Aws\Exception\AwsException;

Sample Code 

$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$keySpec = 'AES_256';

try {
    $result = $KmsClient->generateDataKey([
        'KeyId' => $keyId,
        'KeySpec' => $keySpec,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

View a KMS key

To get detailed information about a KMS key, including the KMS key’s Amazon Resource Name (ARN) and key state, use the DescribeKey operation.

DescribeKey doesn’t get aliases. To get aliases, use the ListAliases operation.

Imports 


require 'vendor/autoload.php';

use Aws\Exception\AwsException;

Sample Code 

$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

try {
    $result = $KmsClient->describeKey([
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

Get the key ID and key ARNs of a KMS key

To get the ID and ARN of the KMS key, use the ListAliases operation.

Imports 


require 'vendor/autoload.php';

use Aws\Exception\AwsException;

Sample Code 

$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$limit = 10;

try {
    $result = $KmsClient->listKeys([
        'Limit' => $limit,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

Enable a KMS key

To enable a disabled KMS key, use the EnableKey operation.

Imports 


require 'vendor/autoload.php';

use Aws\Exception\AwsException;

Sample Code 

$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

try {
    $result = $KmsClient->enableKey([
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

Disable a KMS key

To disable a KMS key, use the DisableKey operation. Disabling a KMS key prevents it from being used.

Imports 


require 'vendor/autoload.php';

use Aws\Exception\AwsException;

Sample Code 

$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

try {
    $result = $KmsClient->disableKey([
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}