AWS Developer Blog

Using the Multipart Uploader with Client-Side Encryption for Amazon S3 in the AWS SDK for PHP

The AWS SDK for PHP released support for multipart uploads with client-side encryption in version 3.48.0 via the S3EncryptionMultipartUploader. With client-side encryption, data is encrypted and decrypted directly in your environment. This means that this data is encrypted before it’s transferred to Amazon S3, and you don’t rely on an external service to handle encryption for you.

Multipart uploads are designed to improve the upload experience for larger objects. With it, you can upload objects via parts that can be uploaded independently, in any order, and in parallel. You can use a multipart upload for objects from 5 MB to 5 TB in size.

The AWS SDK for PHP implements envelope encryption and uses OpenSSL for its encrypting and decrypting. The implementation is interoperable with other SDKs that match its feature support. It’s also compatible with the SDK’s promise-based asynchronous workflow.


To get started with these client-side encryption examples, you need the following:

Encrypted multipart uploads

The S3EncryptionMultipartUploader prepares the source stream for encryption before uploading. Creating an uploader is a similar experience to using the MultipartUploader and the S3EncryptionClient.

$kmsKeyArn = 'arn-to-the-kms-key';
// This materials provider handles generating a cipher key and
// initialization vector, as well as encrypting your cipher key via AWS KMS
$materialsProvider = new KmsMaterialsProvider(
    new KmsClient([
        'region' => 'us-east-1',
        'version' => 'latest',

$bucket = 'the-bucket-name';
$key = 'the-upload-key';
$cipherOptions = [
    'Cipher' => 'gcm'
    'KeySize' => 256,
    // Additional configuration options

// Let's construct our S3EncryptionMultipartUploader using an S3Client
$multipartUploader = new S3EncryptionMultipartUploader(
    new S3Client([
        'region' => 'us-east-1',
        'version' => 'latest',
        '@MaterialsProvider' => $materialsProvider,
        '@CipherOptions' => $cipherOptions,
        'bucket' => 'bucket',
        'key' => 'key',


Going further

The S3EncryptionMultipartUploader gives you access to other fields. These include an additional authentication data (‘Aad’) string to put in your $cipherOptions and the ability to define a MetadataStrategy. You can find more information about these topics in the S3 Client Side Encryption service guide.

You can also check out other AWS SDKs that support the Amazon S3 encryption client: