return decrypted;
    }

    /**
     * Decrypts the given data.
     *
     * @param data
     *            the data to decrypt
     * @return the decrypted data
     * @deprecated Use {@link #decrypt(byte[])} instead. This method name contains a typo.
     */
    @Deprecated
    public byte[] decrypto(final byte[] data) {
        return decrypt(data);
    }

    /**

        byte[] result = cipher.doFinal(data);

        decrypt = new byte[result.length];
        System.arraycopy(result, 0, decrypt, 0, result.length);

        int tempSize = decrypt.length - 24;

        byte[] output = new byte[tempSize];
        System.arraycopy(decrypt, 24, output, 0, tempSize);

        return output;
    }

unique, randomly generated secret key per object also known as, Object Encryption Key ([OEK](#oek)). Neither the client-provided SSE-C key nor the KMS-managed key is directly used to en/decrypt an object. Instead, the OEK is stored as part of the object metadata next to the object in an encrypted form. To en/decrypt the OEK another secret key is needed also known as, Key Encryption Key ([KEK](#kek)).

The MinIO server runs a key-derivation algorithm to generate the KEK using a pseudo-random...

    }

    /// Encrypt a block of bytes.
    /**
     * Encrypts an 8-byte block using DES
     * @param clearText the 8-byte plaintext block
     * @param cipherText the output 8-byte ciphertext block
     */
    public void encrypt(final byte[] clearText, final byte[] cipherText) {
        encrypt(clearText, 0, cipherText, 0);
    }

    /// Decrypt a block of bytes.
    /**

        byte[] salt = storage.getSalt();

        // Encrypt with first storage
        byte[] encrypted = storage.encryptCredentials(plaintext);

        // Create new storage with same salt
        SecureCredentialStorage storage2 = new SecureCredentialStorage(masterPassword.clone(), salt);

        try {
            // Should be able to decrypt with same salt and password

	k.updateMetrics(err, time.Since(start))

	return dek, err
}

// Decrypt decrypts a ciphertext using the master key req.Name.
// It returns ErrKeyNotFound if the key does not exist.
func (k *KMS) Decrypt(ctx context.Context, req *DecryptRequest) ([]byte, error) {
	start := time.Now()
	plaintext, err := k.conn.Decrypt(ctx, req)
	k.updateMetrics(err, time.Since(start))

	return plaintext, err
}

}

// Equal returns true if and only if the two ETags are
// identical.
func Equal(a, b ETag) bool { return bytes.Equal(a, b) }

// Decrypt decrypts the ETag with the given key.
//
// If the ETag is not encrypted, Decrypt returns
// the ETag unmodified.
func Decrypt(key []byte, etag ETag) (ETag, error) {
	const HMACContext = "SSE-etag"

	if !etag.IsEncrypted() {
		return etag, nil
	}

	if err != nil {
		return encryptedETag
	}
	return hex.EncodeToString(etagBytes)
}

// GetDecryptedRange - To decrypt the range (off, length) of the
// decrypted object stream, we need to read the range (encOff,
// encLength) of the encrypted object stream to decrypt it, and
// compute skipLen, the number of bytes to skip in the beginning of
// the encrypted range.
//

* Nginx
* HAProxy

## Let's Encrypt { #lets-encrypt }

Before Let's Encrypt, these **HTTPS certificates** were sold by trusted third parties.

The process to acquire one of these certificates used to be cumbersome, require quite some paperwork and the certificates were quite expensive.

But then **<a href="https://letsencrypt.org/" class="external-link" target="_blank">Let's Encrypt</a>** was created.

            byte[] decryptedData = createDecryptedDataBytes(USER_PRINCIPAL_NAME, USER_REALM);
            mockedEncData.when(() -> KerberosEncData.decrypt(ENCRYPTED_DATA, kerberosKey, ENCRYPTION_TYPE)).thenReturn(decryptedData);
            when(kerberosKey.getKeyType()).thenReturn(ENCRYPTION_TYPE);

            KerberosTicket ticket = new KerberosTicket(validToken, (byte) 0, keys);