// Determine key size based on cipher ID for AES-256 support
        int keyLength = getKeyLength();
        String transformation;

        // Select appropriate AES algorithm based on key length
        if (keyLength == 32) {
            // AES-256 support
            transformation = "AES/GCM/NoPadding";
        } else if (keyLength == 16) {
            // AES-128 (existing)

/**
 * Secure credential storage with encryption at rest.
 *
 * Provides secure storage of passwords and other sensitive credentials
 * using AES-GCM encryption with PBKDF2 key derivation.
 *
 * Features:
 * - Encrypts credentials at rest using AES-256-GCM
 * - Uses PBKDF2 for key derivation from master password
 * - Secure wiping of sensitive data
 * - Thread-safe operations
 * - Protection against timing attacks

        byte[] key2 = new byte[16];
        new SecureRandom().nextBytes(key1);
        new SecureRandom().nextBytes(key2);

        keyManager.storeSessionKey(sessionId1, key1, "AES");
        keyManager.storeSessionKey(sessionId2, key2, "AES");

        byte[] retrieved1 = keyManager.getRawKey(sessionId1);
        byte[] retrieved2 = keyManager.getRawKey(sessionId2);

            String archiveId = sessionId + ".v" + currentVersion;
            storeSessionKeyInternal(archiveId, currentKey, "AES");

            // Store new key
            storeSessionKeyInternal(sessionId, newKey, "AES");
            keyVersions.put(sessionId, newVersion);
            keyCreationTimes.put(sessionId, System.currentTimeMillis());

    }

    @Test
    @DisplayName("Should support AES-256 cipher constants")
    void testAES256CipherConstants() {
        // Verify AES-256 constants are defined
        assertEquals(0x0003, Smb2EncryptionContext.CIPHER_AES_256_CCM, "AES-256-CCM constant should be defined");
        assertEquals(0x0004, Smb2EncryptionContext.CIPHER_AES_256_GCM, "AES-256-GCM constant should be defined");

        }

        @Test
        @DisplayName("createEncryptionContext selects AES-CCM for SMB 3.0 and AES-GCM for SMB 3.1.1")
        void createEncryptionContext_happyDialects() throws Exception {
            byte[] sessionKey = new byte[16];
            byte[] preauth = new byte[16];

            // SMB 3.0 -> AES-128-CCM
            setField(transport, "smb2", true);

- [PRF](#prf): HMAC-SHA-256
- [AEAD](#aead): AES-256-GCM if the CPU supports AES-NI, ChaCha20-Poly1305 otherwise. More specifically AES-256-GCM is only selected for X86-64 CPUs with AES-NI extension.

    private static final int SIGNATURE_OFFSET = 48;
    private static final int SIGNATURE_LENGTH = 16;

    @BeforeAll
    static void setupClass() {
        // Ensure BouncyCastle provider is available for AES-CMAC
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    @BeforeEach
    void setup() {

```java
public class SecureHandleStorage {
    private final SecretKey encryptionKey;
    
    public void saveEncrypted(HandleInfo handle, Path file) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, encryptionKey);
        
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (CipherOutputStream cos = new CipherOutputStream(baos, cipher);

     * @since 2.2
     */
    String getPreferredCiphers();

    /**
     * Property {@code jcifs.smb.client.aes256Enabled} (boolean, default true)
     *
     * @return whether AES-256 encryption ciphers are enabled for SMB3.x
     * @since 2.2
     */
    boolean isAES256Enabled();

    /**
     * Property {@code jcifs.smb.client.compressionEnabled} (boolean, default false)
     *