/**
     * Decrypts the given data with the specified key.
     *
     * @param data
     *            the data to decrypt
     * @param key
     *            the key to use for decryption
     * @return the decrypted data
     */
    public byte[] decrypt(final byte[] data, final Key key) {
        final Cipher cipher = pollDecryptoCipher(key);
        byte[] decrypted;
        try {

                if (logger.isDebugEnabled()) {
                    logger.debug("Failed to decrypt {}", rolesStr, e);
                }
                return;
            }
        }

        if (logger.isDebugEnabled()) {
            logger.debug("role: original: {}, decrypto: {}", value, rolesStr);
        }

        if (valueSeparator.length() > 0) {

	case crypto.SSEC:
		objectKey := crypto.GenerateKey(key, rand.Reader)
		sealedKey = objectKey.Seal(key, crypto.GenerateIV(rand.Reader), crypto.SSEC.String(), bucket, object)
		crypto.SSEC.CreateMetadata(metadata, sealedKey)
		return objectKey, nil
	default:
		return crypto.ObjectKey{}, fmt.Errorf("encryption type '%v' not supported", kind)
	}
}

import java.util.Enumeration;
import java.util.List;
import java.util.Map;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.Mac;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.kerberos.KerberosKey;

## Server-Side Encryption

MinIO supports two different types of server-side encryption ([SSE](#sse)):

- **SSE-C**: The MinIO server en/decrypts an object with a secret key provided by the S3 client as part of the HTTP request headers. Therefore, [SSE-C](#ssec) requires TLS/HTTPS.
- **SSE-S3**: The MinIO server en/decrypts an object with a secret key managed by a KMS. Therefore, MinIO requires a valid KMS configuration for [SSE-S3](#sses3).

	k.updateMetrics(err, time.Since(start))

	return dek, err
}

// Decrypt decrypts a ciphertext using the master key req.Name.
// It returns ErrKeyNotFound if the key does not exist.
func (k *KMS) Decrypt(ctx context.Context, req *DecryptRequest) ([]byte, error) {
	start := time.Now()
	plaintext, err := k.conn.Decrypt(ctx, req)
	k.updateMetrics(err, time.Since(start))

	return plaintext, err
}

}

// Equal returns true if and only if the two ETags are
// identical.
func Equal(a, b ETag) bool { return bytes.Equal(a, b) }

// Decrypt decrypts the ETag with the given key.
//
// If the ETag is not encrypted, Decrypt returns
// the ETag unmodified.
func Decrypt(key []byte, etag ETag) (ETag, error) {
	const HMACContext = "SSE-etag"

	if !etag.IsEncrypted() {
		return etag, nil
	}

            mockedEncData.when(() -> KerberosEncData.decrypt(ENCRYPTED_DATA, kerberosKey, ENCRYPTION_TYPE))
                    .thenThrow(new GeneralSecurityException("Decryption error"));

            PACDecodingException e = assertThrows(PACDecodingException.class, () -> new KerberosTicket(token, (byte) 0, keys));
            assertTrue(e.getMessage().startsWith("Decryption failed"));
        }
    }

    @Test

        assertTrue(encrypted.length >= 52, "Encrypted message should include transform header");

        // When - Decrypt
        byte[] decrypted = context.decryptMessage(encrypted);

        // Then - Verify decryption
        assertArrayEquals(plaintext, decrypted, "Decrypted message should match original plaintext");
    }

    @Test
    @DisplayName("Should handle concurrent encryption operations safely")

import java.util.concurrent.atomic.AtomicLong;

import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.modes.AEADBlockCipher;
import org.bouncycastle.crypto.modes.CCMBlockCipher;
import org.bouncycastle.crypto.params.AEADParameters;
import org.bouncycastle.crypto.params.KeyParameter;
import org.slf4j.Logger;