byte[] encrypted2 = storage.encryptCredentials(plaintext.clone());

        // Should produce different ciphertexts due to random IV
        assertFalse(Arrays.equals(encrypted1, encrypted2), "Different encryptions should produce different ciphertexts");

        // But both should decrypt to same plaintext
        char[] decrypted1 = storage.decryptCredentials(encrypted1);

        new SecureRandom().nextBytes(testDecryptionKey);

        // Create encryption context with required parameters
        encryptionContext = new Smb2EncryptionContext(1, DialectVersion.SMB311, testEncryptionKey, testDecryptionKey);
    }

    @Test
    @DisplayName("Should create encryption context with valid parameters")
    void testConstructor() {
        // When

    /**
     * Sets the DES encryption key
     * @param key the 8-byte DES key
     */
    public void setKey(final byte[] key) {

        // CHECK PAROTY TBD
        deskey(key, true, encryptKeys);
        deskey(key, false, decryptKeys);
    }

    // Turn an 8-byte key into internal keys.
    private void deskey(final byte[] keyBlock, final boolean encrypting, final int[] KnL) {

 * <li>Configurable encryption algorithms (default: Blowfish)</li>
 * <li>Proper charset handling for key generation (UTF-8 by default)</li>
 * <li>Base64 encoding for text operations</li>
 * </ul>
 * <p>
 * <strong>Security Considerations:</strong>
 * </p>
 * <ul>
 * <li>Default Blowfish algorithm is suitable for general-purpose encryption</li>

    /**
     * AES-128-CCM cipher identifier for SMB3 encryption
     */
    public static final int CIPHER_AES_128_CCM = EncryptionNegotiateContext.CIPHER_AES128_CCM;
    /**
     * AES-128-GCM cipher identifier for SMB3.1.1 encryption
     */
    public static final int CIPHER_AES_128_GCM = EncryptionNegotiateContext.CIPHER_AES128_GCM;
    /**
     * AES-256-CCM cipher identifier for SMB3 encryption (future support)
     */

        // Then
        assertNotNull(encKey, "Encryption key should not be null");
        assertEquals(16, encKey.length, "Encryption key should be 16 bytes");
        assertFalse(Arrays.equals(sessionKey, encKey), "Encryption key should be different from session key");
    }

    @Test
    @DisplayName("Should derive different encryption keys for different dialects")

    @CsvSource({ "true, true, SMB311, 2", // DFS + Encryption
            "false, true, SMB311, 1", // Encryption only
            "true, false, SMB311, 1", // DFS only
            "false, false, SMB311, 0", // Neither
            "true, true, SMB210, 1", // DFS only (no encryption for SMB2)
            "false, true, SMB210, 0" // Neither (no encryption for SMB2)
    })

            EncryptionNegotiateContext encryption = new EncryptionNegotiateContext();

            assertNotEquals(preauth.getContextType(), encryption.getContextType());
            assertEquals(0x1, preauth.getContextType());
            assertEquals(0x2, encryption.getContextType());
        }

        @Test

import javax.security.auth.Destroyable;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Secure credential storage with encryption at rest.
 *
 * Provides secure storage of passwords and other sensitive credentials
 * using AES-GCM encryption with PBKDF2 key derivation.
 *
 * Features:
 * - Encrypts credentials at rest using AES-256-GCM
 * - Uses PBKDF2 for key derivation from master password

        assertFalse(session.isConnected());
        assertTrue(session.isFailed());
    }

    @Test
    @DisplayName("encryption: flags, encryption, and decryption delegation")
    void testEncryptionDelegation() throws Exception {
        SmbSessionImpl session = newSession();

        // No encryption context -> throws
        CIFSException notEnabled = assertThrows(CIFSException.class, () -> session.encryptMessage(new byte[] { 1 }));