var validSSEReplicationHeaders = map[string]string{
	"X-Minio-Internal-Server-Side-Encryption-Sealed-Key":     "X-Minio-Replication-Server-Side-Encryption-Sealed-Key",
	"X-Minio-Internal-Server-Side-Encryption-Seal-Algorithm": "X-Minio-Replication-Server-Side-Encryption-Seal-Algorithm",
	"X-Minio-Internal-Server-Side-Encryption-Iv":             "X-Minio-Replication-Server-Side-Encryption-Iv",

		}

		if subtle.ConstantTimeCompare(oldKey, newKey) == 1 && sealedKey.Algorithm == crypto.SealAlgorithm {
			return nil // don't rotate on equal keys if seal algorithm is latest
		}
		sealedKey = objectKey.Seal(newKey, sealedKey.IV, crypto.SSEC.String(), bucket, object)
		crypto.SSEC.CreateMetadata(metadata, sealedKey)
		return nil
	default:
		return errObjectTampered
	}
}

- Seal the KMS such that it cannot be accessed by MinIO server anymore. That will lock **all** SSE-S3 encrypted objects protected by master keys stored on the KMS. All these objects can not be decrypted as long as the KMS is sealed.

        if (log.isDebugEnabled()) {
            log.debug("Seal key is " + Hexdump.toHexString(this.sealClientKey));
        }

        this.sealServerKey = deriveKey(mk, S2C_SEAL_CONSTANT);
        this.sealServerHandle = Crypto.getArcfour(this.sealServerKey);

        if (log.isDebugEnabled()) {
            log.debug("Server seal key is " + Hexdump.toHexString(this.sealServerKey));
        }
    }

	if err != nil {
		return
	}

	outbuf := bytes.NewBuffer(nil)
	objectKey := crypto.GenerateKey(key.Plaintext, rand.Reader)
	sealedKey := objectKey.Seal(key.Plaintext, crypto.GenerateIV(rand.Reader), crypto.S3.String(), bucket, "")
	crypto.S3.CreateMetadata(metadata, key.KeyID, key.Ciphertext, sealedKey)

			return
		}

		_, sourceReplReq := r.Header[xhttp.MinIOSourceReplicationRequest]
		ssecRepHeaders := []string{
			"X-Minio-Replication-Server-Side-Encryption-Seal-Algorithm",
			"X-Minio-Replication-Server-Side-Encryption-Sealed-Key",
			"X-Minio-Replication-Server-Side-Encryption-Iv",
		}
		ssecRep := false
		for _, header := range ssecRepHeaders {

					result = healEntryFailure(uint64(version.Size))
					if version.VersionID != "" {
						healingLogIf(ctx, fmt.Errorf("unable to heal object %s/%s (version-id=%s): %w",
							bucket, version.Name, version.VersionID, err))
					} else {
						healingLogIf(ctx, fmt.Errorf("unable to heal object %s/%s: %w",
							bucket, version.Name, err))
					}
				}

				if !send(result) {
					return
				}
			}

	healFinishedStatus                     = "finished"
)

const (
	// a heal sequence with this many un-consumed heal result
	// items blocks until heal-status consumption resumes or is
	// aborted due to timeout.
	maxUnconsumedHealResultItems = 1000

	// if no heal-results are consumed (via the heal-status API)
	// for this timeout duration, the heal sequence is aborted.
	healUnconsumedTimeout = 24 * time.Hour

		tracker = initHealingTracker(disk, mustGetUUID())
	}

	healingLogEvent(ctx, "Healing drive '%s' - 'mc admin heal alias/ --verbose' to check the current status.", endpoint)

	buckets, _ := z.ListBuckets(ctx, BucketOptions{})
	// Buckets data are dispersed in multiple pools/sets, make
	// sure to heal all bucket metadata configuration.
	buckets = append(buckets, BucketInfo{
		Name: pathJoin(minioMetaBucket, minioConfigPrefix),

logo-teal.png...