/**
     * Derive encryption key from password using PBKDF2
     */
    private SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(KEY_DERIVATION_ALGORITHM);
        KeySpec keySpec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, KEY_SIZE);
        SecretKey tempKey = keyFactory.generateSecret(keySpec);

        if (key != null) {
            return key.clone(); // Return a copy to prevent modification
        }

        // Try to get from SecretKey if available
        SecretKey secretKey = getSessionKey(sessionId);
        if (secretKey != null) {
            return secretKey.getEncoded();
        }

        return null;
    }

    /**
     * Remove and securely wipe a session key
     *

     * @param endpoint the S3 endpoint URL (null for AWS default)
     * @param accessKey the AWS access key
     * @param secretKey the AWS secret key
     * @param bucket the bucket name
     * @param region the AWS region
     */
    public S3StorageClient(final String endpoint, final String accessKey, final String secretKey, final String bucket,
            final String region) {
        this.bucket = bucket;

        }
        final String secretKey = getInitParameter("secretKey", null, String.class);
        if (StringUtil.isBlank(secretKey)) {
            throw new CrawlingAccessException(
                    "Storage secret key is blank. Please set the STORAGE_SECRET_KEY environment variable or secretKey parameter.");
        }
        builder.credentials(accessKey, secretKey);
        try {

        }
        final String secretKey = getInitParameter("secretKey", null, String.class);
        if (StringUtil.isBlank(secretKey)) {
            throw new CrawlingAccessException(
                    "S3 secret key is blank. Please set the S3_SECRET_KEY environment variable or secretKey parameter.");
        }

            try {
                final Builder builder = MinioClient.builder().endpoint(endpoint);
                if (StringUtil.isNotBlank(accessKey) && StringUtil.isNotBlank(secretKey)) {
                    builder.credentials(accessKey, secretKey);
                }
                if (StringUtil.isNotBlank(region)) {
                    builder.region(region);
                }
                minioClient = builder.build();

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.Mac;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.kerberos.KerberosKey;

import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;

        s3Client = container.getComponent("s3Client");
        Map<String, Object> params = new HashMap<>();
        params.put("endpoint", endpoint);
        params.put("accessKey", ACCESS_KEY);
        params.put("secretKey", SECRET_KEY);
        params.put("region", "us-east-1");
        s3Client.setInitParameterMap(params);

        for (int i = 0; i < 10; i++) {
            try {
                setupMinioClient(bucketName, endpoint);

        Map<String, Object> params = new HashMap<>();
        params.put("endpoint", endpoint);
        params.put("accessKey", ACCESS_KEY);
        params.put("secretKey", SECRET_KEY);
        storageClient.setInitParameterMap(params);

        for (int i = 0; i < 10; i++) {
            try {
                setupMinioClient(bucketName, endpoint);
                break;

    }
}
```

## 12. Security Considerations

### 12.1 Handle State Encryption
```java
public class SecureHandleStorage {
    private final SecretKey encryptionKey;
    
    public void saveEncrypted(HandleInfo handle, Path file) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, encryptionKey);