// Store session key and preauth hash for key rotation
    private byte[] sessionKey;
    private byte[] preauthIntegrityHash;
    private int rotationCount = 0;

    // Key rotation tracking - use atomic for lock-free operations
    private final AtomicLong bytesEncrypted = new AtomicLong(0);
    private long encryptionStartTime = System.currentTimeMillis();

    // Configurable key rotation limits with defaults

        assertNotNull(encrypted2);

        // Verify rotation occurred by checking metrics
        assertTrue(context.getKeyRotationCount() > 0, "Key rotation should have occurred");

        // Can still encrypt after rotation
        byte[] plaintext3 = "Message after rotation".getBytes();
        byte[] encrypted3 = assertDoesNotThrow(() -> context.encryptMessage(plaintext3, 3L));

                Thread t = new Thread(r, "SecureKeyManager-Rotation");
                t.setDaemon(true);
                return t;
            });
    private java.util.concurrent.ScheduledFuture<?> rotationTask;

    /**
     * Configure key rotation interval
     *
     * @param intervalMillis rotation interval in milliseconds
     */
    public void configureKeyRotation(long intervalMillis) {

    }

    @Test
    public void testMultipleKeyRotations() throws GeneralSecurityException {
        String sessionId = "multi-rotation";
        keyManager.storeSessionKey(sessionId, testKey, "AES");

        // Perform multiple rotations
        for (int i = 1; i <= 5; i++) {
            int version = keyManager.rotateSessionKey(sessionId);
            assertEquals(i, version, "Version should be " + i);

//go:generate msgp -file $GOFILE -unexported

// BatchKeyRotationType defines key rotation type
type BatchKeyRotationType string

const (
	sses3  BatchKeyRotationType = "sse-s3"
	ssekms BatchKeyRotationType = "sse-kms"
)

// BatchJobKeyRotateEncryption defines key rotation encryption options passed
type BatchJobKeyRotateEncryption struct {
	Type       BatchKeyRotationType `yaml:"type" json:"type"`

            final byte[] decryptionKey = Smb3KeyDerivation.deriveDecryptionKey(dialectInt, sessionKey, preauthHash);

            // Pass session key and preauthHash to enable automatic key rotation
            return new Smb2EncryptionContext(cipherId, dialect, encryptionKey, decryptionKey, sessionKey, preauthHash);
        } catch (final Exception e) {

)

var (
	// AWS errors for invalid SSE-C requests.
	errEncryptedObject                = errors.New("The object was stored using a form of SSE")
	errInvalidSSEParameters           = errors.New("The SSE-C key for key-rotation is not correct") // special access denied
	errKMSNotConfigured               = errors.New("KMS not configured for a server side encrypted objects")
	errKMSKeyNotFound                 = errors.New("Unknown KMS key ID")

	// - the object is encrypted using SSE-S3 and the SSE-S3 header is present
	// - the object storage class is not changing
	// then execute a key rotation.
	if cpSrcDstSame && (sseCopyC && sseC) && !chStorageClass {
		oldKey, err = ParseSSECopyCustomerRequest(r.Header, srcInfo.UserDefined)
		if err != nil {
			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)

 
## Changes by Kind

### Deprecation

- 'kubeadm: marked the sub-phase of ''init kubelet-finilize'' called ''experimental-cert-rotation''
  as deprecated and print a warning if it is used directly; it will be removed in
  a future release. Add a replacement sub-phase ''enable-client-cert-rotation''.' ([#124419](https://github.com/kubernetes/kubernetes/pull/124419), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]

- kubeadm: removed the deprecated sub-phase of 'init kubelet-finilize' called `experimental-cert-rotation`, and use 'enable-client-cert-rotation' instead. ([#126913](https://github.com/kubernetes/kubernetes/pull/126913), [@pacoxu](https://github.com/pacoxu)) [SIG Cluster Lifecycle]