kmsKeyStatusPath = kmsURL + "/key/status"

	// Admin API paths
	// For example: /minio/admin/v3/kms/status
	adminURL              = adminPathPrefix + adminAPIVersionPrefix
	kmsAdminStatusPath    = adminURL + "/kms/status"
	kmsAdminKeyStatusPath = adminURL + "/kms/key/status"
	kmsAdminKeyCreate     = adminURL + "/kms/key/create"
)

const (
	userAccessKey = "miniofakeuseraccesskey"
	userSecretKey = "miniofakeusersecret"
)

# sleep for replication to complete
sleep 30

# Create bucket in source cluster
echo "Create bucket in source MinIO instance"
./mc mb minio1/test-bucket --insecure

# Enable SSE KMS for the bucket
./mc encrypt set sse-kms minio-default-key minio1/test-bucket --insecure

# Load objects to source site
echo "Loading objects to source MinIO instance"
./mc cp /tmp/data/encrypted minio1/test-bucket --insecure

More details about supported KMS implementations and configuration can be found at the [KMS guide](https://github.com/minio/minio/blob/master/docs/kms/README.md).

- All sites must be using the **same** external IDP(s) if any.
- For [SSE-S3 or SSE-KMS encryption via KMS](https://docs.min.io/community/minio-object-store/operations/server-side-encryption.html "MinIO KMS Guide"), all sites **must**  have access to a central KMS deployment. This can be achieved via a central KES server or multiple KES servers (say one per site) connected via a central KMS (Vault) server.

## Configuring Site Replication

| [AWS-KMS + SecretsManager](https://github.com/minio/kes/wiki/AWS-SecretsManager)             | Cloud KMS. MinIO in combination with a managed KMS installation   |
| [Gemalto KeySecure /Thales CipherTrust](https://github.com/minio/kes/wiki/Gemalto-KeySecure) | Local KMS. MinIO and KMS On-Premises.                             |

    "ZoEoZdLlzVbOlT9rbhD7ZN7TLyiYXSAlB79uGEge",
    "ERRO:",
    "(?Rm)^.*(#|//)\\s*spellchecker:disable-line$", # ignore line
]

[default.extend-words]
"encrypter" = "encrypter"
"kms" = "kms"
"requestor" = "requestor"

[default.extend-identifiers]
"HashiCorp" = "HashiCorp"

[type.go.extend-identifiers]
"bui" = "bui"
"dm2nd" = "dm2nd"
"ot" = "ot"
"ParseND" = "ParseND"

false, ModTime: UTCNow(), Size: 3430, Mode: 0x0, Metadata: map[string]string{"X-Minio-Internal-Server-Side-Encryption-Iv": "jIJPsrkkVYYMvc7edBrNl+7zcM7+ZwXqMb/YAjBO/ck=", "X-Minio-Internal-Server-Side-Encryption-S3-Kms-Key-Id": "my-minio-key", "X-Minio-Internal-Server-Side-Encryption-S3-Kms-Sealed-Key": "IAAfAP2p7ZLv3UpLwBnsKkF2mtWba0qoY42tymK0szRgGvAxBNcXyHXYooe9dQpeeEJWgKUa/8R61oCy1mFwIg==", "X-Minio-Internal-Server-Side-Encryption-S3-Sealed-Key": "IAAfAPFYRDkHVirJBJxBixNj3PLWt78dFuUTyTLIdLG820J7...

	"github.com/minio/minio/internal/kms"
	"github.com/minio/pkg/v3/env"
	"github.com/minio/pkg/v3/workers"
)

// keyrotate:
//   apiVersion: v1
//   bucket: BUCKET
//   prefix: PREFIX
//   encryption:
//     type: sse-s3 # valid values are sse-s3 and sse-kms
//     key: <new-kms-key> # valid only for sse-kms
//     context: <new-kms-key-context> # valid only for sse-kms
// # optional flags based filtering criteria

	}

	KMS, err := kms.Connect(GlobalContext, &kms.ConnectionOptions{
		CADir: globalCertsCADir.Get(),
	})
	if err != nil {
		logger.Fatal(err, "Failed to connect to KMS")
	}

	if _, err = KMS.GenerateKey(GlobalContext, &kms.GenerateKeyRequest{}); errors.Is(err, kms.ErrKeyNotFound) {
		err = KMS.CreateKey(GlobalContext, &kms.CreateKeyRequest{Name: KMS.DefaultKey})
	}

	errKMSNotConfigured               = errors.New("KMS not configured for a server side encrypted objects")
	errKMSKeyNotFound                 = errors.New("Unknown KMS key ID")
	errKMSDefaultKeyAlreadyConfigured = errors.New("A default encryption already exists on KMS")
	// Additional MinIO errors for SSE-C requests.