assertNotNull(decrypted);
        assertArrayEquals(plaintext, decrypted);
        assertNotEquals(new String(plaintext), new String(encrypted));
    }

    @Test
    @DisplayName("Should perform DES encryption/decryption")
    void testDES() throws Exception {
        // Given
        byte[] key = "testkey1".getBytes(); // 8 bytes for DES
        byte[] plaintext = "12345678".getBytes(); // 8 bytes (DES block size)

        // Test with very long password
        char[] plaintext = new char[10000];
        Arrays.fill(plaintext, 'X');

        byte[] encrypted = storage.encryptCredentials(plaintext);
        assertNotNull(encrypted, "Encrypted long password should not be null");
        assertTrue(encrypted.length > plaintext.length, "Encrypted data should be larger due to IV and auth tag");

		t.Fatalf("Failed to generate key: %v", err)
	}
	plaintext, err := KMS.Decrypt(t.Context(), &DecryptRequest{
		Name:       key.KeyID,
		Ciphertext: key.Ciphertext,
	})
	if err != nil {
		t.Fatalf("Failed to decrypt key: %v", err)
	}
	if !bytes.Equal(key.Plaintext, plaintext) {
		t.Fatalf("Decrypted key does not match generated one: got %x - want %x", key.Plaintext, plaintext)
	}
}

func TestDecryptKey(t *testing.T) {

        // Verify transform header is present (first 52 bytes)
        assertTrue(encrypted.length >= 52, "Encrypted message should include transform header");

        // When - Decrypt
        byte[] decrypted = context.decryptMessage(encrypted);

        // Then - Verify decryption

		var (
			data      = make([]byte, size)
			plaintext = bytes.NewReader(data)
			context   = kms.Context{"key": "value"}
		)
		b.SetBytes(int64(size))
		for b.Loop() {
			ciphertext, err := Encrypt(KMS, plaintext, context)
			if err != nil {
				b.Fatal(err)
			}
			if _, err = io.Copy(io.Discard, ciphertext); err != nil {
				b.Fatal(err)
			}
			plaintext.Reset(data)
		}
	}

    }

    public byte[] encryptCredentials(char[] plaintext) throws GeneralSecurityException {
        checkNotDestroyed();

        if (plaintext == null) {
            return null;
        }

        // Convert char[] to byte[] for encryption
        byte[] plaintextBytes = charsToBytes(plaintext);

        try {
            // Generate random IV

	"github.com/secure-io/sio-go/sioutil"
)

// EncryptBytes encrypts the plaintext with a key managed by KMS.
// The context is bound to the returned ciphertext.
//
// The same context must be provided when decrypting the
// ciphertext.
func EncryptBytes(k *kms.KMS, plaintext []byte, context kms.Context) ([]byte, error) {
	ciphertext, err := Encrypt(k, bytes.NewReader(plaintext), context)
	if err != nil {
		return nil, err
	}

var decryptTests = []struct {
	Key       []byte
	ETag      ETag
	Plaintext ETag
}{
	{ // 0
		Key:       make([]byte, 32),
		ETag:      must("3b83ef96387f14655fc854ddc3c6bd57"),
		Plaintext: must("3b83ef96387f14655fc854ddc3c6bd57"),
	},
	{ // 1
		Key:       make([]byte, 32),
		ETag:      must("7b976cc68452e003eec7cb0eb631a19a-1"),
		Plaintext: must("7b976cc68452e003eec7cb0eb631a19a-1"),
	},
	{ // 2

	})
}

// EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key
// The plaintext must not exceed 1 MB
func (c *kesConn) EncryptKey(keyID string, plaintext []byte, ctx Context) ([]byte, error) {
	ctxBytes, err := ctx.MarshalText()
	if err != nil {
		return nil, err
	}
	return c.client.Encrypt(context.Background(), keyID, plaintext, ctxBytes)
}

	if err != nil {
		return DEK{}, err
	}

	plaintext, err := sioutil.Random(32)
	if err != nil {
		return DEK{}, err
	}
	ciphertext := aead.Seal(nil, nonce, plaintext, associatedData)
	ciphertext = append(ciphertext, random...)
	return DEK{
		KeyID:      req.Name,
		Version:    0,
		Plaintext:  plaintext,
		Ciphertext: ciphertext,
	}, nil
}