if len(data) == 0 {
		return nil
	}
	if part > 0 && !crypto.SSEC.IsEncrypted(o.UserDefined) {
		// already decrypted in ToObjectInfo for multipart objects
		for _, pi := range o.Parts {
			if pi.Number == part {
				return pi.Checksums
			}
		}
	}
	if _, encrypted := crypto.IsEncrypted(o.UserDefined); encrypted {
		decrypted, err := o.metadataDecrypter(h)("object-checksum", data)
		if err != nil {

	}

	pReader := NewPutObjReader(hashReader)

	_, isEncrypted := crypto.IsEncrypted(mi.UserDefined)
	_, replicationStatus := mi.UserDefined[xhttp.AmzBucketReplicationStatus]
	_, sourceReplReq := r.Header[xhttp.MinIOSourceReplicationRequest]
	var objectEncryptionKey crypto.ObjectKey
	if isEncrypted {
		if !crypto.SSEC.IsRequested(r.Header) && crypto.SSEC.IsEncrypted(mi.UserDefined) && !replicationStatus {

			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
			return
		}
	}

	origETag := objInfo.ETag
	if kind, encrypted := crypto.IsEncrypted(objInfo.UserDefined); encrypted {
		switch kind {
		case crypto.S3:
			w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)

	exit_1
fi

# Stat the SSEC objects from source site
echo "Stat minio1/test-bucket/encrypted"
./mc stat --no-list minio1/test-bucket/encrypted --enc-c "minio1/test-bucket/encrypted=${TEST_MINIO_ENC_KEY}" --insecure --json
stat_out1=$(./mc stat --no-list minio1/test-bucket/encrypted --enc-c "minio1/test-bucket/encrypted=${TEST_MINIO_ENC_KEY}" --insecure --json)
src_obj1_etag=$(echo "${stat_out1}" | jq '.etag')

		return nil
	}
	sseKMS := crypto.S3KMS.IsEncrypted(objInfo.UserDefined)
	sseS3 := crypto.S3.IsEncrypted(objInfo.UserDefined)
	if !sseKMS && !sseS3 { // neither sse-s3 nor sse-kms disallowed
		return errInvalidEncryptionParameters
	}
	if sseKMS && r.Encryption.Type == sses3 { // previously encrypted with sse-kms, now sse-s3 disallowed
		return errInvalidEncryptionParameters
	}

	exit_1
fi

# Stat the SSEC objects from source site
echo "Stat minio1/test-bucket/encrypted"
./mc stat --no-list minio1/test-bucket/encrypted --enc-c "minio1/test-bucket/encrypted=${TEST_MINIO_ENC_KEY}" --insecure --json
stat_out1=$(./mc stat --no-list minio1/test-bucket/encrypted --enc-c "minio1/test-bucket/encrypted=${TEST_MINIO_ENC_KEY}" --insecure --json)
src_obj1_etag=$(echo "${stat_out1}" | jq '.etag')

	echo "BUG: object test-bucket/custpartsize not replicated"
	exit_1
fi

# Stat the objects from source site
echo "Stat minio1/test-bucket/encrypted"
./mc stat --no-list minio1/test-bucket/encrypted --insecure --json
stat_out1=$(./mc stat --no-list minio1/test-bucket/encrypted --insecure --json)
src_obj1_algo=$(echo "${stat_out1}" | jq '.metadata."X-Amz-Server-Side-Encryption"')

                try {
                    if (securityDispatcher.isLegacyEncryptedString(password)) {
                        problems.add(new DefaultSettingsProblem(
                                "Legacy/insecurely encrypted password detected for server " + server.getId(),
                                Severity.WARNING,
                                "server: " + server.getId(),
                                -1,

        String encrypted = context.reader.readLine("Enter the password to decrypt: ");
        if (secDispatcher.isAnyEncryptedString(encrypted)) {
            context.terminal.writer().println(secDispatcher.decrypt(encrypted));
            return OK;
        } else {
            context.terminal.writer().println(messageBuilderFactory.builder().error("Malformed encrypted string"));
            return BAD_OPERATION;

public interface SettingsDecryptionResult {

    /**
     * Gets the decrypted server. This is a convenience method to retrieve the first element from {@link #getServers()}.
     *
     * @return The decrypted server or {@code null}.
     */
    Server getServer();

    /**
     * Gets the decrypted servers.
     *
     * @return The decrypted server, can be empty but never {@code null}.
     */
    List<Server> getServers();