assertNotNull(derivedKey);
        assertEquals(16, derivedKey.length);

        // Test with a different key size
        KerberosKey key256 = new KerberosKey(TEST_PRINCIPAL, new byte[32], PacSignature.ETYPE_AES256_CTS_HMAC_SHA1_96, 0);
        byte[] derivedKey256 = PacMac.deriveKeyAES(key256, constant);
        assertNotNull(derivedKey256);
        assertEquals(32, derivedKey256.length);
    }

    /**

			xhttp.AmzServerSideEncryptionCustomerAlgorithm: "AES256",
			xhttp.AmzServerSideEncryptionCustomerKey:       "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=",
			xhttp.AmzServerSideEncryptionCustomerKeyMD5:    "bY4wkxQejw9mUJfo72k53A==",
		},
		metadata: map[string]string{},
	},
	{
		header: map[string]string{
			xhttp.AmzServerSideEncryptionCustomerAlgorithm: "AES256",

        // Test creating context with AES-256 cipher IDs
        byte[] key256 = new byte[32]; // 256-bit key
        new SecureRandom().nextBytes(key256);

        Smb2EncryptionContext context256CCM =
                new Smb2EncryptionContext(Smb2EncryptionContext.CIPHER_AES_256_CCM, DialectVersion.SMB311, key256, key256);
        assertEquals(Smb2EncryptionContext.CIPHER_AES_256_CCM, context256CCM.getCipherId());

```
read EC key
writing EC key
```

Alternatively, use the following command to generate a private ECDSA key protected by a password:

```sh
openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out private.key -passout pass:PASSWORD
```

#### 3.2.2 Generate a private key with RSA

Use the following command to generate a private key with RSA:

```sh
openssl genrsa -out private.key 2048
```

	{URL: &url.URL{}, Header: http.Header{xhttp.AmzServerSideEncryptionCustomerAlgorithm: []string{"AES256"}}, IsTLS: false, ShouldFail: true}, // 1
	{URL: &url.URL{}, Header: http.Header{xhttp.AmzServerSideEncryptionCustomerAlgorithm: []string{"AES256"}}, IsTLS: true, ShouldFail: false}, // 2

	kexAlgoCurve25519SHA256LibSSH = "******@****.***"
	kexAlgoCurve25519SHA256       = "curve25519-sha256"

	chacha20Poly1305ID = "******@****.***"
	gcm256CipherID     = "aes256******@****.***"
	aes128cbcID        = "aes128-cbc"
	tripledescbcID     = "3des-cbc"
)

var (
	errSFTPPublicKeyBadFormat = errors.New("the public key provided could not be parsed")

// license that can be found in the LICENSE file. package sha3 // New224 returns a new Digest computing the SHA3-224 hash. func New224() *Digest { return &Digest{rate: rateK448, outputLen: 28, dsbyte: dsbyteSHA3} } // New256 returns a new Digest computing the SHA3-256 hash. func New256() *Digest { return &Digest{rate: rateK512, outputLen: 32, dsbyte: dsbyteSHA3} } // New384 returns a new Digest computing the SHA3-384 hash. func New384() *Digest { return &Digest{rate: rateK768, outputLen: 48, dsbyte:...

```

```
mc stat myminio/bucket/test.file
Name      : test.file
...
Encrypted :
  X-Amz-Server-Side-Encryption: AES256
```

## Encrypted Private Key

MinIO supports encrypted KES client private keys. Therefore, you can use
an password-protected private keys for `MINIO_KMS_KES_KEY_FILE`.

func (r *Config) Validate(ctx context.Context, arn arn.ARN, token, accessToken, dsecs string, claims map[string]any) error {
	jp := new(jwtgo.Parser)
	jp.ValidMethods = []string{
		"RS256", "RS384", "RS512",
		"ES256", "ES384", "ES512",
		"HS256", "HS384", "HS512",
		"RS3256", "RS3384", "RS3512",
		"ES3256", "ES3384", "ES3512",
	}

	keyFuncCallback := func(jwtToken *jwtgo.Token) (any, error) {

// license that can be found in the LICENSE file. package sha3 // New224 returns a new Digest computing the SHA3-224 hash. func New224() *Digest { return &Digest{rate: rateK448, outputLen: 28, dsbyte: dsbyteSHA3} } // New256 returns a new Digest computing the SHA3-256 hash. func New256() *Digest { return &Digest{rate: rateK512, outputLen: 32, dsbyte: dsbyteSHA3} } // New384 returns a new Digest computing the SHA3-384 hash. func New384() *Digest { return &Digest{rate: rateK768, outputLen: 48, dsbyte:...