// used to generate the ciphertext.
	DecryptKey(keyID string, ciphertext []byte, context Context) ([]byte, error)

	// DecryptAll decrypts all ciphertexts with the key referenced
	// by the key ID. The contexts must match the context value
	// used to generate the ciphertexts.
	DecryptAll(ctx context.Context, keyID string, ciphertext [][]byte, context []Context) ([][]byte, error)

	}
	if sameKeyID {
		contexts := make([]kms.Context, 0, len(keyIDs))
		for i := range buckets {
			contexts = append(contexts, kms.Context{buckets[i]: path.Join(buckets[i], objects[i])})
		}
		unsealKeys, err := k.DecryptAll(ctx, keyIDs[0], kmsKeys, contexts)
		if err != nil {
			return nil, err
		}
		keys := make([]ObjectKey, len(unsealKeys))
		for i := range keys {

			HTTPStatusCode: http.StatusBadRequest,
			APICode:        "KMS.InternalException",
			Err:            fmt.Errorf("encrypted key is not authentic"),
		}
	}
	return plaintext, nil
}

func (kms secretKey) DecryptAll(_ context.Context, keyID string, ciphertexts [][]byte, contexts []Context) ([][]byte, error) {
	plaintexts := make([][]byte, 0, len(ciphertexts))
	for i := range ciphertexts {

	defer c.lock.RUnlock()

	ctxBytes, err := ctx.MarshalText()
	if err != nil {
		return nil, err
	}
	return c.client.Decrypt(context.Background(), keyID, ciphertext, ctxBytes)
}

func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts [][]byte, contexts []Context) ([][]byte, error) {
	c.lock.RLock()
	defer c.lock.RUnlock()

	plaintexts := make([][]byte, 0, len(ciphertexts))
	for i := range ciphertexts {