// at an untrusted location.
type SealedKey struct {
	Key       [64]byte // The encrypted and authenticated object-key.
	IV        [32]byte // The random IV used to encrypt the object-key.
	Algorithm string   // The sealing algorithm used to encrypt the object key.
}

// Seal encrypts the ObjectKey using the 256 bit external key and IV. The sealed
// key is also cryptographically bound to the object's path (bucket/object) and the

//
// ## SSE-C
//
// SSE-C computes the key-encryption-key from the client-provided key, an
// initialization vector (IV) and the bucket/object path.
//
//  1. Encrypt:
//     Input: ClientKey, bucket, object, metadata, object_data
//     -              IV := Random({0,1}²⁵⁶)
//     -       ObjectKey := SHA256(ClientKey || Random({0,1}²⁵⁶))

	plaintext, err := Decrypt(k, bytes.NewReader(ciphertext), context)
	if err != nil {
		return nil, err
	}
	return io.ReadAll(plaintext)
}

// Encrypt encrypts the plaintext with a key managed by KMS.
// The context is bound to the returned ciphertext.
//
// The same context must be provided when decrypting the
// ciphertext.

		metadata:       nil,
		encryptionType: encrypt.S3,
		err:            nil,
	}, // 3
	{
		headers:    http.Header{},
		copySource: false,
		metadata: map[string]string{
			crypto.MetaSealedKeyS3:       base64.StdEncoding.EncodeToString(make([]byte, 64)),
			crypto.MetaKeyID:             "kms-key",
			crypto.MetaDataEncryptionKey: "m-key",
		},
		encryptionType: encrypt.S3,
		err:            nil,
	}, // 4
	{

	return
}

// EncryptSinglePart encrypts an io.Reader which must be the
// body of a single-part PUT request.
func EncryptSinglePart(r io.Reader, key ObjectKey) io.Reader {
	r, err := sio.EncryptReader(r, sio.Config{MinVersion: sio.Version20, Key: key[:], CipherSuites: fips.DARECiphers()})
	if err != nil {
		logger.CriticalIf(context.Background(), errors.New("Unable to encrypt io.Reader using object key"))
	}
	return r
}

	}

	for i, test := range encryptDecryptTests {
		ciphertext, err := Encrypt(KMS, bytes.NewReader(test.Data), test.Context)
		if err != nil {
			t.Fatalf("Test %d: failed to encrypt stream: %v", i, err)
		}
		data, err := io.ReadAll(ciphertext)
		if err != nil {
			t.Fatalf("Test %d: failed to encrypt stream: %v", i, err)
		}

		plaintext, err := Decrypt(KMS, bytes.NewReader(data), test.Context)
		if err != nil {

		}
		var buffer bytes.Buffer
		mac := hmac.New(sha256.New, key[:])
		mac.Write([]byte(baseKey))
		if _, err := sio.Encrypt(&buffer, bytes.NewReader(data), sio.Config{Key: mac.Sum(nil), CipherSuites: fips.DARECiphers()}); err != nil {
			logger.CriticalIf(context.Background(), errors.New("unable to encrypt using object key"))
		}
		return buffer.Bytes()
	}
}

// metadataDecrypter reverses metadataEncrypter.

	Verify(cxt context.Context) []VerifyResult
}

// VerifyResult describes the verification result details a KMS endpoint
type VerifyResult struct {
	Endpoint string
	Decrypt  string
	Encrypt  string
	Version  string
	Status   string
}

// Status describes the current state of a KMS.
type Status struct {
	Name      string   // The name of the KMS

// from a single key.
type secretKey struct {
	keyID string
	key   []byte
}

var _ KMS = secretKey{} // compiler check

const ( // algorithms used to derive and encrypt DEKs
	algorithmAESGCM           = "AES-256-GCM-HMAC-SHA-256"
	algorithmChaCha20Poly1305 = "ChaCha20Poly1305"
)

func (kms secretKey) Stat(context.Context) (Status, error) {
	return Status{
		Name:       "SecretKey",

	}
}

func enableCompression(t *testing.T, encrypt bool) {
	// Enable compression and exec...
	globalCompressConfigMu.Lock()
	globalCompressConfig.Enabled = true
	globalCompressConfig.MimeTypes = nil
	globalCompressConfig.Extensions = nil
	globalCompressConfig.AllowEncrypted = encrypt
	globalCompressConfigMu.Unlock()
	if encrypt {
		globalAutoEncryption = encrypt
		var err error