tests := map[string]struct {
		encryptKey       []byte
		decryptKey       []byte
		data             []byte
		expectDecryptErr bool
	}{
		"can decrypt using the correct key": {
			encryptKey:       key1,
			decryptKey:       key1,
			data:             testData,
			expectDecryptErr: false,
		},
		"can't decrypt using incorrect key": {
			encryptKey:       key1,
			decryptKey:       key2,
			data:             testData,

	// The same context must be provided when the generated key
	// should be decrypted. Therefore, it is the callers
	// responsibility to remember the corresponding context for
	// a particular DEK. The context may be nil.
	GenerateKey(context.Context, *GenerateKeyRequest) (DEK, error)

	// DecryptKey decrypts the ciphertext with the key referenced
	// by the key ID. The context must match the context value

	ctxBytes, err := ctx.MarshalText()
	if err != nil {
		return nil, err
	}
	return c.client.Encrypt(context.Background(), keyID, plaintext, ctxBytes)
}

// DecryptKey decrypts the ciphertext with the key at the KES
// server referenced by the key ID. The context must match the
// context value used to generate the ciphertext.

- Seal/Unmount one/some master keys. That will lock all SSE-S3 encrypted objects protected by these master keys. All these objects can not be decrypted as long as the key(s) are sealed.

/**
 * Collects the output of the settings decrypter.
 *
 */
public interface SettingsDecryptionResult {

    /**
     * Gets the decrypted server. This is a convenience method to retrieve the first element from {@link #getServers()}.
     *
     * @return The decrypted server or {@code null}.
     */
    Server getServer();

    /**
     * Gets the decrypted servers.
     *

	if err != nil {
		return
	}

	// At this point, we have:
	//
	// 1. the decrypted part sizes in `sizes` (single element for
	//    single part object) and total decrypted object size `decObjSize`
	//
	// 2. the (decrypted) start offset `off` and (decrypted)
	//    length to read `length`
	//
	// These are the inputs to the rest of the algorithm below.

 *
 */
public interface SettingsDecryptionRequest {

    /**
     * Gets the servers whose passwords should be decrypted.
     *
     * @return The servers to decrypt, never {@code null}.
     */
    List<Server> getServers();

    /**
     * Sets the servers whose passwords should be decrypted.
     *
     * @param servers The servers to decrypt, may be {@code null}.
     * @return This request, never {@code null}.

}

// newCBCGenericDecrypter returns a BlockMode which encrypts in cipher block chaining
// mode, using the given Block. The length of iv must be the same as the
// Block's block size. This always returns the generic non-asm decrypter for use in
// fuzz testing.
func newCBCGenericDecrypter(b Block, iv []byte) BlockMode {
	if len(iv) != b.BlockSize() {
		panic("cipher.NewCBCDecrypter: IV length must equal block size")
	}

        } finally {
            offerDecryptoCipher(cipher);
        }
        return decrypted;
    }

    public byte[] decrypto(final byte[] data, final Key key) {
        final Cipher cipher = pollDecryptoCipher(key);
        byte[] decrypted;
        try {
            decrypted = cipher.doFinal(data);
        } catch (final IllegalBlockSizeException e) {

	case strings.HasSuffix(inputFileName, ".zip"):
		outputFileName = strings.TrimSuffix(inputFileName, ".zip") + ".decrypted.zip"
	case strings.Contains(inputFileName, ".enc."):
		outputFileName = strings.Replace(inputFileName, ".enc.", ".", 1) + ".zip"
	default:
		outputFileName = inputFileName + ".decrypted"
	}

	// Backup any already existing output file
	_, err := os.Stat(outputFileName)
	if err == nil {