xhttp.AmzServerSideEncryptionCustomerAlgorithm: "AES256",
			xhttp.AmzServerSideEncryptionCustomerKey:       "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=",
			xhttp.AmzServerSideEncryptionCustomerKeyMD5:    "bY4wkxQejw9mUJfo72k53A==",
		},
		metadata: map[string]string{},
	},
	{
		header: map[string]string{
			xhttp.AmzServerSideEncryptionCustomerAlgorithm: "AES256",

                                  ExtraArgs={'ServerSideEncryption': 'AES256'})

# Upload with server side encryption, using temporary credentials
s3.meta.client.upload_file('/etc/hosts',
                           'testbucket',
                           'hosts',
                           ExtraArgs={'ServerSideEncryption': 'AES256'})

# Download encrypted object using temporary credentials

```
read EC key
writing EC key
```

Alternatively, use the following command to generate a private ECDSA key protected by a password:

```sh
openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out private.key -passout pass:PASSWORD
```

#### 3.2.2 Generate a private key with RSA

Use the following command to generate a private key with RSA:

```sh
openssl genrsa -out private.key 2048
```

	{URL: &url.URL{}, Header: http.Header{xhttp.AmzServerSideEncryptionCustomerAlgorithm: []string{"AES256"}}, IsTLS: false, ShouldFail: true}, // 1
	{URL: &url.URL{}, Header: http.Header{xhttp.AmzServerSideEncryptionCustomerAlgorithm: []string{"AES256"}}, IsTLS: true, ShouldFail: false}, // 2

```

`--sftp=cipher-algos=...` specifies the allowed cipher algorithms. 
If unspecified then a sensible default is used.

Valid values: 
```
aes128-ctr
aes192-ctr
aes256-ctr
******@****.***
aes256******@****.***
******@****.***
arcfour256
arcfour128
arcfour
aes128-cbc
3des-cbc
```

	kexAlgoCurve25519SHA256LibSSH = "******@****.***"
	kexAlgoCurve25519SHA256       = "curve25519-sha256"

	chacha20Poly1305ID = "******@****.***"
	gcm256CipherID     = "aes256******@****.***"
	aes128cbcID        = "aes128-cbc"
	tripledescbcID     = "3des-cbc"
)

var (
	errSFTPPublicKeyBadFormat = errors.New("the public key provided could not be parsed")

		shouldPass  bool
	}{
		// MinIO supported XML
		{
			inputXML: `<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
			<Rule>
			<ApplyServerSideEncryptionByDefault>
			<SSEAlgorithm>AES256</SSEAlgorithm>
			</ApplyServerSideEncryptionByDefault>
			</Rule>
			</ServerSideEncryptionConfiguration>`,
			expectedErr: nil,
			shouldPass:  true,
		},
		// Unsupported XML
		{

        // Test AES128
        byte[] mac2 = PacMac.calculateMac(PacSignature.HMAC_SHA1_96_AES128, keys, TEST_DATA);
        assertNotNull(mac2);
        assertEquals(12, mac2.length);

        // Test AES256
        byte[] mac3 = PacMac.calculateMac(PacSignature.HMAC_SHA1_96_AES256, keys, TEST_DATA);
        assertNotNull(mac3);
        assertEquals(12, mac3.length);
    }

    /**

```

```
mc stat myminio/bucket/test.file
Name      : test.file
...
Encrypted :
  X-Amz-Server-Side-Encryption: AES256
```

## Encrypted Private Key

MinIO supports encrypted KES client private keys. Therefore, you can use
an password-protected private keys for `MINIO_KMS_KES_KEY_FILE`.

)

const (
	// SSECustomerKeySize is the size of valid client provided encryption keys in bytes.
	// Currently AWS supports only AES256. So the SSE-C key size is fixed to 32 bytes.
	SSECustomerKeySize = 32

	// SSEIVSize is the size of the IV data
	SSEIVSize = 32 // 32 bytes

	// SSEDAREPackageBlockSize - SSE dare package block size.