return nil
}

type Token struct {
	UserID  int    `gorm:"primary_key"`
	Content string `gorm:"type:varchar(100)"`
}

func (t *Token) BeforeSave(tx *gorm.DB) error {
	t.Content += "_encrypted"
	return nil
}

func TestSaveWithHooks(t *testing.T) {
	DB.Migrator().DropTable(&Token{}, &TokenOwner{})
	DB.AutoMigrate(&Token{}, &TokenOwner{})

	if len(data) == 0 {
		return nil
	}
	if part > 0 && !crypto.SSEC.IsEncrypted(o.UserDefined) {
		// already decrypted in ToObjectInfo for multipart objects
		for _, pi := range o.Parts {
			if pi.Number == part {
				return pi.Checksums
			}
		}
	}
	if _, encrypted := crypto.IsEncrypted(o.UserDefined); encrypted {
		decrypted, err := o.metadataDecrypter(h)("object-checksum", data)
		if err != nil {

	}
	return hex.EncodeToString(e)
}

// IsEncrypted reports whether the ETag is encrypted.
func (e ETag) IsEncrypted() bool {
	// An encrypted ETag must be at least 32 bytes long.
	// It contains the encrypted ETag value + an authentication
	// code generated by the AEAD cipher.
	//
	// Here is an incorrect implementation of IsEncrypted:
	//
	//   return len(e) > 16 && !bytes.ContainsRune(e, '-')
	//

    * The contents are **encrypted**, even though they are being sent with the **HTTP protocol**.

	for i, test := range decryptObjectMetaTests {
		if encrypted, err := DecryptObjectInfo(&test.info, test.request); err != test.expErr {
			t.Errorf("Test %d: Decryption returned wrong error code: got %d , want %d", i, err, test.expErr)
		} else if _, enc := crypto.IsEncrypted(test.info.UserDefined); encrypted && enc != encrypted {
			t.Errorf("Test %d: Decryption thinks object is encrypted but it is not", i)
		} else if !encrypted && enc != encrypted {

		return true
	}
	if _, ok := h[xhttp.AmzServerSideEncryptionCustomerKeyMD5]; ok {
		return true
	}
	return false
}

// IsEncrypted returns true if the metadata contains an SSE-C
// entry indicating that the object has been encrypted using
// SSE-C.
func (ssec) IsEncrypted(metadata map[string]string) bool {
	if _, ok := metadata[MetaSealedKeySSEC]; ok {
		return true
	}
	return false
}

//
// IsEncrypted only checks whether the metadata contains at least
// one entry indicating SSE-C or SSE-S3.
func IsEncrypted(metadata map[string]string) (Type, bool) {
	if S3KMS.IsEncrypted(metadata) {
		return S3KMS, true
	}
	if S3.IsEncrypted(metadata) {
		return S3, true
	}
	if SSEC.IsEncrypted(metadata) {
		return SSEC, true
	}
	if IsMultiPart(metadata) {
		return nil, true
	}

	exit 1
fi

got_checksum=$(./mc cat myminio/versioned/dsync/drwmutex.go | md5sum)
if [ "${expected_checksum}" != "${got_checksum}" ]; then
	echo "BUG: decommission failed on encrypted objects: expected ${expected_checksum} got ${got_checksum}"
	exit 1
fi

./s3-check-md5 -versions -access-key minioadmin -secret-key minioadmin -endpoint http://127.0.0.1:9001/ -bucket versioned

func TestIsEncrypted(t *testing.T) {
	for i, test := range isEncryptedTests {
		if _, isEncrypted := IsEncrypted(test.Metadata); isEncrypted != test.Encrypted {
			t.Errorf("Test %d: got '%v' - want '%v'", i, isEncrypted, test.Encrypted)
		}
	}
}

var s3IsEncryptedTests = []struct {
	Metadata  map[string]string
	Encrypted bool
}{
	{Encrypted: false, Metadata: map[string]string{MetaMultipart: ""}},                             // 0

- Delete one/some master keys. From a security standpoint, this is equal to erasing all SSE-S3 encrypted objects protected by these master keys. All these objects are lost forever as they cannot be decrypted. Especially deleting all master keys at the KMS is equivalent to secure erasing all SSE-S3 encrypted objects.