byte[] encrypted2 = storage.encryptCredentials(plaintext.clone());

        // Should produce different ciphertexts due to random IV
        assertFalse(Arrays.equals(encrypted1, encrypted2), "Different encryptions should produce different ciphertexts");

        // But both should decrypt to same plaintext
        char[] decrypted1 = storage.decryptCredentials(encrypted1);

            // Encrypt
            byte[] ciphertext = cipher.doFinal(plaintextBytes);

            // Combine IV and ciphertext
            byte[] result = new byte[GCM_IV_SIZE + ciphertext.length];
            System.arraycopy(iv, 0, result, 0, GCM_IV_SIZE);
            System.arraycopy(ciphertext, 0, result, GCM_IV_SIZE, ciphertext.length);

            return result;

        } finally {

                // Process AAD (not included in ciphertext)
                cipher.processAADBytes(associatedData, 0, associatedData.length);

                // Process ciphertext + auth tag
                final byte[] input = new byte[ciphertext.length + authTag.length];
                System.arraycopy(ciphertext, 0, input, 0, ciphertext.length);

     * @param clearText the 8-byte plaintext block
     * @param cipherText the output 8-byte ciphertext block
     */
    public void encrypt(final byte[] clearText, final byte[] cipherText) {
        encrypt(clearText, 0, cipherText, 0);
    }

    /// Decrypt a block of bytes.
    /**
     * Decrypts an 8-byte block using DES
     * @param cipherText the 8-byte ciphertext block
     * @param clearText the output 8-byte plaintext block

		return
	}

	// 2. Verify that we can indeed decrypt the (encrypted) key
	decryptedKey, err := GlobalKMS.Decrypt(ctx, &kms.DecryptRequest{
		Name:           key.KeyID,
		Ciphertext:     key.Ciphertext,
		AssociatedData: kmsContext,
	})
	if err != nil {
		response.DecryptionErr = err.Error()
		resp, err := json.Marshal(response)
		if err != nil {

		}
		keyID, kmsKey, sealedKey, err := crypto.S3.ParseMetadata(metadata)
		if err != nil {
			return err
		}
		oldKey, err := GlobalKMS.Decrypt(ctx, &kms.DecryptRequest{
			Name:           keyID,
			Ciphertext:     kmsKey,
			AssociatedData: kms.Context{bucket: path.Join(bucket, object)},
		})
		if err != nil {
			return err
		}
		var objectKey crypto.ObjectKey

	objectKey := crypto.GenerateKey(key.Plaintext, rand.Reader)
	sealedKey := objectKey.Seal(key.Plaintext, crypto.GenerateIV(rand.Reader), crypto.S3.String(), bucket, "")
	crypto.S3.CreateMetadata(metadata, key.KeyID, key.Ciphertext, sealedKey)
	_, err = sio.Encrypt(outbuf, bytes.NewBuffer(input), sio.Config{Key: objectKey[:], MinVersion: sio.Version20})
	if err != nil {
		return output, metabytes, err
	}
	metabytes, err = json.Marshal(metadata)

                 |                         |                         |
                 |                         |                         |
ciphertext  := sealed_chunk_0   ||       sealed_chunk_1   ||       sealed_chunk_2   ||       ...
```

		return
	}

	// 2. Verify that we can indeed decrypt the (encrypted) key
	decryptedKey, err := GlobalKMS.Decrypt(ctx, &kms.DecryptRequest{
		Name:           key.KeyID,
		Ciphertext:     key.Ciphertext,
		AssociatedData: kmsContext,
	})
	if err != nil {
		response.DecryptionErr = err.Error()
		resp, err := json.Marshal(response)
		if err != nil {