}
			if withData {
				data, err := readConfig(ctx, objAPI, obj.Name)
				if err != nil {
					// ignore history file if not readable.
					continue
				}

				data, err = decryptData(data, obj.Name)
				if err != nil {
					// ignore history file that cannot be loaded.
					continue
				}

				cfgEntry.Data = string(data)
			}
			configHistory = append(configHistory, cfgEntry)
			count--

		success bool
	}{
		{edata1, cred1, true},
		{edata2, cred2, true},
		{data, cred1, false},
	}

	for _, test := range tests {
		t.Run("", func(t *testing.T) {
			ddata, err := madmin.DecryptData(test.cred.String(), bytes.NewReader(test.edata))
			if err != nil && test.success {
				t.Errorf("Expected success, saw failure %v", err)
			}
			if err == nil && !test.success {
				t.Error("Expected failure, saw success")

	ctx := r.Context()

	objAPI, cred := validateAdminReq(ctx, w, r, policy.SetTierAction)
	if objAPI == nil {
		return
	}

	password := cred.SecretKey
	reqBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
	if err != nil {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErrWithErr(ErrAdminConfigBadJSON, err), r.URL)
		return
	}

	var cfg madmin.TierConfig

		// More than maxConfigSize bytes were available
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigTooLarge), r.URL)
		return
	}

	password := cred.SecretKey
	kvBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
	if err != nil {
		adminLogIf(ctx, err)
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), r.URL)
		return
	}

		})
		if err != nil {
			return err
		}
	}
	return saveKeyEtcd(ctx, ies.client, itemPath, data, opts...)
}

func getIAMConfig(item interface{}, data []byte, itemPath string) error {
	data, err := decryptData(data, itemPath)
	if err != nil {
		return err
	}
	json := jsoniter.ConfigCompatibleWithStandardLibrary
	return json.Unmarshal(data, item)
}

		if err != nil {
			// when config.json is not found, then we freshly initialize.
			if errors.Is(err, errConfigNotFound) {
				return newServerCfg()
			}
			return nil, err
		}

		data, err = decryptData(data, configFile)
		if err != nil {
			return nil, err
		}

		newCfg, err := readServerConfig(GlobalContext, objAPI, data)
		if err == nil {
			return newCfg, nil
		}

	if contentType != "application/octet-stream" {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrBadRequest), r.URL)
		return
	}

	password := cred.SecretKey
	reqBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
	if err != nil {
		adminLogIf(ctx, err)
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), r.URL)
		return
	}

		})
		if err != nil {
			return err
		}
	}
	return saveConfig(ctx, iamOS.objAPI, objPath, data)
}

func decryptData(data []byte, objPath string) ([]byte, error) {
	if utf8.Valid(data) {
		return data, nil
	}

	pdata, err := madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
	if err == nil {
		return pdata, nil
	}
	if GlobalKMS != nil {

		return
	}

	isAttach := operation == "attach"

	// Validate API arguments in body.
	password := cred.SecretKey
	reqBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
	if err != nil {
		adminLogIf(ctx, err)
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), r.URL)
		return
	}

	data, err := io.ReadAll(body)
	if err != nil {
		return SRError{
			Cause: err,
			Code:  ErrSiteReplicationInvalidRequest,
		}
	}
	if encryptionKey != "" {
		data, err = madmin.DecryptData(encryptionKey, bytes.NewReader(data))
		if err != nil {
			return SRError{
				Cause: err,
				Code:  ErrSiteReplicationInvalidRequest,
			}
		}
	}
	return json.Unmarshal(data, v)
}