case strings.HasSuffix(inputFileName, ".zip"):
		outputFileName = strings.TrimSuffix(inputFileName, ".zip") + ".decrypted.zip"
	case strings.Contains(inputFileName, ".enc."):
		outputFileName = strings.Replace(inputFileName, ".enc.", ".", 1) + ".zip"
	default:
		outputFileName = inputFileName + ".decrypted"
	}

	// Open the input and create the output file
	input, err := os.Open(inputFileName)
	fatalErr(err)

	if _, ok := metadata[MetaSealedKeyS3]; ok {
		return true
	}
	return false
}

// UnsealObjectKey extracts and decrypts the sealed object key
// from the metadata using KMS and returns the decrypted object
// key.
func (s3 sses3) UnsealObjectKey(k *kms.KMS, metadata map[string]string, bucket, object string) (key ObjectKey, err error) {
	if k == nil {
		return key, Errorf("KMS not configured")
	}

		ACB_PWNOEXP                = 0x00000200, /* 1 = User password does not expire */
		ACB_AUTOLOCK               = 0x00000400, /* 1 = Account auto locked */
		ACB_ENC_TXT_PWD_ALLOWED    = 0x00000800, /* 1 = Encryped text password is allowed */
		ACB_SMARTCARD_REQUIRED     = 0x00001000, /* 1 = Smart Card required */
		ACB_TRUSTED_FOR_DELEGATION = 0x00002000, /* 1 = Trusted for Delegation */

		ACB_PWNOEXP                = 0x00000200, /* 1 = User password does not expire */
		ACB_AUTOLOCK               = 0x00000400, /* 1 = Account auto locked */
		ACB_ENC_TXT_PWD_ALLOWED    = 0x00000800, /* 1 = Encryped text password is allowed */
		ACB_SMARTCARD_REQUIRED     = 0x00001000, /* 1 = Smart Card required */
		ACB_TRUSTED_FOR_DELEGATION = 0x00002000, /* 1 = Trusted for Delegation */

- In `kube-apiserver`, custom resources can now be specified in the `--encryption-provider-config` file and can be encrypted in etcd. ([#113015](https://github.com/kubernetes/kubernetes/pull/113015), [@ritazh](https://github.com/ritazh))

		}
		data, err = io.ReadAll(plaintext)
		if err != nil {
			t.Fatalf("Test %d: failed to decrypt stream: %v", i, err)
		}

		if !bytes.Equal(data, test.Data) {
			t.Fatalf("Test %d: decrypted data does not match original data", i)
		}
	}
}

func BenchmarkEncrypt(b *testing.B) {
	key, err := hex.DecodeString("ddedadb867afa3f73bd33c25499a723ed7f9f51172ee7b1b679e08dc795debcc")
	if err != nil {

}

// UnsealObjectKey extracts and decrypts the sealed object key
// from the metadata using the SSE-Copy client key of the HTTP headers
// and returns the decrypted object key.
func (sse ssecCopy) UnsealObjectKey(h http.Header, metadata map[string]string, bucket, object string) (key ObjectKey, err error) {
	clientKey, err := sse.ParseHTTP(h)
	if err != nil {
		return key, err
	}

		"Please check your certificate",
		"",
	)

	ErrTLSNoPassword = newErrFn(
		"Missing TLS password",
		"Please set the password to environment variable `MINIO_CERT_PASSWD` so that the private key can be decrypted",
		"",
	)

	ErrNoCertsAndHTTPSEndpoints = newErrFn(
		"HTTPS specified in endpoints, but no TLS certificate is found on the local machine",
		"Please add TLS certificate or use HTTP endpoints only",

	if _, ok := metadata[MetaSealedKeyKMS]; ok {
		return true
	}
	return false
}

// UnsealObjectKey extracts and decrypts the sealed object key
// from the metadata using KMS and returns the decrypted object
// key.
func (s3 ssekms) UnsealObjectKey(k *kms.KMS, metadata map[string]string, bucket, object string) (key ObjectKey, err error) {
	if k == nil {
		return key, Errorf("KMS not configured")
	}

	arn := madmin.ARN{
		Type:   t.Type,
		ID:     uuid,
		Region: t.Region,
		Bucket: t.TargetBucket,
	}
	return arn.String()
}

// Returns parsed target config. If KMS is configured, remote target is decrypted
func parseBucketTargetConfig(bucket string, cdata, cmetadata []byte) (*madmin.BucketTargets, error) {
	var (
		data []byte
		err  error
		t    madmin.BucketTargets
		meta map[string]string
	)