public static final int SEQUENCE_CHECKING = 0x10;
    /**
     * Context flag for anonymity capability
     */
    public static final int ANONYMITY = 0x08;
    /**
     * Context flag for confidentiality (encryption) capability
     */
    public static final int CONFIDENTIALITY = 0x04;
    /**
     * Context flag for integrity (signing) capability
     */
    public static final int INTEGRITY = 0x02;

	}
	var nonce [32]byte
	if _, err := io.ReadFull(random, nonce[:]); err != nil {
		logger.CriticalIf(context.Background(), errOutOfEntropy)
	}

	const Context = "object-encryption-key generation"
	mac := hmac.New(sha256.New, extKey)
	mac.Write([]byte(Context))
	mac.Write(nonce[:])
	mac.Sum(key[:0])
	return key
}

// GenerateIV generates a new random 256 bit IV from the provided source

package kms

import (
	"bytes"
	"sort"
	"unicode/utf8"
)

// Context is a set of key-value pairs that
// are associated with a generate data encryption
// key (DEK).
//
// A KMS implementation may bind the context to the
// generated DEK such that the same context must be
// provided when decrypting an encrypted DEK.
type Context map[string]string

	// Use the maximum parity (N/2), used when saving server configuration files
	MaxParity bool

	// Provides a per object encryption function, allowing metadata encryption.
	EncryptFn objectMetaEncryptFn

	// SkipDecommissioned set to 'true' if the call requires skipping the pool being decommissioned.
	// mainly set for certain WRITE operations.

			return ErrKeyNotFound
		}
		if errors.Is(err, kes.ErrNotAllowed) {
			return ErrPermission
		}
		return errKeyDeletionFailed(err)
	}
	return nil
}

// GenerateKey generates a new data encryption key using
// the key at the KES server referenced by the key ID.
//
// The default key ID will be used if keyID is empty.
//
// The context is associated and tied to the generated DEK.

        void testShareFlags() throws Exception {
            // Test encryption flag
            setPrivateField(response, "shareFlags", Smb2TreeConnectResponse.SMB2_SHAREFLAG_ENCRYPT_DATA);
            assertEquals(Smb2TreeConnectResponse.SMB2_SHAREFLAG_ENCRYPT_DATA, response.getShareFlags(), "Should handle encryption flag");

            // Test multiple flags

import javax.security.auth.DestroyFailedException;
import javax.security.auth.Destroyable;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Secure key management for SMB encryption.
 * Provides centralized management of encryption keys with secure storage and cleanup.
 *
 * Features:
 * - Secure key storage with optional KeyStore integration
 * - Automatic key cleanup on close
 * - Thread-safe key management

     * Creates a byte array representing a Kerberos ticket for testing purposes.
     * @param version Kerberos version
     * @param realm Server realm
     * @param principalName Server principal name
     * @param encType Encryption type
     * @param encryptedData Encrypted data
     * @param unknownTag Optional unknown tag number to test error handling
     * @return A byte array representing the ticket
     * @throws IOException on encoding error

        assertThrows(SmbException.class, () -> transport.isSigningEnforced());
        verify(transport).isSigningOptional();
        verify(transport).isSigningEnforced();
    }

    // Happy path and edge: server encryption key can be non-null, empty, or null
    @Test
    @DisplayName("getServerEncryptionKey returns expected bytes")
    void serverEncryptionKey_variants() {
        byte[] key = new byte[] { 1, 2, 3 };

mc: The decryption key will ONLY be shown here. It cannot be recovered.
mc: The encrypted file can safely be shared without the decryption key.
mc: Even with the decryption key, data stored with encryption cannot be accessed.
```

This file can be decrypted using the decryption tool below:

### Installing decryption tool

To install, [Go](https://golang.org/dl/) must be installed.