}

    /**
     * Test that encryption is properly configured
     */
    @Test
    public void testEncryptionConfiguration() throws CIFSException {
        BaseConfiguration config = new BaseConfiguration(true);

        // Verify encryption configuration is available (default is false for compatibility)
        // But can be enabled when needed

     */
    protected String transformation = RSA;

    /**
     * The key to use for encryption/decryption.
     */
    protected String key;

    /**
     * The character set name to use for encoding/decoding strings.
     */
    protected String charsetName = CoreLibConstants.UTF_8;

    /**
     * The queue of ciphers for encryption.
     */
    protected Queue<Cipher> encryptoQueue = new ConcurrentLinkedQueue<>();

```
export MINIO_KMS_AUTO_ENCRYPTION=on
```

### Verify auto-encryption

> Note that auto-encryption only affects requests without S3 encryption headers. So, if a S3 client sends
> e.g. SSE-C headers, MinIO will encrypt the object with the key sent by the client and won't reach out to
> the configured KMS.

To verify auto-encryption, use the following `mc` command:

```
mc cp test.file myminio/bucket/

    @CsvSource({ "true, true, SMB311, 2", // DFS + Encryption
            "false, true, SMB311, 1", // Encryption only
            "true, false, SMB311, 1", // DFS only
            "false, false, SMB311, 0", // Neither
            "true, true, SMB210, 1", // DFS only (no encryption for SMB2)
            "false, true, SMB210, 0" // Neither (no encryption for SMB2)
    })

    /**
     * Test decrypt with an unsupported encryption type.
     */
    @Test
    void testDecryptUnsupportedType() {
        Key key = new KerberosKey(null, new byte[16], 99, 0);
        byte[] data = new byte[16];
        Exception exception = assertThrows(GeneralSecurityException.class, () -> KerberosEncData.decrypt(data, key, 99));
        assertEquals("Unsupported encryption type 99", exception.getMessage());
    }

          "X-Minio-Internal-Server-Side-Encryption-Seal-Algorithm": "REFSRXYyLUhNQUMtU0hBMjU2",
          "X-Minio-Internal-Server-Side-Encryption-Iv": "bW5YRDhRUGczMVhkc2pJT1V1UVlnbWJBcndIQVhpTUN1dnVBS0QwNUVpaz0=",

        return new HMACT64(key);
    }

    /**
     * Get an RC4 cipher instance initialized with the specified key.
     * @param key the encryption key
     * @return RC4 cipher in encryption mode
     */
    public static Cipher getArcfour(final byte[] key) {
        try {
            final Cipher c = Cipher.getInstance("RC4");

od-vod-repository=FAILED;�5X-Minio-Internal-Server-Side-Encryption-S3-Sealed-Key�XIAAfAMkfjc5PQ3cBQGYewN0AmUQGtmOfjmCquU+ANF4cbmIW+HHv8KUUE1c5CpQbInpPANQCRaL/TJmqB38N6Q==�5X-Minio-Internal-Server-Side-Encryption-S3-Kms-Key-Id�minio_encrypt_key�$X-Minio-Internal-Encrypted-Multipart��6X-Minio-Internal-Server-Side-Encryption-Seal-Algorithm�DAREv2-HMAC-SHA256�X-Minio-Internal-actual-size�56720007533�*X-Minio-Internal-Server-Side-Encryption-Iv�,NID2CJYrpulX58KJqzeBme4uhYS3SXoGB8tMSVat9JI=�9X-Mini...

			}
		case "Prefix":
			z.Prefix, err = dc.ReadString()
			if err != nil {
				err = msgp.WrapError(err, "Prefix")
				return
			}
		case "Encryption":
			err = z.Encryption.DecodeMsg(dc)
			if err != nil {
				err = msgp.WrapError(err, "Encryption")
				return
			}
		default:
			err = dc.Skip()
			if err != nil {
				err = msgp.WrapError(err)
				return
			}
		}
	}
	return

            EncryptionNegotiateContext encryption = new EncryptionNegotiateContext();

            assertNotEquals(preauth.getContextType(), encryption.getContextType());
            assertEquals(0x1, preauth.getContextType());
            assertEquals(0x2, encryption.getContextType());
        }

        @Test