multipart-debug --endpoint 127.0.0.1:9002 --accesskey minio --secretkey minio123 multipart complete --bucket bucket --object new-test-encrypted-object --uploadid ${upload_id} 1.${etag_1} 2.${etag_2}

sleep 10

./mc stat --no-list sitea/bucket/new-test-encrypted-object

}
```

Optionally `--encrypt` can be specified. This will output an encrypted file and a decryption key:

```
$ mc support inspect --encrypt play/test123/test*/*/part.*
mc: Encrypted file data successfully downloaded as inspect.ad2b43d8.enc
mc: Decryption key: ad2b43d847fdb14e54c5836200177f7158b3f745433525f5d23c0e0208e50c9948540b54

Bag Attributes
    friendlyName: test-client
    localKeyID: 54 69 6D 65 20 31 36 31 30 35 34 37 32 31 38 33 33 39 
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIV/BaQuOROI8CAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECDimqPUDaqRVBIIEyBNPeVp351IS
v8s0Jscjmh/PkXe6Zb4etlvhOMbTrLdsUiXYaPaX+pwNDo61D3LR3UTz1Yt9MaIM
hgbClVQo2WhEIywJcaloEccxZ2mkP0ZWGVvm3NqfGD5ruevRxra9fvrQcpr81Sro

### Using `mc encrypt` (recommended)

MinIO automatically encrypts all objects on buckets if KMS is successfully configured and bucket encryption configuration is enabled for each bucket as shown below:

```
mc encrypt set sse-s3 myminio/bucket/
```

Verify if MinIO has `sse-s3` enabled

```
mc encrypt info myminio/bucket/
Auto encryption 'sse-s3' is enabled

        }

        final boolean encrypted = (this.ntlmsspFlags & NtlmFlags.NTLMSSP_NEGOTIATE_KEY_EXCH) != 0;
        if (encrypted) {
            try {
                trunc = this.sealServerHandle.doFinal(trunc);
                if (log.isDebugEnabled()) {
                    log.debug("Decrypted " + Hexdump.toHexString(trunc));
                }

/**
 * Represents encrypted Kerberos ticket data.
 */
public class KerberosEncData {

    private String userRealm;
    private String userPrincipalName;
    private ArrayList<InetAddress> userAddresses;
    private List<KerberosAuthData> userAuthorizations;

    /**
     * Constructs KerberosEncData from encrypted token bytes.
     *
     * @param token the encrypted Kerberos token

        }
    }

    /**
     * Encrypt credentials to a base64 string for storage
     *
     * @param plaintext the credentials to encrypt
     * @return base64 encoded encrypted credentials
     * @throws GeneralSecurityException if encryption fails
     */
    public String encryptToString(char[] plaintext) throws GeneralSecurityException {
        byte[] encrypted = encryptCredentials(plaintext);

	"X-Minio-Internal-Server-Side-Encryption-Iv":             "X-Minio-Replication-Server-Side-Encryption-Iv",
	"X-Minio-Internal-Encrypted-Multipart":                   "X-Minio-Replication-Encrypted-Multipart",
	"X-Minio-Internal-Actual-Object-Size":                    "X-Minio-Replication-Actual-Object-Size",
	// Add more supported headers here.
}

                }

                try {
                    byte[] decrypted = KerberosEncData.decrypt(crypt, serverKey, serverKey.getKeyType());
                    this.encData = new KerberosEncData(decrypted, keysByAlgo);
                } catch (GeneralSecurityException e) {

          "x-amz-restore": "ongoing-request=false, expiry-date=Sat, 27 Feb 2021 00:00:00 GMT",
...
```

### Encrypted/Object locked objects