isCompressed, err := oi.IsCompressedOK()
	if err != nil {
		return nil, 0, 0, err
	}

	// if object is encrypted and it is a restore request or if NoDecryption
	// was requested, fetch content without decrypting.
	if opts.Transition.RestoreRequest != nil || opts.NoDecryption {
		isEncrypted = false
		isCompressed = false
	}

	// Calculate range to read (different for encrypted/compressed objects)
	switch {

// NewMultipartUploadHandler - New multipart upload.
// Notice: The S3 client can send secret keys in headers for encryption related jobs,
// the handler should ensure to remove these keys before sending them to the object layer.
// Currently these keys are:
//   - X-Amz-Server-Side-Encryption-Customer-Key
//   - X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key
func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r *http.Request) {

        }
        return this.encryptionContext.encryptMessage(message, this.sessionId);
    }

    /**
     * Decrypt a message using the session's encryption context
     *
     * @param encryptedMessage the encrypted message with transform header
     * @return decrypted message
     * @throws CIFSException if decryption fails or encryption is not enabled
     */

            cipherId = EncryptionNegotiateContext.CIPHER_AES128_CCM;
        } else {
            throw new SmbUnsupportedOperationException("SMB3 required for encryption, negotiated: " + dialect);
        }

        try {
            // Derive encryption and decryption keys using SMB3 KDF
            final int dialectInt = dialect.getDialect();

			}
			return rinfo
		}
	} else {
		// SSEC objects will refuse HeadObject without the decryption key.
		// Ignore the error, since we know the object exists and versioning prevents overwriting existing versions.
		if isSSEC && strings.Contains(cerr.Error(), errorCodes[ErrSSEEncryptedObject].Description) {
			rinfo.ReplicationStatus = replication.Completed
			rinfo.ReplicationAction = replicateNone
			goto applyAction

## Changelog since v1.32.3

## Changes by Kind

### Bug or Regression

- Fix a bug where kube-apiserver could emit an further watch even even if decryption failed for earlier event and it was not emitted. ([#131159](https://github.com/kubernetes/kubernetes/pull/131159), [@wojtek-t](https://github.com/wojtek-t)) [SIG API Machinery and Etcd]

- kubeadm now includes the ability to specify certificate encryption and decryption keys for the upload and download certificate phases as part of the new v1beta2 kubeadm config format. ([#77012](https://github.com/kubernetes/kubernetes/pull/77012), [@rosti](https://github.com/rosti))

expandKeyGeneric(c *blockExpanded, key []byte) { checkGenericIsExpect() // Encryption key setup. var i int nk := len(key) / 4 for i = 0; i < nk; i++ { c.enc[i] = byteorder.BEUint32(key[4*i:]) } for ; i < c.roundKeysSize(); i++ { t := c.enc[i-1] if i%nk == 0 { t = subw(rotw(t)) ^ (uint32(powx[i/nk-1]) << 24) } else if nk > 6 && i%nk == 4 { t = subw(t) } c.enc[i] = c.enc[i-nk] ^ t } // Derive decryption key from encryption key. // Reverse the 4-word round key sets from enc to produce dec. // All sets...

	"github.com/minio/minio/internal/logger"
	"github.com/minio/mux"
	"github.com/minio/pkg/v3/policy"
)

const (
	// Bucket Encryption configuration file name.
	bucketSSEConfig = "bucket-encryption.xml"
)

// PutBucketEncryptionHandler - Stores given bucket encryption configuration
// https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html

expandKeyGeneric(c *blockExpanded, key []byte) { checkGenericIsExpect() // Encryption key setup. var i int nk := len(key) / 4 for i = 0; i < nk; i++ { c.enc[i] = byteorder.BEUint32(key[4*i:]) } for ; i < c.roundKeysSize(); i++ { t := c.enc[i-1] if i%nk == 0 { t = subw(rotw(t)) ^ (uint32(powx[i/nk-1]) << 24) } else if nk > 6 && i%nk == 4 { t = subw(t) } c.enc[i] = c.enc[i-nk] ^ t } // Derive decryption key from encryption key. // Reverse the 4-word round key sets from enc to produce dec. // All sets...