// storage specified by the transition ARN, the metadata is left behind on source cluster and original content
// is moved to the transition tier. Note that in the case of encrypted objects, entire encrypted stream is moved
// to the transition tier without decrypting or re-encrypting.
func transitionObject(ctx context.Context, objectAPI ObjectLayer, oi ObjectInfo, lae lcAuditEvent) (err error) {

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```

It is not encrypted, so, anyone could recover the information from the contents.

But it's signed. So, when you receive a token that you emitted, you can verify that you actually emitted it.

	return saveConfig(ctx, api, configFile, data)
}

// migrate config for remote targets by encrypting data if currently unencrypted and kms is configured.
func (b *BucketMetadata) migrateTargetConfig(ctx context.Context, objectAPI ObjectLayer) error {
	var err error
	// early return if no targets or already encrypted
	if len(b.BucketTargetsConfigJSON) == 0 || GlobalKMS == nil || len(b.BucketTargetsConfigMetaJSON) != 0 {
		return nil
	}

			if opts.EncryptFn != nil {
				fi.Checksum = opts.EncryptFn("object-checksum", fi.Checksum)
			}
		}
	} else if fi.Checksum == nil && opts.WantChecksum != nil {
		// Trailing headers checksums should now be filled.
		fi.Checksum = opts.WantChecksum.AppendTo(nil, nil)
		if opts.EncryptFn != nil {
			fi.Checksum = opts.EncryptFn("object-checksum", fi.Checksum)
		}
	}

## **2. Prerequisites**

				fmt.Fprint(h, meta.TransitionTier)
				fmt.Fprint(h, meta.TransitionedObjName)
				fmt.Fprint(h, meta.TransitionVersionID)
			}

			// If metadata says encrypted, ask for it in quorum.
			if etyp, ok := crypto.IsEncrypted(meta.Metadata); ok {
				fmt.Fprint(h, etyp)
			}

			// If compressed, look for compressed FileInfo only
			if meta.IsCompressed() {

  }

  /** Test which headers are sent unencrypted to the HTTP proxy.  */
  @Test
  fun proxyConnectOmitsApplicationHeaders() {
    server.useHttps(handshakeCertificates.sslSocketFactory())
    server.enqueue(
      MockResponse
        .Builder()
        .inTunnel()
        .build(),
    )
    server.enqueue(
      MockResponse(body = "encrypted response from the origin server"),
    )

  * More reliable kube-up/kube-down
  * Enable ICMP Type 3 Code 4 for ELBs
  * ARP caching fix
  * Use /dev/xvdXX names
  * ELB:
    * ELB proxy protocol support 
	* mixed plaintext/encrypted ports support in ELBs
    * SSL support for ELB listeners
  * Allow VPC CIDR to be specified (experimental)
  * Fix problems with >2 security groups
* GCP:
  * Enable using gcr.io as a Docker registry mirror.

      MockResponse
        .Builder()
        .inTunnel()
        .build(),
    )
    server.enqueue(MockResponse(body = "encrypted response from the origin server"))
    client =
      client
        .newBuilder()
        .proxy(server.proxyAddress)
        .sslSocketFactory(
          handshakeCertificates.sslSocketFactory(),
          handshakeCertificates.trustManager,

				return
			}

			wantSize := int64(-1)
			if actualSize >= 0 {
				info := ObjectInfo{Size: actualSize}
				wantSize = info.EncryptedSize()
			}

			// do not try to verify encrypted content/
			hashReader, err = hash.NewReader(ctx, reader, wantSize, "", "", actualSize)
			if err != nil {
				writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
				return
			}