* should carry a digital signature (message integrity).
     */
    int NTLMSSP_NEGOTIATE_SIGN = 0x00000010;

    /**
     * Specifies that communication across the authenticated channel
     * should be encrypted (message confidentiality).
     */
    int NTLMSSP_NEGOTIATE_SEAL = 0x00000020;

    /**
     * Indicates datagram authentication.
     */
    int NTLMSSP_NEGOTIATE_DATAGRAM_STYLE = 0x00000040;

    /**

            if (isExternalAuth(pwAuth)) {
                this.passwordLength = 1;
            } else if (this.server.encryptedPasswords) {
                // encrypted
                try {
                    this.password = pwAuth.getAnsiHash(this.ctx, this.server.encryptionKey);
                } catch (final GeneralSecurityException e) {

	}

	actualSize := data.ActualSize()
	if actualSize < 0 {
		_, encrypted := crypto.IsEncrypted(fi.Metadata)
		compressed := fi.IsCompressed()
		switch {
		case compressed:
			// ... nothing changes for compressed stream.
			// if actualSize is -1 we have no known way to
			// determine what is the actualSize.
		case encrypted:
			decSize, err := sio.DecryptedSize(uint64(n))
			if err == nil {

            return OptionalEntity.empty();
        }
        return OptionalEntity.of(list.get(0));
    }

    /**
     * Stores a web configuration.
     * Configuration parameters are encrypted before storage.
     *
     * @param webConfig The web configuration to store
     */
    public void store(final WebConfig webConfig) {

    * should carry a digital signature (message integrity).
    */
    int NTLMSSP_NEGOTIATE_SIGN = 0x00000010;

    /**
    * Specifies that communication across the authenticated channel
    * should be encrypted (message confidentiality).
    */
    int NTLMSSP_NEGOTIATE_SEAL = 0x00000020;

    /**
    * Indicates datagram authentication.
    */
    int NTLMSSP_NEGOTIATE_DATAGRAM_STYLE = 0x00000040;

    /**

			return
		}
		writeSuccessResponseJSON(w, resp)
		return
	}

	// 3. Compare generated key with decrypted key
	if subtle.ConstantTimeCompare(key.Plaintext, decryptedKey) != 1 {
		response.DecryptionErr = "The generated and the decrypted data key do not match"
		resp, err := json.Marshal(response)
		if err != nil {

URLs are abstract:

// plaintext-ciphertext pair and the ID of the key
// used to generate the ciphertext.
//
// The plaintext can be used for cryptographic
// operations - like encrypting some data. The
// ciphertext is the encrypted version of the
// plaintext data and can be stored on untrusted
// storage.
type DEK struct {
	KeyID      string // Name of the master key
	Version    int    // Version of the master key (MinKMS only)

     * The real session key if the regular session key is actually
     * the encrypted version used for key exchange.
     *
     * @return A <code>byte[]</code> containing the session key.
     */
    public byte[] getMasterKey() {
        return this.masterKey;
    }

    /**
     * Returns the session key.
     *
     * This is the encrypted session key included in the message,

	}
	return nil
}

// DeleteKey deletes a key at the KMS with the given key ID.
// Please note that is a dangerous operation.
// Once a key has been deleted all data that has been encrypted with it cannot be decrypted
// anymore, and therefore, is lost.
func (c *kesConn) DeleteKey(ctx context.Context, req *DeleteKeyRequest) error {
	if err := c.client.DeleteKey(ctx, req.Name); err != nil {