byte[] out7 = new byte[8];

        // Act
        NtlmUtil.E(key14, data8, out14);
        NtlmUtil.E(key7, data8, out7);

        // Assert: first block identical to single-chunk encryption
        assertArrayEquals(Arrays.copyOfRange(out14, 0, 8), out7);
        // And second block is present and not all zeros
        assertFalse(Arrays.equals(new byte[8], Arrays.copyOfRange(out14, 8, 16)));
    }

    /**
     * The key for user roles in the request attribute.
     */
    protected static final String USER_ROLES = "userRoles";

    /**
     * The cached cipher for encryption and decryption.
     */
    protected CachedCipher cipher;

    /**
     * The separator for values in the role string.
     */
    protected String valueSeparator = "\n";

    /**

  * Add an AEAD encrypting transformer for storing secrets encrypted at rest ([#41939](https://github.com/kubernetes/kubernetes/pull/41939), [@smarterclayton](https://github.com/smarterclayton))

        if (attempts == 0) return 0.0;
        return (double) reconnectSuccesses.get() / attempts;
    }
}
```

## 12. Security Considerations

### 12.1 Handle State Encryption
```java
public class SecureHandleStorage {
    private final SecretKey encryptionKey;
    
    public void saveEncrypted(HandleInfo handle, Path file) throws Exception {

        }
    }
    
    public void validateRemoteAccess(long remoteAddress, int length, int remoteKey) {
        // Validate that remote memory access is authorized
        // This would integrate with SMB3 encryption/signing
        if (!isAuthorizedAccess(remoteAddress, length, remoteKey)) {
            throw new SecurityException("Unauthorized RDMA remote access");
        }
    }
    

        assertTrue("Result should contain password={cipher}, but was: " + result, result.contains("password={cipher}"));

        // Test with empty encryption target
        value = "password=";
        result = ParameterUtil.encrypt(value);
        assertTrue(result.contains("password={cipher}"));

        // Test with only whitespace value

        }
        if ((server.capabilities & CAP_EXTENDED_SECURITY) != CAP_EXTENDED_SECURITY && server.encryptionKeyLength != 8
                && LM_COMPATIBILITY == 0) {
            throw new SmbException("Unexpected encryption key length: " + server.encryptionKeyLength);
        }

        /* Adjust negotiated values */

        tconHostName = address.getHostName();

## Security - HTTPS { #security-https }

In the [previous chapter about HTTPS](https.md){.internal-link target=_blank} we learned about how HTTPS provides encryption for your API.

We also saw that HTTPS is normally provided by a component **external** to your application server, a **TLS Termination Proxy**.

- New Metrics Added for Encryption Configuration Controller
  
  This release adds new metrics to the Encryption Configuration Controller to help monitor the automatic reloading of encryption configuration. The new metrics include:
  
  - `apiserver_encryption_config_controller_automatic_reload_failures_total`: Total number of failed automatic reloads of encryption configuration.

  - The `--experimental-encryption-provider-config` flag is deprecated in favor of `--encryption-provider-config`. The old flag is accepted with a warning but will be removed in 1.14. ([#71206](https://github.com/kubernetes/kubernetes/pull/71206), [@stlaz](https://github.com/stlaz))