ObjectLockLegalHoldTimestamp = "objectlock-legalhold-timestamp"

	// ReplicationSsecChecksumHeader - the encrypted checksum of the SSE-C encrypted object.
	ReplicationSsecChecksumHeader = "X-Minio-Replication-Ssec-Crc"
)

// gets replication config associated to a given bucket name.

        if (logger.isDebugEnabled()) {
            logger.debug("system.properties: {}", value);
        }
        if (StringUtil.isNotBlank(value)) {
            ParameterUtil.parse(ParameterUtil.encrypt(value)).entrySet().stream().filter(e -> {
                final String key = e.getKey();
                if (StringUtil.isBlank(key)) {
                    return false;
                }

}

// Returns the compressed offset which should be skipped.
// If encrypted offsets are adjusted for encrypted block headers/trailers.
// Since de-compression is after decryption encryption overhead is only added to compressedOffset.
func getCompressedOffsets(oi ObjectInfo, offset int64, decrypt func([]byte) ([]byte, error)) (compressedOffset int64, partSkip int64, firstPart int, decryptSkip int64, seqNum uint32) {

		if err != nil {
			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
			return
		}
	}

	// If src == dst and either
	// - the object is encrypted using SSE-C and two different SSE-C keys are present
	// - the object is encrypted using SSE-S3 and the SSE-S3 header is present
	// - the object storage class is not changing
	// then execute a key rotation.

                Constants.CIPHER_PREFIX + ComponentUtil.getPrimaryCipher().encrypt(value));
    }

    default String getLdapAdminSecurityCredentials() {
        final String value = getSystemProperty(Constants.LDAP_ADMIN_SECURITY_CREDENTIALS);
        if (StringUtil.isNotBlank(value) && value.startsWith(Constants.CIPHER_PREFIX)) {
            return ComponentUtil.getPrimaryCipher().decrypt(value.substring(Constants.CIPHER_PREFIX.length()));
        }

app.cipher.algorism=aes
# Secret key for encryption (change this value for production).
app.cipher.key=___change__me___
# Algorithm for digest calculation.
app.digest.algorism=sha256
# Regex pattern for properties to encrypt.
app.encrypt.property.pattern=.*password|.*key|.*token|.*secret

# Extension names for application customization.
app.extension.names=

# Audit log format.
app.audit.log.format=

# JVM options for the crawler process.

                KerberosKey serverKey = keysByAlgo.get(encType.getValue().intValue());
                if (keysByAlgo.isEmpty() || serverKey == null) {
                    throw new PACDecodingException("Kerberos key not found for eType " + encType.getValue());
                }

                try {
                    byte[] decrypted = KerberosEncData.decrypt(crypt, serverKey, serverKey.getKeyType());

html. if pub.E > 1<<31-1 { return false, errors.New("crypto/rsa: public exponent too large") } return fipsApproved, nil } // Encrypt performs the RSA public key operation. func Encrypt(pub *PublicKey, plaintext []byte) ([]byte, error) { fips140.RecordNonApproved() if _, err := checkPublicKey(pub); err != nil { return nil, err } return encrypt(pub, plaintext) } func encrypt(pub *PublicKey, plaintext []byte) ([]byte, error) { m, err := bigmod.NewNat().SetBytes(plaintext, pub.N) if err != nil { return...

     * @param encType Encryption type
     * @param encryptedData Encrypted data
     * @param unknownTag Optional unknown tag number to test error handling
     * @return A byte array representing the ticket
     * @throws IOException on encoding error
     */
    private byte[] createTestTicketBytes(Number version, String realm, String principalName, int encType, byte[] encryptedData,

## FAQ

> Why is this change needed?

Before, there were two separate mechanisms - S3 objects got encrypted using a KMS,
if present, and the IAM / configuration data got encrypted with the root credentials.
Now, MinIO encrypts IAM / configuration and S3 objects with a KMS, if present. This
change unified the key-management aspect within MinIO.