}


    /**
     * 
     * @param dialect
     * @param sessionKey
     * @param preauthIntegrity
     * @return derived decryption key
     */
    public static byte[] deriveDecryptionKey ( int dialect, byte[] sessionKey, byte[] preauthIntegrity ) {
        return derive(
            sessionKey,

//     - object_data := DAREv2_Dec(ObjectKey, enc_object_data)
//     Output: object_data
//
// ## SSE-S3
//
// SSE-S3 can use either a master key or a KMS as root-of-trust.
// The en/decryption slightly depens upon which root-of-trust is used.
//
// ### SSE-S3 and single master key
//
// The master key is used to derive unique object- and key-encryption-keys.

          // Produced ClientHello handshake message
          //
          // Raw write
          // Raw read
          // Plaintext before ENCRYPTION
          // Plaintext after DECRYPTION
          val message = record.message
          val parameters = record.parameters

          if (parameters != null && !message.startsWith("Raw") && !message.startsWith("Plaintext")) {
            if (verbose) {

	return &HTTPRangeSpec{Start: start, End: end}
}

// Returns the compressed offset which should be skipped.
// If encrypted offsets are adjusted for encrypted block headers/trailers.
// Since de-compression is after decryption encryption overhead is only added to compressedOffset.

//     before calling Format.
//     S3 clients expect that the ETag of an SSE-S3 encrypted
//     single-part object is equal to the object's content MD5.
//     Formatting the SSE-S3 ETag before decryption will result
//     in a random-looking ETag which an S3 client will not accept.
//
// Hence, a caller has to check:
//
//	if method == SSE-S3 {
//	   ETag, err := Decrypt(key, ETag)
//	   if err != nil {

				writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
				return
			}
		}
		// Set this for multipart only operations, we need to differentiate during
		// decryption if the file was actually multipart or not.
		encMetadata[ReservedMetadataPrefix+"Encrypted-Multipart"] = ""
	}

	// Extract metadata that needs to be saved.
	metadata, err := extractMetadataFromReq(ctx, r)

	decryptedKey, err := GlobalKMS.DecryptKey(key.KeyID, key.Ciphertext, kmsContext)
	switch {
	case err != nil:
		kmsStat.Decrypt = fmt.Sprintf("Decryption failed: %v", err)
	case subtle.ConstantTimeCompare(key.Plaintext, decryptedKey) != 1:
		kmsStat.Decrypt = "Decryption failed: decrypted key does not match generated key"
	default:
		kmsStat.Decrypt = "success"
	}
	return kmsStat
}

- kubeadm now includes the ability to specify certificate encryption and decryption keys for the upload and download certificate phases as part of the new v1beta2 kubeadm config format. ([#77012](https://github.com/kubernetes/kubernetes/pull/77012), [@rosti](https://github.com/rosti))