writeErrorResponse(r.Context(), w, apiErr, r.URL)
		}
		return
	}

	// Verify if KMS is reachable if its configured
	if GlobalKMS != nil {
		ctx, cancel := context.WithTimeout(r.Context(), time.Minute)
		defer cancel()

		if _, err := GlobalKMS.GenerateKey(ctx, &kms.GenerateKeyRequest{AssociatedData: kms.Context{"healthcheck": ""}}); err != nil {
			switch r.Method {
			case http.MethodHead:

# KMS IAM/Config Encryption

MinIO supports encrypting config, IAM assets with KMS provided keys. If the KMS is not enabled, MinIO will store the config, IAM data as plain text erasure coded in its backend.

## MinIO KMS Quick Start

MinIO supports two ways of encrypting IAM and configuration data.
You can either use KES - together with an external KMS - or, much simpler,

    "ZoEoZdLlzVbOlT9rbhD7ZN7TLyiYXSAlB79uGEge",
    "ERRO:",
    "(?Rm)^.*(#|//)\\s*spellchecker:disable-line$", # ignore line
]

[default.extend-words]
"encrypter" = "encrypter"
"kms" = "kms"
"requestor" = "requestor"

[default.extend-identifiers]
"HashiCorp" = "HashiCorp"

[type.go.extend-identifiers]
"bui" = "bui"
"dm2nd" = "dm2nd"
"ot" = "ot"
"ParseND" = "ParseND"

false, ModTime: UTCNow(), Size: 3430, Mode: 0x0, Metadata: map[string]string{"X-Minio-Internal-Server-Side-Encryption-Iv": "jIJPsrkkVYYMvc7edBrNl+7zcM7+ZwXqMb/YAjBO/ck=", "X-Minio-Internal-Server-Side-Encryption-S3-Kms-Key-Id": "my-minio-key", "X-Minio-Internal-Server-Side-Encryption-S3-Kms-Sealed-Key": "IAAfAP2p7ZLv3UpLwBnsKkF2mtWba0qoY42tymK0szRgGvAxBNcXyHXYooe9dQpeeEJWgKUa/8R61oCy1mFwIg==", "X-Minio-Internal-Server-Side-Encryption-S3-Sealed-Key": "IAAfAPFYRDkHVirJBJxBixNj3PLWt78dFuUTyTLIdLG820J7...

[{"Bucket":"buck1","Name":"go_113/src/cmd/go/testdata/script/mod_init_dep.txt","UserDef":{"X-Minio-Internal-Server-Side-Encryption-Iv":"7oyUrB+n4Xb57xJsT/c+d3vF5fW5pWtPEyxNC/oTP80=","X-Minio-Internal-Server-Side-Encryption-S3-Kms-Key-Id":"my-minio-key","X-Minio-Internal-Server-Side-Encryption-S3-Kms-Sealed-Key":"IAAfAJjZ2dY7iCAom9rP/UK/5mmg/gpSloOs8Xjy5gYKtTDfL==","X-Minio-Internal-Server-Side-Encryption-S3-Sealed-Key":"IAAfAN+0R4CsC3ibYvamkvm9KIg+hidIQ==","X-Minio-Internal-Server-Side-Encryption-Seal-Algori...

	"github.com/minio/minio/internal/kms"
	"github.com/minio/pkg/v3/env"
	"github.com/minio/pkg/v3/workers"
)

// keyrotate:
//   apiVersion: v1
//   bucket: BUCKET
//   prefix: PREFIX
//   encryption:
//     type: sse-s3 # valid values are sse-s3 and sse-kms
//     key: <new-kms-key> # valid only for sse-kms
//     context: <new-kms-key-context> # valid only for sse-kms
// # optional flags based filtering criteria

	}

	KMS, err := kms.Connect(GlobalContext, &kms.ConnectionOptions{
		CADir: globalCertsCADir.Get(),
	})
	if err != nil {
		logger.Fatal(err, "Failed to connect to KMS")
	}

	if _, err = KMS.GenerateKey(GlobalContext, &kms.GenerateKeyRequest{}); errors.Is(err, kms.ErrKeyNotFound) {
		err = KMS.CreateKey(GlobalContext, &kms.CreateKeyRequest{Name: KMS.DefaultKey})
	}

	errKMSNotConfigured               = errors.New("KMS not configured for a server side encrypted objects")
	errKMSKeyNotFound                 = errors.New("Unknown KMS key ID")
	errKMSDefaultKeyAlreadyConfigured = errors.New("A default encryption already exists on KMS")
	// Additional MinIO errors for SSE-C requests.

	"github.com/minio/minio/internal/crypto"
	"github.com/minio/minio/internal/hash"
	xhttp "github.com/minio/minio/internal/http"
	"github.com/minio/minio/internal/kms"
)

type fanOutOptions struct {
	Kind     crypto.Type
	KeyID    string
	Key      []byte
	KmsCtx   kms.Context
	Checksum *hash.Checksum
	MD5Hex   string
}

// fanOutPutObject takes an input source reader and fans out multiple PUT operations

		return
	}

	// Return error if KMS is not initialized
	if GlobalKMS == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrKMSNotConfigured), r.URL)
		return
	}
	kmsKey := encConfig.KeyID()
	if kmsKey != "" {
		kmsContext := kms.Context{"MinIO admin API": "ServerInfoHandler"} // Context for a test key operation
		_, err := GlobalKMS.GenerateKey(ctx, &kms.GenerateKeyRequest{Name: kmsKey, AssociatedData: kmsContext})