## FAQ

> Why is this change needed?

Before, there were two separate mechanisms - S3 objects got encrypted using a KMS,
if present, and the IAM / configuration data got encrypted with the root credentials.
Now, MinIO encrypts IAM / configuration and S3 objects with a KMS, if present. This
change unified the key-management aspect within MinIO.

    val param: String?,
  ) {
    enum class Type {
      Handshake,
      Plaintext,
      Encrypted,
      Setup,
      Unknown,
    }

    val type: Type
      get() =
        when {
          message == "adding as trusted certificates" -> Type.Setup
          message == "Raw read" || message == "Raw write" -> Type.Encrypted

          "x-amz-restore": "ongoing-request=false, expiry-date=Sat, 27 Feb 2021 00:00:00 GMT",
...
```

### Encrypted/Object locked objects

	"X-Minio-Internal-Server-Side-Encryption-Iv":             "X-Minio-Replication-Server-Side-Encryption-Iv",
	"X-Minio-Internal-Encrypted-Multipart":                   "X-Minio-Replication-Encrypted-Multipart",
	"X-Minio-Internal-Actual-Object-Size":                    "X-Minio-Replication-Actual-Object-Size",
	// Add more supported headers here.
}

test-decom: install-race
	@echo "Running minio decom tests"
	@env bash $(PWD)/docs/distributed/decom.sh
	@env bash $(PWD)/docs/distributed/decom-encrypted.sh
	@env bash $(PWD)/docs/distributed/decom-encrypted-sse-s3.sh
	@env bash $(PWD)/docs/distributed/decom-compressed-sse-s3.sh
	@env bash $(PWD)/docs/distributed/decom-encrypted-kes.sh

test-versioning: install-race
	@echo "Running minio versioning tests"

s3.meta.client.upload_file('/etc/hosts',
                           'testbucket',
                           'hosts',
                           ExtraArgs={'ServerSideEncryption': 'AES256'})

# Download encrypted object using temporary credentials

        printStream.accept("  init - wizard to configure encryption (interactive only)");
        printStream.accept("  encrypt - encrypts input");
        printStream.accept("  decrypt - decrypts encrypted input");
        printStream.accept("");
    }

    @Override
    protected CommonsCliEncryptOptions copy(

	}
}

func enableCompression(t *testing.T, encrypt bool, mimeTypes []string, extensions []string) {
	// Enable compression and exec...
	globalCompressConfigMu.Lock()
	globalCompressConfig.Enabled = true
	globalCompressConfig.MimeTypes = mimeTypes
	globalCompressConfig.Extensions = extensions
	globalCompressConfig.AllowEncrypted = encrypt
	globalCompressConfigMu.Unlock()
	if encrypt {
		globalAutoEncryption = encrypt

		return true
	}
	if _, ok := h[xhttp.AmzServerSideEncryptionCustomerKeyMD5]; ok {
		return true
	}
	return false
}

// IsEncrypted returns true if the metadata contains an SSE-C
// entry indicating that the object has been encrypted using
// SSE-C.
func (ssec) IsEncrypted(metadata map[string]string) bool {
	if _, ok := metadata[MetaSealedKeySSEC]; ok {
		return true
	}
	return false
}

			if _, ok := object.UserMetadata["X-Amz-Server-Side-Encryption-Customer-Algorithm"]; ok {
				log.Println("SKIPPED: Objects encrypted with SSE-C do not have md5sum as ETag:", objFullPath(object))
				continue
			}
			if v, ok := object.UserMetadata["X-Amz-Server-Side-Encryption"]; ok && v == "aws:kms" {
				log.Println("SKIPPED: encrypted with SSE-KMS do not have md5sum as ETag:", objFullPath(object))
				continue
			}
			parts := 1