public static final int NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000;

    /**
    * Indicates that 128-bit encryption is supported.
    */
    public static final int NTLMSSP_NEGOTIATE_128 = 0x20000000;

    public static final int NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000;

    /**
    * Indicates that 56-bit encryption is supported.
    */
    public static final int NTLMSSP_NEGOTIATE_56 = 0x80000000;

                                  'testbucket',
                                  'hosts',
                                  ExtraArgs={'ServerSideEncryption': 'AES256'})

# Upload with server side encryption, using temporary credentials
s3.meta.client.upload_file('/etc/hosts',
                           'testbucket',
                           'hosts',
                           ExtraArgs={'ServerSideEncryption': 'AES256'})

type RestoreRequestType string

const (
	// SelectRestoreRequest specifies select request. This is the only valid value
	SelectRestoreRequest RestoreRequestType = "SELECT"
)

// Encryption specifies encryption setting on restored bucket
type Encryption struct {
	EncryptionType sse.Algorithm `xml:"EncryptionType"`
	KMSContext     string        `xml:"KMSContext,omitempty"`
	KMSKeyID       string        `xml:"KMSKeyId,omitempty"`
}

				continue
			}
			if _, ok := object.UserMetadata["X-Amz-Server-Side-Encryption-Customer-Algorithm"]; ok {
				log.Println("SKIPPED: Objects encrypted with SSE-C do not have md5sum as ETag:", objFullPath(object))
				continue
			}
			if v, ok := object.UserMetadata["X-Amz-Server-Side-Encryption"]; ok && v == "aws:kms" {

			Description: `comma separated wildcard mime-types` + defaultHelpPostfix(MimeTypes),
			Optional:    true,
			Type:        "csv",
		},
		config.HelpKV{
			Key:         AllowEncrypted,
			Description: `enable 'encryption' along with compression`,
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         config.Comment,
			Description: config.DefaultComment,
			Optional:    true,

            context.terminal
                    .writer()
                    .println(messageBuilderFactory
                            .builder()
                            .error("Maven Encryption is not configured, run `mvnenc init` first.")
                            .build());
            return ERROR;
        }
        return doExecute(context);
    }

and destination buckets needs to have [object locking](https://min.io/docs/minio/linux/administration/object-management/object-retention.html) enabled. Similarly objects encrypted on the server side, will be replicated if destination also supports encryption.

Replication status can be seen in the metadata on the source and destination objects. On the source side, the `X-Amz-Replication-Status` changes from `PENDING` to `COMPLETED` or `FAILED` after replication attempt either succeeded or...

- Kubernetes cluster with `kubectl` configured.

- Acquire TLS certificates, either from a CA or [create self-signed certificates](https://min.io/docs/minio/kubernetes/upstream/operations/network-encryption.html).

      get() =
        when {
          message == "adding as trusted certificates" -> Type.Setup
          message == "Raw read" || message == "Raw write" -> Type.Encrypted
          message == "Plaintext before ENCRYPTION" || message == "Plaintext after DECRYPTION" -> Type.Plaintext
          message.startsWith("System property ") -> Type.Setup
          message.startsWith("Reload ") -> Type.Setup

// while reading the object from another source.
// Notice: The S3 client can send secret keys in headers for encryption related jobs,
// the handler should ensure to remove these keys before sending them to the object layer.
// Currently these keys are:
//   - X-Amz-Server-Side-Encryption-Customer-Key
//   - X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key
func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Request) {