if err != nil {
					errs[idx] = err
					return
				}

				// do not try to verify encrypted content/
				hr, err = hash.NewReader(ctx, encrd, -1, "", "", -1)
				if err != nil {
					errs[idx] = err
					return
				}

				reader, err = reader.WithEncryption(hr, &objectEncryptionKey)

kQyKGUTpDbKLuyYMFsoH73YLjBqNe+UEhPwE+FWpcky1Sp9RTx/oMLpiZaPR
-----END CERTIFICATE-----`,
		shouldFail: true,
	},
	{
		password: "foobar",
		privateKey: `-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,CC483BF11678C35F9F02A1AD85DAE285

nMDFd+Qxk1f+S7LwMitmMofNXYNbCY4L1QEqPOOx5wnjNF1wSxmEkL7+h8W4Y/vb
AQt/7TCcUSuSqEMl45nUIcCbhBos5wz+ShvFiez3qKwmR5HSURvqyN6PIJeAbU+h

### SSE-C Encryption

MinIO does not support SSE-C encrypted objects on replicated buckets, any application uploading SSE-C encrypted objects will be rejected with an error on replicated buckets.

#### Rationale

	exit 1
fi

got_checksum=$(./mc cat myminio/versioned/dsync/drwmutex.go | md5sum)
if [ "${expected_checksum}" != "${got_checksum}" ]; then
	echo "BUG: decommission failed on encrypted objects: expected ${expected_checksum} got ${got_checksum}"
	exit 1
fi

./mc ls -r myminio/versioned >decommissioned_ns.txt
./mc ls -r --versions myminio/versioned >decommissioned_ns_versions.txt

     */
    public static final int NTLMSSP_NEGOTIATE_SIGN = 0x00000010;

    /**
     * Specifies that communication across the authenticated channel
     * should be encrypted (message confidentiality).
     */
    public static final int NTLMSSP_NEGOTIATE_SEAL = 0x00000020;

    /**
     * Indicates datagram authentication.
     */

		{ObjectOpts{Name: "c1test", SSEC: true}, cfgs[0], true},                                                                      // 9. replication of SSE-C encrypted object

		//  using config 2 - no filters, only replication of object, metadata enabled

            if ( isExternalAuth(pwAuth) ) {
                this.passwordLength = 1;
            }
            else if ( this.server.encryptedPasswords ) {
                // encrypted
                try {
                    this.password = pwAuth.getAnsiHash(this.ctx, this.server.encryptionKey);
                }
                catch ( GeneralSecurityException e ) {

                        ( session.auth.hashesExternal ||
                        session.auth.password.length() > 0 )) {

            if( session.transport.server.encryptedPasswords ) {
                // encrypted
                password = session.auth.getAnsiHash( session.transport.server.encryptionKey );
                passwordLength = password.length;
            } else if( DISABLE_PLAIN_TEXT_PASSWORDS ) {

     * The real session key if the regular session key is actually
     * the encrypted version used for key exchange.
     *
     * @return A <code>byte[]</code> containing the session key.
     */
    public byte[] getMasterKey () {
        return this.masterKey;
    }


    /**
     * Returns the session key.
     * 
     * This is the encrypted session key included in the message,

	}

	actualSize := data.ActualSize()
	if actualSize < 0 {
		_, encrypted := crypto.IsEncrypted(fi.Metadata)
		compressed := fi.IsCompressed()
		switch {
		case compressed:
			// ... nothing changes for compressed stream.
			// if actualSize is -1 we have no known way to
			// determine what is the actualSize.
		case encrypted:
			decSize, err := sio.DecryptedSize(uint64(n))
			if err == nil {