assertTrue(encrypted.length >= 52, "Encrypted message should include transform header");

        // When - Decrypt
        byte[] decrypted = context.decryptMessage(encrypted);

        // Then - Verify decryption
        assertArrayEquals(plaintext, decrypted, "Decrypted message should match original plaintext");
    }

    @Test
    @DisplayName("Should handle concurrent encryption operations safely")

        byte[] encrypted = encryptCredentials(plaintext);
        return Base64.getEncoder().encodeToString(encrypted);
    }

    /**
     * Decrypt credentials from a base64 string
     *
     * @param encryptedString base64 encoded encrypted credentials
     * @return decrypted credentials
     * @throws GeneralSecurityException if decryption fails
     */

<img src="/img/deployment/https/https04.drawio.svg">

### Decrypt the Request { #decrypt-the-request }

The TLS Termination Proxy would use the encryption agreed to **decrypt the request**, and would transmit the **plain (decrypted) HTTP request** to the process running the application (for example a process with Uvicorn running the FastAPI application).

                }

                try {
                    byte[] decrypted = KerberosEncData.decrypt(crypt, serverKey, serverKey.getKeyType());
                    this.encData = new KerberosEncData(decrypted, keysByAlgo);
                } catch (GeneralSecurityException e) {

	case strings.Contains(inputFileName, ".enc."):
		outputFileName = strings.Replace(inputFileName, ".enc.", ".", 1) + ".zip"
	default:
		outputFileName = inputFileName + ".decrypted"
	}

	// Open the input and create the output file
	input, err := os.Open(inputFileName)
	fatalErr(err)
	defer input.Close()

	// Decrypt the inspect data
	switch {

```

> You can choose an arbitrary name for the key - instead of `my-minio-key`.
> Please note that losing the `MINIO_KMS_SECRET_KEY` will cause data loss
> since you will not be able to decrypt the IAM/configuration data anymore.
For distributed MinIO deployments, specify the *same* `MINIO_KMS_SECRET_KEY` for each MinIO server process.

At any point in time you can switch from `MINIO_KMS_SECRET_KEY` to a full KMS

			return
		}
		writeSuccessResponseJSON(w, resp)
		return
	}

	// 2. Verify that we can indeed decrypt the (encrypted) key
	decryptedKey, err := GlobalKMS.Decrypt(ctx, &kms.DecryptRequest{
		Name:           key.KeyID,
		Ciphertext:     key.Ciphertext,
		AssociatedData: kmsContext,
	})
	if err != nil {
		response.DecryptionErr = err.Error()

	_, err = sio.Encrypt(outbuf, bytes.NewBuffer(input), sio.Config{Key: objectKey[:], MinVersion: sio.Version20})
	if err != nil {
		return output, metabytes, err
	}
	metabytes, err = json.Marshal(metadata)
	if err != nil {
		return
	}
	return outbuf.Bytes(), metabytes, nil
}

// decrypt bucket metadata if kms is configured.

		if rs != nil {
			off, length, err = rs.GetOffsetLength(actualSize)
			if err != nil {
				return nil, 0, 0, err
			}
			decrypt := func(b []byte) ([]byte, error) {
				return b, nil
			}
			if isEncrypted {
				decrypt = func(b []byte) ([]byte, error) {
					return oi.compressionIndexDecrypt(b, h)
				}
			}

```

This file can be decrypted using the decryption tool below:

### Installing decryption tool

To install, [Go](https://golang.org/dl/) must be installed.

Once installed, execute this to install the binary:

```bash
go install github.com/minio/minio/docs/debugging/inspect@latest
```

### Usage

To decrypt the file above:

```