import java.security.NoSuchAlgorithmException;
import java.security.Provider;

import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

import jcifs.CIFSUnsupportedCryptoException;

/**
 * Cryptographic utility class providing encryption and decryption functionality for jCIFS.

     * Parses the role set from a string.
     * @param value The string to parse.
     * @param encrypted Whether the string is encrypted.
     * @param roleSet The set of roles.
     */
    protected void parseRoleSet(final String value, final boolean encrypted, final Set<String> roleSet) {
        String rolesStr = value;
        if (encrypted && cipher != null) {
            try {
                rolesStr = cipher.decryptoText(rolesStr);

* Nginx
* HAProxy

## Let's Encrypt { #lets-encrypt }

Before Let's Encrypt, these **HTTPS certificates** were sold by trusted third parties.

The process to acquire one of these certificates used to be cumbersome, require quite some paperwork and the certificates were quite expensive.

But then **<a href="https://letsencrypt.org/" class="external-link" target="_blank">Let's Encrypt</a>** was created.

        byte[] plaintext = "Hello, SMB3 Encryption!".getBytes();
        long sessionId = 0x123456789ABCDEF0L;

        // When - Encrypt
        byte[] encrypted = context.encryptMessage(plaintext, sessionId);

        // Then - Verify encrypted message structure
        assertNotNull(encrypted, "Encrypted message should not be null");

        outInts[1] = leftt;
    }

    /// Encrypt a block of bytes.
    /**
     * Encrypts an 8-byte block using DES
     * @param clearText the 8-byte plaintext block
     * @param cipherText the output 8-byte ciphertext block
     */
    public void encrypt(final byte[] clearText, final byte[] cipherText) {
        encrypt(clearText, 0, cipherText, 0);
    }

    /// Decrypt a block of bytes.

        byte[] encrypted = desCipher.doFinal(plaintext);

        // Then
        assertNotNull(encrypted);
        assertEquals(8, encrypted.length);
        assertNotEquals(new String(plaintext), new String(encrypted));
    }

    @ParameterizedTest
    @ValueSource(strings = { "", "a", "short", "medium length text", "very long text that exceeds typical block sizes" })

        assertNotNull(cryptographer);

        String plainText = "Hello, World!";
        String encrypted = cryptographer.encrypt(plainText);
        assertNotNull(encrypted);
        assertFalse(plainText.equals(encrypted));

        String decrypted = cryptographer.decrypt(encrypted);
        assertEquals(plainText, decrypted);
    }

    public void test_invertibleCryptography_withEmptyString() {

## FAQ

> Why is this change needed?

Before, there were two separate mechanisms - S3 objects got encrypted using a KMS,
if present, and the IAM / configuration data got encrypted with the root credentials.
Now, MinIO encrypts IAM / configuration and S3 objects with a KMS, if present. This

    /**
     * Gets the flags field which contains flags in SMB 3.1.1 or encryption algorithm ID in SMB 3.0/3.0.2
     *
     * @return the flags (SMB 3.1.1) or encryption algorithm (SMB 3.0/3.0.2)
     */
    public int getFlags() {
        return this.flags;
    }

    /**
     * Sets the flags field which contains flags in SMB 3.1.1 or encryption algorithm ID in SMB 3.0/3.0.2
     *
     * @param flags

import java.util.Enumeration;
import java.util.List;
import java.util.Map;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.Mac;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.kerberos.KerberosKey;