printStream.accept("  init - wizard to configure encryption (interactive only)");
        printStream.accept("  encrypt - encrypts input");
        printStream.accept("  decrypt - decrypts encrypted input");
        printStream.accept("");
    }

    @Override
    protected CommonsCliEncryptOptions copy(

	if err != nil {
		return nil, err
	}
	return c.client.Encrypt(context.Background(), keyID, plaintext, ctxBytes)
}

// DecryptKey decrypts the ciphertext with the key at the KES
// server referenced by the key ID. The context must match the
// context value used to generate the ciphertext.
func (c *kesConn) Decrypt(ctx context.Context, req *DecryptRequest) ([]byte, error) {

            if (plaintextBytes != null) {
                SecureKeyManager.secureWipe(plaintextBytes);
            }
        }
    }

    /**
     * Encrypt credentials to a base64 string for storage
     *
     * @param plaintext the credentials to encrypt
     * @return base64 encoded encrypted credentials
     * @throws GeneralSecurityException if encryption fails
     */

		Plaintext: must("6d6cdccb9a7498c871bde8eab2f49141"),
	},
}

func TestDecrypt(t *testing.T) {
	for i, test := range decryptTests {
		etag, err := Decrypt(test.Key, test.ETag)
		if err != nil {
			t.Fatalf("Test %d: failed to decrypt ETag: %v", i, err)
		}
		if !Equal(etag, test.Plaintext) {
			t.Fatalf("Test %d: got '%v' - want '%v'", i, etag, test.Plaintext)
		}
	}
}

	EnvKESServerCA       = "MINIO_KMS_KES_CAPATH"       // Path to file/directory containing CA certificates to verify the KES server certificate
	EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD" // Optional password to decrypt an encrypt TLS private key
)

// Environment variables for static KMS key.
const (

			return
		}
		writeSuccessResponseJSON(w, resp)
		return
	}

	// 2. Verify that we can indeed decrypt the (encrypted) key
	decryptedKey, err := GlobalKMS.Decrypt(ctx, &kms.DecryptRequest{
		Name:           key.KeyID,
		Ciphertext:     key.Ciphertext,
		AssociatedData: kmsContext,
	})
	if err != nil {
		response.DecryptionErr = err.Error()

```

> You can choose an arbitrary name for the key - instead of `my-minio-key`.
> Please note that losing the `MINIO_KMS_SECRET_KEY` will cause data loss
> since you will not be able to decrypt the IAM/configuration data anymore.
For distributed MinIO deployments, specify the *same* `MINIO_KMS_SECRET_KEY` for each MinIO server process.

At any point in time you can switch from `MINIO_KMS_SECRET_KEY` to a full KMS

                    throw new PACDecodingException("Kerberos key not found for eType " + encType.getValue());
                }

                try {
                    byte[] decrypted = KerberosEncData.decrypt(crypt, serverKey, serverKey.getKeyType());
                    this.encData = new KerberosEncData(decrypted, keysByAlgo);
                } catch (GeneralSecurityException e) {

	_, err = sio.Encrypt(outbuf, bytes.NewBuffer(input), sio.Config{Key: objectKey[:], MinVersion: sio.Version20})
	if err != nil {
		return output, metabytes, err
	}
	metabytes, err = json.Marshal(metadata)
	if err != nil {
		return output, metabytes, err
	}
	return outbuf.Bytes(), metabytes, nil
}

// decrypt bucket metadata if kms is configured.

	mac.Write([]byte("SSE-etag"))
	if _, err := sio.Encrypt(&buffer, bytes.NewReader(etag), sio.Config{Key: mac.Sum(nil)}); err != nil {
		logger.CriticalIf(context.Background(), errors.New("Unable to encrypt ETag using object key"))
	}
	return buffer.Bytes()
}

// UnsealETag unseals the etag using the provided object key.
// It does not try to decrypt the ETag if len(etag) == 16