So, the client sends an **HTTPS request**. This is just an HTTP request through an encrypted TLS connection.

<img src="/img/deployment/https/https04.drawio.svg">

### Decrypt the Request { #decrypt-the-request }

        }
    }

    /**
     * Decrypts Kerberos encrypted data using the specified key.
     *
     * @param data the encrypted data to decrypt
     * @param key the decryption key
     * @param type the encryption type
     * @return the decrypted data
     * @throws GeneralSecurityException if decryption fails
     */
    public static byte[] decrypt(byte[] data, Key key, int type) throws GeneralSecurityException {

     * @return decrypted credentials
     * @throws GeneralSecurityException if decryption fails
     */
    public char[] decryptFromString(String encryptedString) throws GeneralSecurityException {
        if (encryptedString == null) {
            return null;
        }
        byte[] encrypted = Base64.getDecoder().decode(encryptedString);
        return decryptCredentials(encrypted);
    }

func (ssekms) IsEncrypted(metadata map[string]string) bool {
	if _, ok := metadata[MetaSealedKeyKMS]; ok {
		return true
	}
	return false
}

// UnsealObjectKey extracts and decrypts the sealed object key
// from the metadata using KMS and returns the decrypted object
// key.
func (s3 ssekms) UnsealObjectKey(k *kms.KMS, metadata map[string]string, bucket, object string) (key ObjectKey, err error) {
	if k == nil {

	)

	ErrInvalidConfigDecryptionKey = newErrFn(
		"Incorrect encryption key to decrypt internal data",
		"Please set the correct default KMS key value or the correct root credentials for older MinIO versions.",
		`Revert MINIO_KMS_KES_KEY_NAME or MINIO_ROOT_USER/MINIO_ROOT_PASSWORD (for older MinIO versions) to be able to decrypt the internal data again.`,
	)

	ErrInvalidCredentials = newErrFn(
		"Invalid credentials",

        }

        final boolean encrypted = (this.ntlmsspFlags & NtlmFlags.NTLMSSP_NEGOTIATE_KEY_EXCH) != 0;
        if (encrypted) {
            try {
                trunc = this.sealServerHandle.doFinal(trunc);
                if (log.isDebugEnabled()) {
                    log.debug("Decrypted " + Hexdump.toHexString(trunc));
                }

	// Successful response.
	w.WriteHeader(http.StatusOK)
}

// Update the passed zip object metadata with the zip contents info, file name, modtime, size, etc.
// The returned zip index will de decrypted.
func updateObjectMetadataWithZipInfo(ctx context.Context, objectAPI ObjectLayer, bucket, object string, opts ObjectOptions) ([]byte, error) {
	files, srcInfo, err := getFilesListFromZIPObject(ctx, objectAPI, bucket, object, opts)

	k.updateMetrics(err, time.Since(start))

	return dek, err
}

// Decrypt decrypts a ciphertext using the master key req.Name.
// It returns ErrKeyNotFound if the key does not exist.
func (k *KMS) Decrypt(ctx context.Context, req *DecryptRequest) ([]byte, error) {
	start := time.Now()
	plaintext, err := k.conn.Decrypt(ctx, req)
	k.updateMetrics(err, time.Since(start))

	return plaintext, err
}

//   - The object is a SSE-KMS or SSE-C encrypted single-
//     part object. In this case, Format returns the last
//     16 bytes of the encrypted ETag which will be a random
//     value.
//   - The object is a SSE-S3 encrypted single-part object.
//     In this case, the caller has to decrypt the ETag first
//     before calling Format.
//     S3 clients expect that the ETag of an SSE-S3 encrypted

}

// Returns the compressed offset which should be skipped.
// If encrypted offsets are adjusted for encrypted block headers/trailers.
// Since de-compression is after decryption encryption overhead is only added to compressedOffset.
func getCompressedOffsets(oi ObjectInfo, offset int64, decrypt func([]byte) ([]byte, error)) (compressedOffset int64, partSkip int64, firstPart int, decryptSkip int64, seqNum uint32) {