try {
                    if (securityDispatcher.isLegacyEncryptedString(password)) {
                        problems.add(new DefaultSettingsProblem(
                                "Pre-Maven 4 legacy encrypted password detected for server " + server.getId()
                                        + " - configure password encryption with the help of mvnenc to be compatible with Maven 4.",
                                Severity.WARNING,

Bag Attributes
    friendlyName: test-client
    localKeyID: 54 69 6D 65 20 31 36 31 30 35 34 37 32 31 38 33 33 39 
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIV/BaQuOROI8CAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECDimqPUDaqRVBIIEyBNPeVp351IS
v8s0Jscjmh/PkXe6Zb4etlvhOMbTrLdsUiXYaPaX+pwNDo61D3LR3UTz1Yt9MaIM
hgbClVQo2WhEIywJcaloEccxZ2mkP0ZWGVvm3NqfGD5ruevRxra9fvrQcpr81Sro

```

```
mc stat myminio/bucket/test.file
Name      : test.file
...
Encrypted :
  X-Amz-Server-Side-Encryption: AES256
```

## Encrypted Private Key

MinIO supports encrypted KES client private keys. Therefore, you can use
an password-protected private keys for `MINIO_KMS_KES_KEY_FILE`.

Bag Attributes
    friendlyName: test-node
    localKeyID: 54 69 6D 65 20 31 36 31 30 35 34 37 34 31 31 36 37 37 
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIjQ0GSNxFPlcCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECEhMiHamDL3EBIIEyDhQlJjJhfPN
Tve2KwhJsADvo6POTXw0tJzTKCHek7iYLcsMK7EQhH3fLRkYDCOufBIZEgqxxCiH
l3q89eg5qd4lqne4yTW5SYLVW+L6xnE5FpacpfLCWWm4LmZlg3BynDZykG/cDHS8

    val param: String?,
  ) {
    enum class Type {
      Handshake,
      Plaintext,
      Encrypted,
      Setup,
      Unknown,
    }

    val type: Type
      get() =
        when {
          message == "adding as trusted certificates" -> Type.Setup
          message == "Raw read" || message == "Raw write" -> Type.Encrypted

	"X-Minio-Internal-Server-Side-Encryption-Iv":             "X-Minio-Replication-Server-Side-Encryption-Iv",
	"X-Minio-Internal-Encrypted-Multipart":                   "X-Minio-Replication-Encrypted-Multipart",
	"X-Minio-Internal-Actual-Object-Size":                    "X-Minio-Replication-Actual-Object-Size",
	// Add more supported headers here.
}

        deleteUserCodeFromCookie(request);
        return userCode;
    }

    /**
     * Creates an encrypted user code from a user ID.
     * The user ID is encrypted using the primary cipher and validated against the configuration.
     *
     * @param userCode the raw user ID to encrypt
     * @return the encrypted and validated user code, or null if invalid
     */
    protected String createUserCodeFromUserId(String userCode) {

        // Then encrypt
        String encrypted = ParameterUtil.encrypt(originalParams);
        assertTrue(encrypted.contains("password={cipher}"));
        assertTrue(encrypted.contains("config.timeout=30"));

        // Then create config map
        Map<ConfigName, Map<String, String>> configMap = ParameterUtil.createConfigParameterMap(encrypted);

## FAQ

> Why is this change needed?

Before, there were two separate mechanisms - S3 objects got encrypted using a KMS,
if present, and the IAM / configuration data got encrypted with the root credentials.
Now, MinIO encrypts IAM / configuration and S3 objects with a KMS, if present. This
change unified the key-management aspect within MinIO.

        // Then
        assertEquals(52, headerSize); // SMB2 Transform Header is 52 bytes
    }

    // Note: SMB2 Transform Header doesn't have a protocol ID field
    // The protocol ID is part of the encrypted SMB2 message, not the transform header

    @Test
    @DisplayName("Should set and get signature")
    void testSignature() {
        // Given
        byte[] signature = new byte[16];