nameBuilder.append('/');
                    }
                }
                this.serverPrincipalName = nameBuilder.toString();
                break;
            case 3:// Encrypted part
                ASN1Sequence encSequence = ASN1Util.as(ASN1Sequence.class, tagged);
                ASN1Integer encType = ASN1Util.as(ASN1Integer.class, ASN1Util.as(ASN1TaggedObject.class, encSequence, 0));

          "x-amz-restore": "ongoing-request=false, expiry-date=Sat, 27 Feb 2021 00:00:00 GMT",
...
```

### Encrypted/Object locked objects

func (b *BucketMetadata) migrateTargetConfig(ctx context.Context, objectAPI ObjectLayer) error {
	var err error
	// early return if no targets or already encrypted
	if len(b.BucketTargetsConfigJSON) == 0 || GlobalKMS == nil || len(b.BucketTargetsConfigMetaJSON) != 0 {
		return nil
	}

	// Use the maximum parity (N/2), used when saving server configuration files
	MaxParity bool

	// Provides a per object encryption function, allowing metadata encryption.
	EncryptFn objectMetaEncryptFn

	// SkipDecommissioned set to 'true' if the call requires skipping the pool being decommissioned.
	// mainly set for certain WRITE operations.
	SkipDecommissioned bool

        // This is a simplified test and does not use real encrypted data from Kerberos
        // It mainly tests the decryption logic path
        Key key = new KerberosKey(null, new byte[16], KerberosConstants.RC4_ENC_TYPE, 0);
        byte[] data = new byte[32]; // Dummy data
        // The test will likely fail with "Checksum failed" as the data is not properly encrypted
        // but it proves the decryption path is taken.

			if _, ok := object.UserMetadata["X-Amz-Server-Side-Encryption-Customer-Algorithm"]; ok {
				log.Println("SKIPPED: Objects encrypted with SSE-C do not have md5sum as ETag:", objFullPath(object))
				continue
			}
			if v, ok := object.UserMetadata["X-Amz-Server-Side-Encryption"]; ok && v == "aws:kms" {
				log.Println("SKIPPED: encrypted with SSE-KMS do not have md5sum as ETag:", objFullPath(object))
				continue
			}
			parts := 1

test-decom: install-race
	@echo "Running minio decom tests"
	@env bash $(PWD)/docs/distributed/decom.sh
	@env bash $(PWD)/docs/distributed/decom-encrypted.sh
	@env bash $(PWD)/docs/distributed/decom-encrypted-sse-s3.sh
	@env bash $(PWD)/docs/distributed/decom-compressed-sse-s3.sh
	@env bash $(PWD)/docs/distributed/decom-encrypted-kes.sh

test-versioning: install-race
	@echo "Running minio versioning tests"

	exit_1
fi

echo "Set default encryption on "

# test if checksum header is replicated for encrypted objects
# Enable SSE KMS for test-bucket bucket
./mc encrypt set sse-kms minio-default-key minio1/test-bucket --insecure

# Load objects to source site with checksum header
echo "Loading objects to source MinIO instance"

        ByteBuffer buffer = ByteBuffer.allocate(34);
        buffer.order(ByteOrder.LITTLE_ENDIAN);
        buffer.putShort((short) 0); // dialectIndex
        buffer.put((byte) 0x0F); // securityMode (user, encrypted, sigs enabled, sigs required)
        buffer.putShort((short) 50); // maxMpxCount
        buffer.putShort((short) 10); // maxNumberVcs
        buffer.putInt(8192); // maxBufferSize
        buffer.putInt(65536); // maxRawSize

s3.meta.client.upload_file('/etc/hosts',
                           'testbucket',
                           'hosts',
                           ExtraArgs={'ServerSideEncryption': 'AES256'})

# Download encrypted object using temporary credentials