1 files changed, 12 insertions, 2 deletions

diff --git a/weed/s3api/s3_sse_s3.go b/weed/s3api/s3_sse_s3.go
index bc648205e..22292bb9b 100644
--- a/weed/s3api/s3_sse_s3.go
+++ b/weed/s3api/s3_sse_s3.go
@@ -109,8 +109,17 @@ func CreateSSES3DecryptedReader(reader io.Reader, key *SSES3Key, iv []byte) (io.
 
 	// Create CTR mode cipher with the provided IV
 	stream := cipher.NewCTR(block, iv)
+	decryptReader := &cipher.StreamReader{S: stream, R: reader}
 
-	return &cipher.StreamReader{S: stream, R: reader}, nil
+	// Wrap with closer if the underlying reader implements io.Closer
+	if closer, ok := reader.(io.Closer); ok {
+		return &decryptReaderCloser{
+			Reader:           decryptReader,
+			underlyingCloser: closer,
+		}, nil
+	}
+
+	return decryptReader, nil
 }
 
 // GetSSES3Headers returns the headers for SSE-S3 encrypted objects
@@ -531,7 +540,8 @@ func CreateSSES3EncryptedReaderWithBaseIV(reader io.Reader, key *SSES3Key, baseI
 
 	// Calculate the proper IV with offset to ensure unique IV per chunk/part
 	// This prevents the severe security vulnerability of IV reuse in CTR mode
-	iv := calculateIVWithOffset(baseIV, offset)
+	// Skip is not used here because we're encrypting from the start (not reading a range)
+	iv, _ := calculateIVWithOffset(baseIV, offset)
 
 	stream := cipher.NewCTR(block, iv)
 	encryptedReader := &cipher.StreamReader{S: stream, R: reader}