Encryption using DCP-o-matic

There are two steps to distributing an encrypted DCP. First, the DCP's data must be encrypted; second, KDMs must be generated for those cinemas that are allowed to play the DCP.

The first part is simple: ticking the Encrypted box in the DCP tab will instruct DCP-o-matic to encrypt the DCP that it makes using a random key that DCP-o-matic generates. The key will be written to the film's metadata file, which should be kept secure.

A DCP that is generated with the Encrypted box ticked will not play on any projector as-is (it will be marked as ‘locked’, or whatever the projector manufacturer's term is).

The second stage of distribution is to generate KDMs for the cinemas that you wish to allow to play your DCP. There are two approaches to this within DCP-o-matic: using the project, or using a DKDM. These approaches are now described in turn.

Creating KDMs from a DCP-o-matic project

You can create KDMs from inside a DCP-o-matic project using the Make KDMs option on the Jobs menu. This will open the KDM dialogue box, as shown in Figure 10.1, “KDM dialog”.

Figure 10.1. KDM dialog

In order to generate KDMs for a particular projector, you need to know its certificate. These are usually made available by the projector manufacturers as text files with a .pem extension.

DCP-o-matic can store these certificates along with details of their cinemas and screens within those cinemas. Each screen has a certificate for its projector (and optionally certificates for other trusted devices, such as the sound processor). DCP-o-matic can generate KDMs for any screens that it knows about.

To add a cinema, click Add Cinema.... This opens a dialogue box into which you can enter the cinema's name, and optionally an email address. This email address can be used to get DCP-o-matic to deliver KDMs via email.

Once you have added a cinema, select it by clicking on its name, then click Add Screen.... The resulting dialogue allows you to enter a name for the screen and load in its certificate from a file. The certificate should be in SHA256 PEM format.

Alternatively, certificates for projection systems made by some manufacturers can be downloaded from databases provided by the manufacturer. Currently this is supported for Doremi, Dolby, Barco, Christie and GDC equipment (though downloading Barco, Christie or GDC certificates requires you to have an appropriate account set up in DCP-o-matic's preferences). If you are targeting a screen with equipment by one of these manufacturers, click Download, enter the serial number of the server in the screen and click Download again. All being well, the certificate will be fetched. Most cinema projection or technical departments will know these serial numbers.

Note that the reliability of the manufacturers' certificate databases cannot be guaranteed. It is vital that KDMs are tested by the destination cinema well in advance of show time to identify any problems.

Once you have set up all the screens that you need KDMs for, select the CPL that you want to create the KDM for. You can use the drop-down list to select the CPLs in the current film project, or load a CPL from somewhere else. Select the cinemas and/or screens that you want KDMs for and fill in the start and end dates and times.

You must also select the type of KDM that you want to generate. If in doubt, use Modified Transitional 1.

The differences between the three KDM types are fairly subtle. DCI Specific and DCI Any add a <ContentAuthenticator> tag to the KDM which allows the exhibitor to check that the DCP and KDM have come from a bona-fide source. In addition, DCI Specific adds information on trusted devices to the KDM. This allows the KDM creator to specify devices (such as sound processors) that are allowed to use keys delivered by the KDM. At present it is not clear how widely the DCI Specific and DCI Any features are supported (or even tolerated) by servers so you are advised to use Modified Transitional 1.

Finally, choose what you want to do with the KDMs. They can be written to disk, to a location that you can specify by clicking Browse. Alternatively, if you choose Send by email the KDMs will be zipped up and emailed to the appropriate cinema email addresses. Click Make KDMs to generate the KDMs.
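A KDM written to disk can be checked before it is sent, as a complement to the cinema's own test. The following Python sketch is an added example, not part of DCP-o-matic: it reads the validity window and reports the KDM type using the differences described above. It assumes the SMPTE ST 430-1 element names and the "assume trust" thumbprint convention; the sample KDM and the name inspect_kdm are constructed for illustration.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample, trimmed to the fields inspected here (a real KDM also
# carries the encrypted keys and a signature). Names follow SMPTE ST 430-1.
SAMPLE_KDM = """<DCinemaSecurityMessage xmlns="http://www.smpte-ra.org/schemas/430-3/2006/ETM">
 <AuthenticatedPublic Id="ID_AuthenticatedPublic"><RequiredExtensions>
  <KDMRequiredExtensions xmlns="http://www.smpte-ra.org/schemas/430-1/2006/KDM">
   <ContentTitleText>EXAMPLE_FTR_ENCRYPTED</ContentTitleText>
   <ContentKeysNotValidBefore>2024-05-01T18:00:00+00:00</ContentKeysNotValidBefore>
   <ContentKeysNotValidAfter>2024-05-08T23:59:00+00:00</ContentKeysNotValidAfter>
   <AuthorizedDeviceInfo><DeviceList>
    <CertificateThumbprint>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</CertificateThumbprint>
   </DeviceList></AuthorizedDeviceInfo>
  </KDMRequiredExtensions>
 </RequiredExtensions></AuthenticatedPublic>
</DCinemaSecurityMessage>"""

# Assumption: "assume trust" thumbprint = base64(SHA-1 of empty input).
ASSUME_TRUST = base64.b64encode(hashlib.sha1(b"").digest()).decode()
WANTED = ("ContentTitleText", "ContentKeysNotValidBefore", "ContentKeysNotValidAfter")

def inspect_kdm(xml_text, show_start, show_end):
    """Summarise a KDM and check its validity window covers the screening."""
    fields, thumbs, has_auth = {}, [], False
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]   # drop the XML namespace
        text = (el.text or "").strip()
        if name == "ContentAuthenticator":
            has_auth = True
        elif name == "CertificateThumbprint":
            thumbs.append(text)
        elif name in WANTED:
            fields[name] = text
    start = datetime.fromisoformat(fields["ContentKeysNotValidBefore"])
    end = datetime.fromisoformat(fields["ContentKeysNotValidAfter"])
    specific = [t for t in thumbs if t != ASSUME_TRUST]
    # Heuristic from the text above: no <ContentAuthenticator> means
    # Modified Transitional 1; named trusted devices mean DCI Specific.
    if not has_auth:
        kind = "Modified Transitional 1"
    else:
        kind = "DCI Specific" if specific else "DCI Any"
    return {"title": fields["ContentTitleText"], "type": kind,
            "trusted_devices": specific,
            "covers_show": start <= show_start and show_end <= end}
```

Pass the screening start and end as timezone-aware datetime values; a result with covers_show set to False means the KDM would not unlock the DCP for the whole show.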

Creating KDMs using a DKDM

It can be inconvenient to need a whole DCP-o-matic project just to create KDMs for its film. Perhaps you want to archive the project to save space, or create KDMs on a different machine. In such situations it is easier to use a DKDM. This is a normal KDM, but instead of being targeted at a projection system (to allow it to decrypt the content) it is targeted at a particular user's certificate. This means that the certificate owner can create new KDMs for other users. The DKDM holds everything that is required to create further KDMs.

Sometimes it is useful to create DKDMs that can be used by DCP-o-matic. If you create such a DKDM you can keep it and then, at any point in the future, use DCP-o-matic's standalone KDM creator to make KDMs for the DKDM's film for any cinema.

In other cases a DKDM is sent to a third party so that they can create KDMs for your films. This can be useful if, for example, you have a distributor who provides 24-hour KDM support to cinemas and can create KDMs for anybody that requires them at short notice.

To create a DKDM for DCP-o-matic, open your encrypted project and select Make DKDM for DCP-o-matic... from the Jobs menu. Select the CPL that you want to make the DKDM for and click OK. This DKDM will then be available in the KDM creator. This is a separate program which you can start from the same place that you start the ‘normal’ DCP-o-matic. Its window is shown in Figure 10.2, “The KDM creator”.

Figure 10.2. The KDM creator

To create KDMs, select the cinema(s) and/or screens that you want KDMs to be created for, the date range, the DCP that the KDMs are for and the destination for the KDMs and click Create KDMs.

By default the DKDM list will list any DCPs for which you have clicked Make DKDM for DCP-o-matic in the main DCP-o-matic program. If you have other DKDMs you can add them by clicking Add... and specifying the file containing the DKDM.

If another organisation wants to send you a DKDM they will ask you for a target certificate. You can get DCP-o-matic's target certificate by opening Preferences and clicking Export DCP decryption certificate... in the Keys tab.

Creating KDMs for a distributor

Sometimes you have an encrypted DCP and you want to allow somebody else (for example, a distributor) to make KDMs for the DCP on your behalf.

The normal way to do this is to send the distributor a KDM which they can use with their own KDM creation system. Such a KDM is often called a DKDM (the ‘D’ stands for Distribution). It is the same as a normal KDM except that it is made to work with another computer, rather than with a projection system.

To make a DKDM for a distributor you will first need to ask them to send you a decryption certificate. This should be a small file, usually with the extension .pem.

Once you have the certificate, you will need to add a ‘fake’ cinema and screen to the list in DCP-o-matic. This is because making a KDM for another computer uses the same process internally as making one for a projection system; DCP-o-matic simply does not have a nice way to present that.

In either the KDM window in the main DCP-o-matic, or the KDM creator, first add a new cinema by clicking Add Cinema..., giving it a name (perhaps the name of the distributor).

Then select this new cinema and click Add Screen... to open the screen dialog box, as shown in Figure 10.3, “Adding a screen”.

Figure 10.3. Adding a screen

Here you can give any name (perhaps just ‘DKDM’). Then click Get from file... and choose the certificate file that the distributor gave you. Finally, click OK.

Now you can create a KDM for this screen, and send it to the distributor. Using that KDM the distributor can then make KDMs for your DCP for anybody (and also, of course, decrypt the DCP if they wanted to).