DCP-o-matic

Hi,

I've made a decent number of DCPs now but to date they've all been unencrpyted. Pretty soon I am going to need to make one for a distributor who (understandably) requires it to be encrypted. Given they will be the ones that will deal directly with cinemas, I'm assuming that they (or an appointed agent) will be responsible for making KDMs.

I'm assuming that it's not simply a case of ticking the 'encrypted' option when making the DCP and that I'll need something from the distributor in order to make one that they can later generate KDMs?

The distributor needs to have their own KDM distribution system (it could be their own DCP-o-matic installation/KDM creator, or any other suitable software). This system must be able to export a certificate (.pem file) which they will have to send to you. You need to import this .pem file into your DCP-o-matic installation. From then on, you are able to create (D)KDMs for THEIR system. These DKDMs then allow them to create further KDMs towards cinema screens.

Once you start creating encrypted DCPs, you have to keep a special discipline maintaining your own certs and keys. They are part of the DCP-o-matic prefs. DCP-o-matic will give you some hints when enabling encryption.

I suggest to always start with the latest stable release (2.14.x currently). For the first time you create an encrypted DCP, first go to 'Preferences'-> 'Keys'->'Advanced'->'Remake certificates and key', to recreate all keys and certs once. This is to make sure you have a clean start. Make sure your computer is on current date at least.

Then, restart DCP-o-matic and immediately backup your certs and keys, individually from within DCP-o-matic (name them in a useful way), and additionally, create a full backup of your prefs folder (this is the easiest way to backup your certs). e.g. you can right-click on your DCP-o-matic prefs/settings folder and choose 'Send to compressed (ZIP) folder' (WIN) or 'Archive' (Mac), or whatever Linux offers you. Then store away this ZIP to a (better multiple) safe place. This will allow you to recreate your config easily in the future (e.g. after a fresh DCP-o-matic installation, disc crash, etc.).
I usually rename this Backup ZIP by adding the DCP-o-matic version number to it, so I may end up with a couple of backups over time. (e.g. dcpomatic_2_14_26.zip). This could become handy if prefs don't survive and update, or you need to supply a specific prefs file to a specific installation. I am just overcautious here, but, it costs you nothing.

https://dcpomatic.com/manual/html/ch19.html


Also, for every feature you create encrypted, you should always and immediately create a DKDM for your own installation (under 'Jobs'-> 'Make DKDM for DCP-o-matic...') . That will allow you to create new (D)KDMs even if your DCP project files are lost/deleted. These DKDMs are stored within those mentioned prefs that you will hopefully backup regularly.


- Carsten

Thank you so much for such a detailed reply, Carsten!

So, do I need this certificate before I make the encrypted DCP or only at the point of making the DKDM?

You can create THEIR DKDM later at any time - but until then, you need to keep the project folder and encrypted DCP within, or, create your own local DKDM immediately. Better, both.

Wondering wether we should have an option in DCP-o-matic to automatically create a local DKDM whenever an encrypted DCP/CPL is finished?

- Carsten

Hi, I'm just new to DCP-O-Matic. What I need is to do is to produce DKDM's that someone else can use to produce KDMs. I understand the priciples. The one thing I cannot find is where and how to import the certificate from the KDP producing party. I see how to import the .dom file. But I see different ways to import the .pem file needed for the DKDP production,

Can somebody help me?

The user interface for this task is a bit clumsy. The trick is to create a cinema and a screen in the KDM dialog, then import the recipient's certificate to the screen. Then you can create KDMs for this "screen" and they will be readable by party that will make more KDMs.

Yup. Don't go to prefs and mess with the certs there - these are for YOUR DCP-o-matic certs. For using external certs, you need to go to the KDM creation dialog and create a 'screen' for their KDM system. They will need to send you their system cert (leaf cert), and you need to import it in .PEM format into the cinema/screen setup. A DKDM for KDM creation/authoring technically is the same as a KDM for screen/cinema presentation. That's why both can be created in the KDM creation dialog.

Alright, helpfull. Maybe good to add this somehow to the manuals.

Many thanks.