Could not decrypt KDM

rahmani
Posts: 86
Joined: Sat Jun 17, 2017 1:24 pm

Could not decrypt KDM

Post by rahmani »

Today I updated to version 2.11.24, but I got an error when decrypting my KDM. Here is the message I got; it is the same for all previous films!
error for 2.11.24.jpg
Carsten
Posts: 2665
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Could not decrypt KDM

Post by Carsten »

Which version did you use before?

- Carsten
rahmani
Posts: 86
Joined: Sat Jun 17, 2017 1:24 pm

Re: Could not decrypt KDM

Post by rahmani »

Thank you for your reply. I used 2.11.22; I always upgrade to the new (test) versions.
Soleyman
Carsten
Posts: 2665
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Could not decrypt KDM

Post by Carsten »

Not a good idea if you work with encrypted content. Is that Linux? I would first back up all settings/certs/cinemas into a folder '2_11_24' - then go back to 2_11_22 for a test.

It is also a good idea to create individual file backups of all your certs/keys. These will never change and can always be reimported into any (functioning) new version. Yes, the same SHOULD be true for the config, but it's better to keep them safe as individual files as well.

Maybe Carl has an idea whether it's an issue in the code or the config.

- Carsten
rahmani
Posts: 86
Joined: Sat Jun 17, 2017 1:24 pm

Re: Could not decrypt KDM

Post by rahmani »

Thanks for your description. I work with Windows 10. Is there a relation between the keys before a remake (in the older version) and after a remake in the new DOM version?
I have re-made the decryption keys once.

Soleyman
Carsten
Posts: 2665
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Could not decrypt KDM

Post by Carsten »

There should be no difference between the certificates and keys stored in the config before/after an upgrade. However, sometimes something MAY go wrong.

If you remake the keys/certificates without having a backup of the previous ones - all your encrypted KDMs become useless, and encrypted DCPs as well if you don't have the project files saved.

- Carsten
scozz76
Posts: 70
Joined: Sun May 15, 2016 10:13 am

Re: Could not decrypt KDM

Post by scozz76 »

I always back up the two files (cinemas.xml and config.xml) in the "C:\Users\<username>\AppData\Local\dcpomatic2" folder. This allows me to import them into any machine that has DCP-O-Matic installed in the default config - manually editing the xml files may be required to point the software in the right direction.

I also export all decrypting and signing keys and label them appropriately.

As extra safety I run a weekly automatic backup of my system drive.
Carsten
Posts: 2665
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Could not decrypt KDM

Post by Carsten »

It may occur that at some time, the DCP-o-matic config becomes invalid, or is rejected by a new test version, or after going back from a test to a release version. It shouldn't happen, but in the world of software, everything is possible. If that, for some reason, happens unnoticed, you may think you are working with your existing keys/certs, but in fact, you are no longer. It is probably wise, once you have started doing encrypted DCPs and KDMs and thus settled on your certs and keys, to not only back up your config and individual certs and keys, but also create an encrypted Test-DCP and KDM (and screen) for your own DCP-o-matic installation. This could be simply a chart from a still writing 'Decryption Works, cert/key set 9/10/2017'. Whenever you think there is something wrong, load this DCP and KDM into your DOM installation to see if it still works. This is the most basic test to show that everything is still all right. This is also the way to go if you want to transfer your config to a new machine and find out whether it still works.

Making an encrypted DCP and KDM for your own DOM installation is the first step to really understand how encryption works.

- Carsten
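
Added example, not part of the thread and not DCP-o-matic code: a way to notice the silent key change described in the post above by fingerprinting the key material in a backed-up config against the current one. It assumes the certificates and private keys appear in the config file as PEM text blocks; the sample configs, element names and byte strings are constructed placeholders.

```python
import base64
import hashlib
import re

# Matches any PEM block (certificate or private key) embedded in a text file.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_fingerprints(text):
    """Return {(label, sha256 hex of the decoded bytes)} for each PEM block."""
    found = set()
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))  # ignore line wrapping
        found.add((label, hashlib.sha256(der).hexdigest()))
    return found


def compare_configs(backup_text, current_text):
    """Report key material that disappeared from, or appeared in, the config."""
    old, new = pem_fingerprints(backup_text), pem_fingerprints(current_text)
    return {"missing": sorted(old - new), "unexpected": sorted(new - old)}


def _pem(label, raw, width):
    """Build a constructed PEM block; raw is placeholder bytes, not a real key."""
    b64 = base64.b64encode(raw).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (label, "\n".join(rows), label)


def _config(cert, key, width, folder):
    # Element names are placeholders; only the PEM blocks matter to the check.
    return "<Config><Folder>%s</Folder>\n%s\n%s\n</Config>" % (
        folder, _pem("CERTIFICATE", cert, width), _pem("RSA PRIVATE KEY", key, width))


# Constructed sample inputs (not real certificates or keys).
BACKUP = _config(b"cert-A" * 20, b"key-A" * 20, 64, "C:/old")
EDITED = _config(b"cert-A" * 20, b"key-A" * 20, 40, "D:/new")  # same keys, edited file
REMADE = _config(b"cert-B" * 20, b"key-B" * 20, 64, "C:/old")  # keys regenerated

if __name__ == "__main__":
    for name, text in (("edited", EDITED), ("remade", REMADE)):
        result = compare_configs(BACKUP, text)
        print(name, "OK" if not any(result.values()) else "KEY MATERIAL CHANGED")
        for kind, items in result.items():
            for label, digest in items:
                print("  %-10s %-16s %s" % (kind, label, digest[:16]))
```

Because the fingerprint is taken over the decoded key bytes, a config that was hand-edited or re-wrapped still compares as unchanged, while regenerated certs or keys show up as both missing and unexpected.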
scozz76
Posts: 70
Joined: Sun May 15, 2016 10:13 am

Re: Could not decrypt KDM

Post by scozz76 »

No problems here with the latest test version and KDMs.