+If is fine if Mallory intercepts our email to Alice, since the only
+key which can decrypt the message is the private key buried inside
+Alice's projector. The projector manufacturer is very careful that
+no-one ever finds out what this key is. Our DCP is secure: only Alice
+can play it back, since only her projector knows the key (even Alice
+does not).
+</para>
+
+</section>
+</section>
+
+
+<!-- ============================================================== -->
+<section>
+<title>Encryption using DCP-o-matic</title>
+
+<para>
+There are two steps to distributing an encrypted DCP. First, the
+DCP's data must be encrypted, and secondly KDMs must be generated for
+those cinemas that are allowed to play the DCP.
+</para>
+
+<para>
+The first part is simple: ticking the <guilabel>Encrypted</guilabel>
+box in the <guilabel>DCP</guilabel> tab will instruct DCP-o-matic to
+encrypt the DCP that it makes using a random key that DCP-o-matic
+generates. The key will be written to the film's metadata file, which
+should be kept secure.
+</para>
+
+<para>
+A DCP that is generated with the <guilabel>Encrypted</guilabel> box
+ticked will not play on any projector as-is (it will be marked as
+‘locked’, or whatever the projector manufacturer's term
+is).
+</para>
+
+<para>
+The second part of distributions is to generate KDMs for the cinemas
+that you wish to allow to play your DCP. There are two approaches to
+this within DCP-o-matic: using the project, or using a DKDM. These
+approaches are now described in turn.
+</para>
+
+<section>
+<title>Creating KDMs from a DCP-o-matic project</title>
+
+<para>
+You can create KDMs from inside a DCP-o-matic project using the
+<guilabel>Make KDMs</guilabel> option on the <guilabel>Jobs</guilabel>
+menu. This will open the KDM dialogue box, as shown in <xref
+linkend="fig-kdm"/>.
+</para>
+
+<figure id="fig-kdm">
+ <title>KDM dialog</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata scale="35" fileref="screenshots/kdm&scs;"/>
+ </imageobject>
+ </mediaobject>
+</figure>
+
+<para>
+In order to generate KDMs for a particular projector, you need to know
+its <emphasis>certificate</emphasis>. These are usually made
+available by the projector manufacturers as text files with a
+<code>.pem</code> extension.
+</para>
+
+<para>
+DCP-o-matic can store these certificates along with details of their
+cinemas and screens within those cinemas. Each screen has a
+certificate for its projector (and optionally certificates for other
+trusted devices, such as the sound processor). DCP-o-matic can
+generate KDMs for any screens that it knows about.
+</para>
+
+<para>
+To add a cinema, click <guilabel>Add Cinema...</guilabel>. This opens
+a dialogue box into which you can enter the cinema's name, and
+optionally an email address. This email address can be used to
+get DCP-o-matic to deliver KDMs via email.
+</para>
+
+<para>
+Once you have added a cinema, select it by clicking on its name, then
+click <guilabel>Add Screen...</guilabel>. The resulting dialogue
+allows you to enter a name for the screen and load in its certificate
+from a file. The certificate should be in SHA256 PEM format.
+</para>
+
+<para>
+Alternatively, certificates for projection systems made by some
+manufacturers can be downloaded from databases provided by the
+manufacturer. Currently this is supported for Doremi and Dolby
+equipment. If you are targeting a screen with equipment by one of
+these manufacturers you can click <guilabel>Download</guilabel> then
+enter the serial number of the server in the screen and click
+<guilabel>Download</guilabel> again and, all being well, the certificate
+will be fetched.
+</para>
+
+<para>
+Using the download system you will need to know the serial number of
+the media server in use in the screen. Most cinema projection or
+technical departments will know these serial numbers.
+</para>
+
+<para>
+Note that the reliability of the manufacturers' certificate databases
+cannot be guaranteed. It is vital that KDMs are tested by the
+destination cinema will in advance of show time to identify any
+problems.
+</para>
+
+<para>
+Once you have set up all the screens that you need KDMs for, select
+the CPL that you want to create the KDM for. You can use the
+drop-down list to select the CPLs in the current film project, or load
+a CPL from somewhere else. Select the cinemas and/or screens that you
+want KDMs for and fill in the start and end dates and times.
+</para>
+
+<para>
+You must also select the type of KDM that you want to generate. If in
+doubt, use <guilabel>Modified Transitional 1</guilabel>.
+</para>
+
+<note>
+The differences between the three KDM types are fairly subtle.
+<guilabel>DCI Specific</guilabel> and <guilabel>DCI Any</guilabel> add
+a <code><ContentAuthenticator></code> tag to the KDM which
+allows the exhibitor to check that the DCP and KDM have come from a
+bona-fide source. In addition, <guilabel>DCI Specific</guilabel> adds
+information on trusted devices to the KDM. This allows the KDM
+creator to specify devices (such as sound processors) that are allowed
+to use keys delivered by the KDM. At present it is not clear how
+widely the <guilabel>DCI Specific</guilabel> and <guilabel>DCI
+Any</guilabel> features are supported (or even tolerated) by servers
+so you are advised to use <guilabel>Modified Transitional
+1</guilabel>.
+</note>
+
+<para>
+Finally, choose what you want to do with the KDMs. They can be
+written to disk, to a location that you can specify by clicking
+<guilabel>Browse</guilabel>. Alternatively, if you choose
+<guilabel>Send by email</guilabel> the KDMs will be zipped up and
+emailed to the appropriate cinema email addresses. Click
+<guilabel>Make KDMs</guilabel> to generate the KDMs.
+</para>
+
+</section>
+
+<section>
+<title>Creating KDMs using a DKDM</title>
+</section>
+
+<para>
+It can be inconvenient to need a whole DCP-o-matic project just to
+create KDMs for its film. Perhaps you want to archive the project to
+save space, or create KDMs on a different machine. In such situations
+it is easier to use a DKDM. This is a normal KDM, but instead of
+being targeted at a projection system (to allow it to decrypt the
+content) it is targeted at a particular user's certificate. This
+means that the certificate owner can create new KDMs for other users.
+The DKDM holds everything that is required to create further KDMs.
+</para>
+
+<para>
+Sometimes it is useful to create DKDMs that can be used by
+DCP-o-matic. If you create such a DKDM you can keep it and then, at
+any point in the future, use DCP-o-matic's standalone KDM creator to
+make KDMs for the DKDM's film for any cinema.
+</para>
+
+<para>
+In other cases a DKDM is sent to a 3rd party so that they can create
+KDMs for your films. This can be useful if, for example, you have a
+distributor who provides 24-hour KDM support to cinemas and can create
+KDMs for anybody that requires them at short notice.
+</para>
+
+<para>
+To create a DKDM for DCP-o-matic, open your encrypted project and
+select <guilabel>Make DKDM for DCP-o-matic...</guilabel> from the
+<guilabel>Jobs</guilabel> menu. Select the CPL that you want to make
+the DKDM for and click <guilabel>OK</guilabel>. This DKDM will then
+be available in the KDM creator. This is a separate program which you
+can start from the same place that you start the ‘normal’
+DCP-o-matic. Its window is shown in <xref linkend="fig-kdm-creator"/>.
+</para>
+
+<figure id="fig-kdm-creator">
+ <title>The KDM creator</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata scale="30" fileref="screenshots/kdm-creator&scs;"/>
+ </imageobject>
+ </mediaobject>
+</figure>
+
+<para>
+To create KDMs, select the cinema(s) and/or screens that you want KDMs
+to be created for, the date range, the DCP that the KDMs are for and
+the destination for the KDMs and click <guilabel>Create
+KDMs</guilabel>.
+</para>
+
+<para>
+By default the <guilabel>DKDM</guilabel> list will list any DCPs for
+which you have clicked <guilabel>Make DKDM for
+DCP-o-matic</guilabel>in the main DCP-o-matic program. If you have
+other DKDMs you can add them by clicking <guilabel>Add...</guilabel> and
+specifying the file containing the DKDM.
+</para>
+
+<para>
+If another organisation wants to send you a DKDM they will ask you for
+a target certificate. You can get DCP-o-matic's target certificate by
+opening <guilabel>Preferences</guilabel> and clicking <guilabel>Export
+DCP decryption certificate...</guilabel> in the <guilabel>Keys</guilabel>
+tab.
+
+</para>
+
+</section>
+
+<section>
+<title>Encryption keys</title>
+
+<para>
+ You must be careful when using encryption not to lose important keys.
+</para>
+
+<para>
+If you are making KDMs from a DCP-o-matic film you
+<emphasis>must</emphasis> ensure that you have a backup of the
+<code>metadata.xml</code> file from the project, as well as the DCP
+itself.
+</para>
+
+<para>
+If you are using a DKDM you <emphasis>must</emphasis> ensure that you
+have a backup of DCP-o-matic's <code>config.xml</code> file, since it
+contains the only key which can decrypt the DKDM. The
+<code>config.xml</code> file location depends on your operating
+system; possible locations are listed in <xref linkend="ch-config"/>
+</para>
+
+</section>
+
+<section>
+<title>Encryption overview</title>
+
+<figure id="fig-encryption-overview">
+ <title>Overview of encryption</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="diagrams/crypt&dia;"/>
+ </imageobject>
+ </mediaobject>
+</figure>
+
+</section>
+</chapter>
+
+
+
+<!-- ============================================================== -->
+<chapter xml:id="ch-preferences" xmlns="http://docbook.org/ns/docbook" version="5.0" xml:lang="en">
+<title>Preferences</title>
+
+<para>
+DCP-o-matic provides preferences which can be used to modify its
+behaviour. They are described in this chapter.
+</para>
+
+<para>
+Preferences can be edited by choosing
+<guilabel>Preferences...</guilabel> from the <guilabel>Edit</guilabel>
+menu. This opens a dialogue which is split into seven tabs.
+</para>
+
+<!-- ============================================================== -->
+<section>
+<title>General</title>
+
+<para>
+The general tab is shown in <xref linkend="fig-prefs-general"/>.
+</para>
+
+<figure id="fig-prefs-general">
+ <title>General preferences</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="screenshots/prefs-general&scs;"/>
+ </imageobject>
+ </mediaobject>
+</figure>
+
+
+<!-- ============================================================== -->
+<section>
+<title>Language</title>
+
+<para>
+If you tick the <guilabel>Set Language</guilabel> checkbox and choose
+a language from the list, that language will be used for DCP-o-matic.
+You will need to restart DCP-o-matic to see the new language.
+</para>
+
+<para>
+The translations for DCP-o-matic have been contributed by helpful
+users. If your language is not on the last, head to <ulink
+url="http://dcpomatic.com/i18n.php">the DCP-o-matic website</ulink> to
+read about how to contribute a translation.
+</para>
+</section>
+
+
+<!-- ============================================================== -->
+<section>
+<title>Number of threads DCP-o-matic should use</title>
+
+<para>
+When DCP-o-matic is encoding DCPs it can use multiple parallel threads
+to speed things up. Set this value to the number of threads
+DCP-o-matic should use. This should normally be the number of
+processors (or processor cores) in your machine. DCP-o-matic will try
+to set this up correctly when you run it for the first time.
+</para>
+
+</section>
+
+
+<!-- ============================================================== -->
+<section>
+<title>Number of threads DCP-o-matic encode server should use</title>
+
+<para>
+This is the number of threads that the encode server should use when
+it is running and helping another copy of DCP-o-matic to speed up its
+encode.
+</para>
+
+</section>
+
+
+<!-- ============================================================== -->
+<section>
+<title>Configuration file</title>
+
+<para>
+This is the location of DCP-o-matic's configuration file on disk. You
+can use this to share configuration between several copies of
+DCP-o-matic, across a network share, for instance.
+</para>
+</section>
+
+<!-- ============================================================== -->
+<section>
+<title>Cinema and screen database file</title>
+
+<para>
+This option allows you to change the file that DCP-o-matic uses to
+store details of the cinemas and screens used to make KDMs.
+</para>
+</section>
+
+
+<!-- ============================================================== -->
+<section>
+<title>Play sound via</title>
+
+<para>
+The checkbox to the left of <guilabel>Play sound</guilabel> enables or
+disables DCP-o-matic use of sound. On some machines there will be
+multiple options in the drop-down menu to decide how the sound should
+be played.
+</para>
+</section>
+
+<!-- ============================================================== -->
+<section>
+<title>Integrated loudness</title>
+
+<para>
+If <guilabel>Find integrated loudness, true peak and loudness range
+when analysing audio</guilabel> is ticked, DCP-o-matic will do extra
+work when analysing audio. Leave this ticked if the extra parameters
+are useful to you. If not, untick it and audio analysis will be
+faster.
+</para>
+
+</section>
+
+<!-- ============================================================== -->
+<section>
+<title>Automatically analyse content audio</title>
+
+<para>
+If this checkbox is ticked an audio analysis will be run whenever content is added that contains sound.
+</para>
+</section>
+
+<!-- ============================================================== -->
+<section>
+<title>Updates</title>
+
+<para>
+The <guilabel>Check for updates on startup</guilabel> option, if
+enabled, will tell DCP-o-matic to check on <ulink
+url="http://dcpomatic.com/">dcpomatic.com</ulink> to see if there any
+newer versions of DCP-o-matic then the one you are running. If so, a
+dialogue box will open with a link to download the new version.
+available
+</para>
+
+<para>
+The <guilabel>Check for testing updates as well as stable
+ones</guilabel> option will also check for test updates as well as
+those that are formally ‘released’. This is useful if you
+like to live on the bleeding edge!
+</para>
+</section>
+
+<!-- ============================================================== -->
+<section>
+<title>Issuer and creator</title>
+
+<para>
+With these controls you can set the issuer and creator strings that
+will be put into the DCPs which you create.
+</para>
+</section>
+
+</section>
+
+<!-- ============================================================== -->
+<section>
+<title>Defaults</title>
+
+<para>
+The defaults tab is shown in <xref linkend="fig-prefs-defaults"/>.
+</para>
+
+<figure id="fig-prefs-defaults">
+ <title>Defaults preferences</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="screenshots/prefs-defaults&scs;"/>
+ </imageobject>
+ </mediaobject>
+</figure>
+
+<para>
+The options in this tab simply allow you to set up default values for
+various properties of new films.