+<para>
+The clever bit in DCP encryption requires the use of public-key
+encryption. With this technique we can encrypt a block of data using
+some ‘public’ key. That data can then only be decrypted
+using a <emphasis>different</emphasis> ‘private’ key. The
+private and public keys are related mathematically, but it is
+extremely hard (or rather, virtually impossible) to derive the private
+key from the public key.
+</para>
+
+<para>
+Public-key encryption allows us to distribute the DCP's key to Alice
+securely. The manufacturer of Alice's projector generates a public
+and private key. They hide the private key deep inside the bowels of
+the projector (inside an integrated circuit) where no-one can read it.
+They then make the public key available to anyone who is interested.
+</para>
+
+<para>
+We take our DCP's symmetric key and encrypt it using the public key of
+Alice's projector. We send the result to Alice over email (using a
+format called a Key Delivery Message, or KDM). Her projector then
+decrypts our message using its private key, yielding the magic
+symmetric key which can decrypt the DCP.
+</para>
+
+<para>
+If is fine if Mallory intercepts our email to Alice, since the only
+key which can decrypt the message is the private key buried inside
+Alice's projector. The projector manufacturer is very careful that
+no-one ever finds out what this key is. Our DCP is secure: only Alice
+can play it back, since only her projector knows the key (even Alice
+does not).
+</para>
+
+</section>
+</section>
+
+<section>
+<title>Encryption using DCP-o-matic</title>
+
+<para>
+There are two steps to distributing an encrypted DCP. First, the
+DCP's data must be encrypted, and secondly KDMs must be generated for
+those cinemas that are allowed to play the DCP.
+</para>
+
+<para>
+The first part is simple: ticking the <guilabel>Encrypted</guilabel>
+box in the <guilabel>DCP</guilabel> tab of DCP-o-matic will encrypt
+the DCP using a random key that DCP-o-matic generates. The key will
+be written to the film's metadata file, so that should be kept
+secure.
+</para>
+
+<para>
+A DCP that is generated with the <guilabel>Encrypted</guilabel> box
+ticked will not play on any projector as-is (it will be marked as
+‘locked’, or whatever the projector manufacturer's term
+is).
+</para>
+
+<para>
+The second part is to generate KDMs for the cinemas that you wish to
+allow to play your DCP. This is done using the <guilabel>Make
+KDMs</guilabel> option on the <guilabel>Jobs</guilabel> menu. This
+will open the KDM dialogue box, as shown in <xref linkend="fig-kdm"/>.
+</para>
+
+<figure id="fig-kdm">
+ <title>KDM dialog</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="screenshots/kdm&scs;"/>
+ </imageobject>
+ </mediaobject>
+</figure>
+
+<para>
+In order to generate KDMs for a particular projector, you need to know
+its <emphasis>certificate</emphasis>. These are usually made
+available by the projector manufacturers as text files with a
+<code>.pem</code> extension.
+</para>
+
+<para>
+DCP-o-matic can store these certificates to make life easier. It
+stores details of cinemas and screens within those cinemas. Each
+screen has a certificate for its projector. DCP-o-matic can generate
+KDMs for any screens that it knows about.
+</para>
+
+<para>
+To add a cinema, click <guilabel>Add Cinema...</guilabel>. This opens
+a dialogue box into which you can enter the cinema's name, and
+optionally an email address. This email address can be used to
+get DCP-o-matic to deliver KDMs via email, but it is optional.
+</para>
+
+<para>
+Once you have added a cinema, select it by clicking on its name, then
+click <guilabel>Add Screen...</guilabel>. The resulting dialogue
+allows you to enter a name for the screen and load in its certificate
+from a file. The certificate should be in SHA256 PEM format.
+</para>
+
+<para>
+Once you have set up all the screens that you need KDMs for,
+DCP-o-matic can generate KDMs for the last DCP that you generated for
+the currently-loaded film. Select the cinemas and/or screens that you
+want KDMs for and fill in the start and end dates and times.
+</para>
+
+<para>
+Finally, choose what you want to do with the KDMs. They can be
+written to disk, to a location that you can specify by clicking
+<guilabel>Browse</guilabel>. Alternatively, if you choose
+<guilabel>Send by email</guilabel> the KDMs will be zipped up and
+emailed to the appropriate cinema email addresses. Click OK to
+generate the KDMs.
+</para>
+
+</section>
+