From: Carl Hetherington Date: Fri, 8 Jan 2016 10:54:20 +0000 (+0000) Subject: Various additions to the manual wrt encryption. X-Git-Tag: v2.6.15~10 X-Git-Url: https://git.carlh.net/gitweb/?p=dcpomatic.git;a=commitdiff_plain;h=9d82858f73679c9752e45ef632648e41d22ae864 Various additions to the manual wrt encryption. --- diff --git a/doc/manual/Makefile b/doc/manual/Makefile index ed7bf133f..8cf5e6e75 100644 --- a/doc/manual/Makefile +++ b/doc/manual/Makefile @@ -3,7 +3,8 @@ all: html pdf DIAGRAMS := file-structure.svg 3d-left-right.svg 3d-top-bottom.svg timecode.svg pipeline1.svg pipeline2.svg \ - pipeline3.svg pipeline4.svg burn-in.svg discrete.svg dcp-copy.svg dcp-refer.svg reels-by-video.svg + pipeline3.svg pipeline4.svg burn-in.svg discrete.svg dcp-copy.svg dcp-refer.svg reels-by-video.svg \ + crypt.svg SCREENSHOTS := file-new.png video-new-film.png still-new-film.png video-select-content-file.png \ still-select-content-file.png examine-thumbs.png examine-content.png timing-tab.png \ @@ -11,7 +12,8 @@ SCREENSHOTS := file-new.png video-new-film.png still-new-film.png video-select-c prefs-kdm-email.png prefs-colour-conversions.png prefs-metadata.png prefs-general.png prefs-tms.png \ prefs-advanced.png prefs-defaults.png prefs-servers.png prefs-keys.png \ making-dcp.png filters.png video-tab.png audio-tab.png subtitles-tab.png timing-tab.png \ - audio-plot.png audio-map-eg1.png audio-map-eg2.png audio-map-eg3.png kdm.png + audio-plot.png audio-map-eg1.png audio-map-eg2.png audio-map-eg3.png kdm.png \ + kdm-creator.png XML := dcpomatic.xml diff --git a/doc/manual/dcpomatic.xml b/doc/manual/dcpomatic.xml index 2a948d3a7..3a74341a1 100644 --- a/doc/manual/dcpomatic.xml +++ b/doc/manual/dcpomatic.xml 
@@ -1910,10 +1910,10 @@ those cinemas that are allowed to play the DCP. The first part is simple: ticking the Encrypted -box in the DCP tab of DCP-o-matic will encrypt -the DCP using a random key that DCP-o-matic generates. The key will -be written to the film's metadata file, which should be kept -secure. +box in the DCP tab will instruct DCP-o-matic to +encrypt the DCP that it makes using a random key that DCP-o-matic +generates. The key will be written to the film's metadata file, which +should be kept secure. @@ -1924,10 +1924,10 @@ is). -The second part is to generate KDMs for the cinemas that you wish to -allow to play your DCP. There are two approaches to this within -DCP-o-matic: using the project, or using a DKDM. These are now -described in turn. +The second part of distributions is to generate KDMs for the cinemas +that you wish to allow to play your DCP. There are two approaches to +this within DCP-o-matic: using the project, or using a DKDM. These +approaches are now described in turn.
@@ -1957,11 +1957,11 @@ available by the projector manufacturers as text files with a -DCP-o-matic can store these certificates to make life easier. It -stores details of cinemas and screens within those cinemas. Each -screen has a certificate for its projector (and optionally -certificates for other trusted devices, such as the sound processor). -DCP-o-matic can generate KDMs for any screens that it knows about. +DCP-o-matic can store these certificates along with details of their +cinemas and screens within those cinemas. Each screen has a +certificate for its projector (and optionally certificates for other +trusted devices, such as the sound processor). DCP-o-matic can +generate KDMs for any screens that it knows about. @@ -2035,7 +2035,7 @@ It can be inconvenient to need a whole DCP-o-matic project just to create KDMs for its film. Perhaps you want to archive the project to save space, or create KDMs on a different machine. In such situations it is easier to use a DKDM. This is a normal KDM, but instead of -begin targeted at a projection system (to allow it to decrypt the +being targeted at a projection system (to allow it to decrypt the content) it is targeted at a particular users's certificate. This means that the certificate owner can create new KDMs for other users. The DKDM holds everything that is required to create further KDMs. @@ -2059,10 +2059,59 @@ KDMs for anybody that requires them at short notice. To create a DKDM for DCP-o-matic, open your encrypted project and select Make DKDM for DCP-o-matic... from the Jobs menu. Select the CPL that you want to make -the DKDM for and choose where it should be written, then click -OK. +the DKDM for and click OK. This DKDM will then +be available in the KDM creator. This is a separate program which you +can start from the same place that you start the ‘Normal’ +DCP-o-matic. Its window is shown in . +
+ The KDM creator + + + + + +
+ + +To create KDMs, select the cinema(s) and/or screens that you want KDMs +to be created for, the date range, the DCP that the KDMs are for and +the destination for the KDMs and click Create +KDMs. + + + +By default the DKDM list will list any DCPs for +which you have clicked Make DKDM for +DCP-o-maticin the main DCP-o-matic program. If you have +other DKDMs you can add them by clicking Add... and +specifying the file containing the DKDM. + + + +If another organisation wants to send you a DKDM they will ask you for +a target certificate. You can get DCP-o-matic's target certificate by +opening Preferences and clicking Export +DCP decryption certificate... in the Keys +tab. + + + +
+ +
+Encryption overview + +
+ Overview of encryption + + + + + +
+
@@ -2283,7 +2332,7 @@ be used when targeting a KDM at DCP-o-matic. If you want to import an encrypted DCP you will need to give the decryption certificate to the distributor of the DCP so that they can generate a DKDM for you. You can save this certificate to disk by -clicking Export DCP decryption certificate. As +clicking Export DCP decryption certificate.... As with the signing chain, DCP-o-matic will create a certificate chain and private key for you. You can also choose to load your own certificates and key or re-make the chain and key with new, random diff --git a/doc/manual/diagrams/crypt.svg b/doc/manual/diagrams/crypt.svg new file mode 100644 index 000000000..7be04f6b6 --- /dev/null +++ b/doc/manual/diagrams/crypt.svg 
@@ -0,0 +1,1967 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + + 1. CreateencryptedDCP + + + + + Picture + + + + Sound + + + + Subtitle + + + Encrypted DCP that no-oneelse can read. + + + + + + + + 2. Create (D)KDM + + + + + + + + + + + Encrypted key and detailsof the DCP. Key can onlybe decrypted by the private keyheld by the DKDM's recipient. + + DKDMrecipientcertificate + + + + + + + + + + + + + + + + + + + 3. Decrypt(D)KDM + 4. Make newKDM + + DKDMrecipientprivate key + + + + + + + + + + + + + + + + + + + + + + + + + + Picture + + + + Sound + + + + Subtitle + + + + Encrypt + Unencrypted data + Random key + + + + + KDMrecipient(projector)certificate + + + + + + + + + + + + + + + + + + + + + + + + + + KDMfor cinema + + + + + + + + Projectorprivate key + + + + + + + + + + + + + + + + + + + + + + + + + Play + + + + + 3. PlayDCP + + Encrypt + + Encrypt + + + Decrypt + + + Decrypt + + + Decrypt + + + + Data which mustbe kept secret + + Data which can be sent overpublic channels + + diff --git a/doc/manual/screenshots/kdm-creator.png b/doc/manual/screenshots/kdm-creator.png new file mode 100644 index 000000000..30a0d2a5e Binary files /dev/null and b/doc/manual/screenshots/kdm-creator.png differ
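Review bot: `timing-tab.png` is listed twice in `SCREENSHOTS` in doc/manual/Makefile (once in the first continuation line, `examine-content.png timing-tab.png \`, and again in the context line `audio-tab.png subtitles-tab.png timing-tab.png \` of the second hunk); it is harmless as a Make prerequisite, but since this hunk already touches the list to add `kdm-creator.png`, drop the duplicate in the same change.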
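Review bot: the @@ -1910 hunk of doc/manual/dcpomatic.xml says the random key "will be written to the film's metadata file, which should be kept secure" but gives the reader no reason or guidance; since that key is what the DCP is encrypted with, one sentence saying that anyone holding the metadata file can decrypt the DCP, and that the file should therefore not be copied alongside the DCP or left somewhere shared, would make the advice actionable.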
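Review bot: "The second part of distributions is to generate KDMs" in the @@ -1924 hunk reads awkwardly; the removed wording "The second part is to generate KDMs" was clearer, or use "The second part of distribution is to generate KDMs".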
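Review bot: the @@ -2035 hunk corrects "begin" to "being", but the following context line still reads "a particular users's certificate"; change it to "user's" while this paragraph is being edited.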
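Review bot: in the @@ -2059 hunk, "Make DKDM for DCP-o-maticin the main DCP-o-matic program" is missing a space after the menu item name (the prose runs straight on from the closing markup); add the space. The new "Encryption overview" section also consists of nothing but the figure: a short paragraph walking through the steps the diagram labels (a random key encrypts the picture, sound and subtitle data; the key is encrypted for the DKDM recipient's certificate; the recipient's private key decrypts it to make a new KDM for the projector's certificate; the projector's private key decrypts that KDM to play) would let the section stand without the image and spell out the diagram's legend about which data must be kept secret.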
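Review bot: the step labels in doc/manual/diagrams/crypt.svg use "3." twice, "3. Decrypt (D)KDM" and "3. Play DCP", with "4. Make new KDM" between them; if the two are meant as alternative branches after "2. Create (D)KDM" (a KDM issued straight to the projector versus a DKDM that is used to make further KDMs), label them as such, otherwise renumber "Play DCP" so the sequence reads in order.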