<para>
The first part is simple: ticking the <guilabel>Encrypted</guilabel>
-box in the <guilabel>DCP</guilabel> tab of DCP-o-matic will encrypt
-the DCP using a random key that DCP-o-matic generates. The key will
-be written to the film's metadata file, which should be kept
-secure.
+box in the <guilabel>DCP</guilabel> tab will instruct DCP-o-matic to
+encrypt the DCP that it makes using a random key that DCP-o-matic
+generates. The key will be written to the film's metadata file, which
+should be kept secure.
</para>
<para>
</para>
<para>
-The second part is to generate KDMs for the cinemas that you wish to
-allow to play your DCP. There are two approaches to this within
-DCP-o-matic: using the project, or using a DKDM. These are now
-described in turn.
+The second part of distributions is to generate KDMs for the cinemas
+that you wish to allow to play your DCP. There are two approaches to
+this within DCP-o-matic: using the project, or using a DKDM. These
+approaches are now described in turn.
</para>
<section>
</para>
<para>
-DCP-o-matic can store these certificates to make life easier. It
-stores details of cinemas and screens within those cinemas. Each
-screen has a certificate for its projector (and optionally
-certificates for other trusted devices, such as the sound processor).
-DCP-o-matic can generate KDMs for any screens that it knows about.
+DCP-o-matic can store these certificates along with details of their
+cinemas and screens within those cinemas. Each screen has a
+certificate for its projector (and optionally certificates for other
+trusted devices, such as the sound processor). DCP-o-matic can
+generate KDMs for any screens that it knows about.
</para>
<para>
create KDMs for its film. Perhaps you want to archive the project to
save space, or create KDMs on a different machine. In such situations
it is easier to use a DKDM. This is a normal KDM, but instead of
-begin targeted at a projection system (to allow it to decrypt the
+being targeted at a projection system (to allow it to decrypt the
content) it is targeted at a particular users's certificate. This
means that the certificate owner can create new KDMs for other users.
The DKDM holds everything that is required to create further KDMs.
To create a DKDM for DCP-o-matic, open your encrypted project and
select <guilabel>Make DKDM for DCP-o-matic...</guilabel> from the
<guilabel>Jobs</guilabel> menu. Select the CPL that you want to make
-the DKDM for and choose where it should be written, then click
-<guilabel>OK</guilabel>.
+the DKDM for and click <guilabel>OK</guilabel>. This DKDM will then
+be available in the KDM creator. This is a separate program which you
+can start from the same place that you start the ‘Normal’
+DCP-o-matic. Its window is shown in <xref linkend="fig-kdm-creator"/>.
</para>
+<figure id="fig-kdm-creator">
+ <title>The KDM creator</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="screenshots/kdm-creator&scs;"/>
+ </imageobject>
+ </mediaobject>
+</figure>
+
+<para>
+To create KDMs, select the cinema(s) and/or screens that you want KDMs
+to be created for, the date range, the DCP that the KDMs are for and
+the destination for the KDMs and click <guilabel>Create
+KDMs</guilabel>.
+</para>
+
+<para>
+By default the <guilabel>DKDM</guilabel> list will list any DCPs for
+which you have clicked <guilabel>Make DKDM for
+DCP-o-matic</guilabel>in the main DCP-o-matic program. If you have
+other DKDMs you can add them by clicking <guilabel>Add...</guilabel> and
+specifying the file containing the DKDM.
+</para>
+
+<para>
+If another organisation wants to send you a DKDM they will ask you for
+a target certificate. You can get DCP-o-matic's target certificate by
+opening <guilabel>Preferences</guilabel> and clicking <guilabel>Export
+DCP decryption certificate...</guilabel> in the <guilabel>Keys</guilabel>
+tab.
+
+</para>
+
+</section>
+
+<section>
+<title>Encryption overview</title>
+
+<figure id="fig-encryption-overview">
+ <title>Overview of encryption</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="diagrams/crypt&dia;"/>
+ </imageobject>
+ </mediaobject>
+</figure>
+
</section>
</chapter>
If you want to import an encrypted DCP you will need to give the
decryption certificate to the distributor of the DCP so that they can
generate a DKDM for you. You can save this certificate to disk by
-clicking <guilabel>Export DCP decryption certificate</guilabel>. As
+clicking <guilabel>Export DCP decryption certificate...</guilabel>. As
with the signing chain, DCP-o-matic will create a certificate chain
and private key for you. You can also choose to load your own
certificates and key or re-make the chain and key with new, random