Home Knowledge DCP Basics
DCP Basics

What Is a KDM? DCP Encryption Explained

How DCP encryption works, when you need it, and why most independent films are better off without it.

Video coming soon

Subscribe to The Post Factory on YouTube

What Is an Encrypted DCP?

A DCP does not have to be encrypted — but it can be. An unencrypted DCP will play on any compatible cinema server with no additional setup. An encrypted DCP encodes the picture and sound data so that only specifically authorised cinema systems can read it. The decryption key is called a KDM — Key Delivery Message.

How a KDM Works

A KDM enables one specific version of a film to play on one specific playback device for a defined time window. It carries three things: the encrypted content keys needed to decrypt the DCP, a composition identifier tying the KDM to that specific DCP only, and a validity window — a "not valid before" and "not valid after" date and time. The validity window is absolute. Past the expiry, the server refuses to play the film. And each KDM is tied to the certificate of one specific server — a KDM for Screen 3 at one venue will not work in Screen 4 of the same building.

What Is a DKDM?

A DKDM — Distribution Key Delivery Message — is not a key for a cinema server. It is issued to an authoring system in a post-production facility, giving it the authority to decrypt an encrypted DCP and generate further KDMs from it. Think of it not as a master key but as the authority to make keys — within a controlled, authorised post-production environment only. Without a DKDM, an encrypted DCP cannot be touched by anyone for any purpose, including reverse engineering.

Why Most Independent Films Should Not Encrypt

For a major studio release, encryption is non-negotiable. For an independent film on a festival circuit, the calculation is very different. To issue a KDM, you need the server certificate for that specific projector. Every time a venue changes their server, the certificate changes. Every time your film moves to a different screen, you may need a new KDM. Every time a key expires with a late addition to the programme, someone has to reissue it urgently at whatever time the problem is discovered.

Festival technical directors will tell you that KDM logistics — lost emails, wrong server certificates, expired windows — are among the most common causes of screening failures at festivals. Every one traces back to an encrypted DCP.

When Encryption Is the Right Answer

Encryption is justified for embargoed premieres — if you have signed NDAs with a broadcaster or streamer, if your film cannot be seen publicly before a specific date and time, a time-locked KDM acts as a strict digital embargo that cannot be bypassed regardless of what any human operator does. It is also appropriate for high-value content where commercial stakes justify the management overhead.

For most independent films: do not encrypt. An unencrypted DCP is simpler, more robust, and significantly less likely to fail at the worst possible moment.

Need an encrypted DCP with KDMs?

We manage the full encryption and KDM workflow. Tell us your requirements.

Get a Quote →
Related Articles
What Is a DCP? Reverse Engineering What Can Go Wrong
Get a Quote

1–3 day turnaround. Human checks on every job.

Get a Quote →
Contact Us

020 7183 1600

info@postfactory.co.uk

© 2026 The Post Factory. All rights reserved.

Facility Code: PFU  ·  London, UK