Asking about KDM and certificates backups

mohmad0ali92
Posts: 9
Joined: Mon May 23, 2022 12:25 pm

Asking about KDM and certificates backups

Post by mohmad0ali92 »

Hi
The answer is there in the manual but I didn't get it and it's risky so better to ask

I wanna format or change my machine, so which certificates or files should I copy so I don't lose my encrypted packages?

I think there are some files that, if I copied them from one machine to another, I can generate KDM & D-KDM from that machine for the encrypted packages.
Is the DKDM what I need to back up before moving to another system?
Is there anything else I need to back up before moving?
What is their file, and how do I back it up and restore it?

THX
Carsten
Posts: 2804
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Asking about KDM and certificates backups

Post by Carsten »

The best is probably to go redundant, that is, back up multiple files.

First of all, EVERYTHING relevant to encryption is stored in your main prefs/config file. So, if you back up your config.xml file, you are basically safe. Install DCP-o-matic on another machine, restore your config.xml file to this machine, and everything is in place. However - sometimes it is better to also store individual certs and private keys, so I would do that as well. So, go to your certs tab in prefs and use the export/backup function there as well. Then ZIP the whole bunch of files, add a date and maybe some remarks (like DCP-o-matic version number) to the file name, and store it in a safe place. Sometimes I send small config files like this to myself in an email, so I have a copy in my email database. In most cases, these certs are relevant for your DCPs, but not actually security relevant (like e.g. a password for your main email account). So, in these cases, I don't mind having it lying around for years in my mail account. But that depends on you.


Exporting your certs and keys to individual files (name them properly) also helps you to understand the whole process of encryption better.


Keep in mind that every encrypted DCP has its raw encryption key stored in the project metadata.xml file. While currently DCP-o-matic itself doesn't allow accessing an encrypted DCP using that raw key directly, it may still be your last resort if you lost all conventional means to issue KDMs for it (prefs, certs, DKDMs). So, it may be a good idea to store every encrypted DCP's metadata.xml file, even if you don't archive the rest of that project.
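
The backup routine described in the reply above, as an added example that is not part of the original thread and not DCP-o-matic's own code: it zips config.xml, the exported cert and key files, and project metadata.xml files into one dated archive with a checksum manifest. The archive name, `MANIFEST.json`, the function names and all file paths are assumptions; the demo files are constructed placeholders.

```python
import hashlib
import json
import os
import zipfile
from datetime import date
from pathlib import Path


def make_backup(files, dest_dir, remark, today=None):
    """Zip `files` (archive name -> source path) into a dated archive.

    Pass in config.xml, the certificates and keys exported from the prefs
    dialog, and the metadata.xml of every encrypted project.
    """
    stamp = (today or date.today()).isoformat()
    archive = Path(dest_dir) / f"dcpomatic-backup-{stamp}-{remark}.zip"
    manifest = {}
    # The archive holds private keys and raw content keys: create it
    # owner-only, and refuse to overwrite an earlier backup (O_EXCL).
    fd = os.open(archive, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as raw, zipfile.ZipFile(raw, "w", zipfile.ZIP_DEFLATED) as zf:
        for arcname, src in sorted(files.items()):
            data = Path(src).read_bytes()
            manifest[arcname] = hashlib.sha256(data).hexdigest()
            zf.writestr(arcname, data)
        zf.writestr("MANIFEST.json", json.dumps(manifest, indent=2))
    return archive


def verify_backup(archive):
    """Return entries that are missing or no longer match the manifest."""
    with zipfile.ZipFile(archive) as zf:
        manifest = json.loads(zf.read("MANIFEST.json"))
        names = set(zf.namelist())
        return [n for n, digest in manifest.items()
                if n not in names or hashlib.sha256(zf.read(n)).hexdigest() != digest]


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-ins for the real files; point these at your own.
        sources = {}
        for name in ("config.xml", "certs/signer-chain.pem", "projects/film-a/metadata.xml"):
            path = Path(tmp) / name.replace("/", "_")
            path.write_text(f"<!-- placeholder for {name} -->")
            sources[name] = path
        out = make_backup(sources, tmp, "dom-vX.Y")  # remark: version placeholder
        print(out.name, "bad entries:", verify_backup(out))
```

Run `verify_backup` again after copying the archive to its storage location, and test a restore of config.xml on the new machine before formatting the old one.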