Tier 3 · Field Engineer · Encryption & Key Management
The keys to secure voice.
Encryption is only as good as the system that manages the keys. Trace how a key is born in the KMF, loaded into a radio, kept current over the air with OTAR — and what happens to a radio that misses a rekey. Tap any element in the key lifecycle to learn it, then rekey a fleet.
Built on public P25 encryption concepts and published agency key-management policy (AES‑256, TEK/KEK, CKR, KMF, KVL, OTAR/OTEK). Real key values, algorithms in use, and exact procedures are security-sensitive and system-specific. This teaches the model, not any real keys or steps.
The idea
Encryption scrambles the voice with a TEK (traffic key); only radios holding the same key can hear the call. Keys are generated in the KMF, loaded first by KVL (which also loads the UKEK that lets the radio accept future keys), then kept current over the air by OTAR — no need to physically touch each radio.
Tie-in: a radio that misses a rekey can't decrypt — the caller is heard as garbled noise even though the network is perfect. That's the L6 case in "Radio or Network?" — now you know the fix: a re-key.
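The lifecycle and the missed-rekey case above as a runnable model. This is an added example, not code from the original page or from any P25 system. The class and function names are assumptions, the cipher is an HMAC-SHA256 keystream standing in for AES‑256, and the rekey message is a made-up layout, not the P25 OTAR format.

```python
import hashlib, hmac, secrets

def crypt(key, nonce, data):
    # Toy stream cipher (HMAC-SHA256 in counter mode) standing in for AES-256; XOR works both ways.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(kek, tek):  # rekey message: the TEK encrypted under one radio's KEK, plus a tag
    nonce = secrets.token_bytes(12)
    body = nonce + crypt(kek + b"enc", nonce, tek)
    return body + hmac.new(kek + b"mac", body, hashlib.sha256).digest()

def unwrap(kek, blob):
    body, tag = blob[:-32], blob[-32:]
    ok = hmac.compare_digest(tag, hmac.new(kek + b"mac", body, hashlib.sha256).digest())
    return crypt(kek + b"enc", body[:12], body[12:]) if ok else None  # None: wrong KEK or altered

class Radio:  # state after the first load by KVL: a UKEK and the initial TEK
    def __init__(self, name, ukek, tek):
        self.name, self.ukek, self.tek, self.in_range = name, ukek, tek, True
    def on_rekey(self, blob):
        self.tek = unwrap(self.ukek, blob) or self.tek  # keep the old TEK if rejected
    def hear(self, nonce, frame):
        return crypt(self.tek, nonce, frame)  # a stale TEK yields garbled bytes

class KMF:
    def __init__(self):
        self.tek, self.fleet = secrets.token_bytes(32), []
    def load_by_kvl(self, name):
        self.fleet.append(Radio(name, secrets.token_bytes(32), self.tek))
        return self.fleet[-1]
    def otar_rekey(self, new_key=True):
        self.tek = secrets.token_bytes(32) if new_key else self.tek
        for r in self.fleet:
            if r.in_range:
                r.on_rekey(wrap(r.ukek, self.tek))  # the KMF keeps each radio's UKEK
        return [r.name for r in self.fleet if not r.in_range]  # radios that missed it

def demo(voice=b"Engine 5 on scene"):  # constructed sample traffic
    kmf = KMF()
    a, b = kmf.load_by_kvl("unit-1"), kmf.load_by_kvl("unit-2")
    b.in_range = False  # unit-2 is off or out of coverage during the rekey
    missed, nonce = kmf.otar_rekey(), secrets.token_bytes(12)
    frame = crypt(kmf.tek, nonce, voice)
    before = (a.hear(nonce, frame), b.hear(nonce, frame))
    b.in_range = True
    kmf.otar_rekey(new_key=False)  # the fix: deliver the current TEK to unit-2
    return missed, before, b.hear(nonce, frame)
```

`demo()` returns the list of radios that missed the rekey, what each radio heard before the fix (clear voice for unit-1, garbled bytes for unit-2), and what unit-2 hears after the re-key.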