Security keys have a few conditions inherent to their use, but only one explicit rule that each studio independently sets. Inherent in the use of security keys is that they only work with one movie title on one server. In other words, to play a movie, you need the movie files loaded on a server, and a security key (KDM) intended for use with that particular movie title on that particular server. If you move the movie files to another server, then you will need a KDM intended for that movie title on the new server.

Another condition that will be inherent when fully compliant digital cinema servers are available is operation contingent on a functioning watermarker. The server's watermarker will mark the projected image of the movie such that camcordered copies can be traced to the location of theft. If the watermarker fails, then the server also fails. However, if the studio enables a flag in the security key to disable the watermarker, then a failure in the watermarker will not cause the entire server to fail.

The only rule that a studio has available in the security key is the time window for the movie's engagement. Each KDM has a 'not valid before' date and time, and a 'not valid after' date and time. Each KDM has only one such set of dates and times. The setting of the engagement time window is entirely the prerogative of the studio distributing the movie. If your security key expires, then you cannot play the movie. You then have the option of either getting a new KDM with a new enagagement window, or simply deleting the movie files to make room for the next arrival.

It is arguable that these restrictions are excessive for certain types of media distribution.