[Homer]

I can help a little, pardon the tech speak and my not dealing with this stuff in detail since the 90s!

For US units, keymat originates at NSA. They have executive responsibility for COMSEC in the US.

The SINCGARS (single channel ground air radio system) was becoming the default
FM radio system for US ground forces replacing the older PRC/VRC series radios and associated KY-57 COMSEC modules with a single unitized radio. The new radio was designed to operate in frequency hop/cypher text mode using time based hopsets and keymat based crypto. It was interoperable with other radios by selectively disabling either freq hop (usually), crypto(rarely), or both (single channel plain text). There was an USAF version of SINCGARs, but to my knowledge it didn’t field until the 2000s.

In the 90’s encrypted keymat was distributed by secure courier where it was uploaded into a key management system computer, decrypted, and prepared for loading into master AN/CYZ-10 (ANCDs). The master ANCD is then couriered to the user unit and used to fill the remainder of the unit’s ANCDs, which fill SINCGARs, VINSON, etc. ANCDs were down to the company and even platoon level in some units, but never went forward of the assembly area. This would likely be the system in effect during the early phases of the Twilight War for most force package one units.

Before the transition to digital key management, keymat was generated on magnetic storage media (hard disks or magnetic tape), which was couriered to theater level signal units where it was produced on punched paper tape. Once there the punched tape was fed into a KOI-18 tape reader and used to fill either ANCDs (at the end of this method) or the older KYK-13 fill device. As with the ANCDs these were them couriered and used to fill the unit’s equipment. This would still be common in many units, and could be adopted by FP1 units when their commercial spec KMS computers succumbed to combat. Unlike the ANCD KYK-13s didn’t include time, so that would have to manually loaded. KYK-13s were commonly used to fill VHF radios in army aviation units even after the ANCD came into use since the HAVE QUICK utilized a different freq hop technology than SINCGARS.

The ANCD was a common fill device that could hold both hopsets and encryption keys as well as fill a number of different devices. In addition the ANCD could be loaded with information for multiple units, challenge/password data, and SOI data.

Both the SINCGARS and HAVE QUICK systems allow for Over The Air Rekey (OTAR- loading a new crypto key) and ECCM Remote Fill (ERF- loading a new hopset). This is an alternative to manual courier, but as Paul said it’s less secure. That said, you’d have to have the MAN frequency, a compatible radio, and be in range. Maybe a surviving NSA reconstitutes at Buckley ANGB, CO and begins disseminating keymat by courier and OTAR to high priority units or operations and SOI for everybody else.

With non freq hop radios, the COMSEC process is similar using either a KYK-13 or OTAR to fill the VINSON. Units using freq hop radios must operate in single channel mode when working with non freq hop units. An example is a SINCGARS equipped US unit working with a Clansman (non FH) equipped UK unit. This was also the case when a SINCGARS equipped unit was working with dismounted forces using the PRC-126 squad/team radio which did not FH- a SINCGARs somewhere in the remainder formation had to be on SC mode to talk to the 126s or the dismounts carried a FH SINCGARs to talk FH back to the vehicles. Still better than the Motorola saber which had its own encryption and didn’t talk to anything else. All that changed when the MBITR started to appear in the late 90s, but they’d be hen’s teeth in T2K and probably confined to SMUs.

Anecdotally, most OTAR and ERF is done within small units in locations like assembly areas where the radios SHOULD be in low power. Sometimes there’s a little yelling and choice words involved, especially when dealing with loading time!