h. [...] Key tapes classified NATO SECRET must remain in the custody of NATO SECRET cleared personnel. When left unattended by all cleared personnel, keyed terminals must be locked in approproved security containers or installed in areas approved for the open storage of NATO SECRET material.

   g. Handling of Key Material: The SPENDEX-40 keying material is most vulnerable to HUMINT exploitation after it has been removed from the canister and while it is held in electrical form in KYK-13s. In order to limit access as much as possible to the keying material, the procedures outlined below will be followed:

        (1) Key tapes will be kept within their protective canister until shortly before they are to be used. Canisters may be issued to users or maintenance personnel for rekeying, but should be returned to the cryptocustodian immediately after use for secure storage. Users should not normally retain possession of key tape canisters, except in special circumstances, such as when user locations are isolated and difficult to reach. Key tape canisters contain multiple copies of the same keying material to support SPENDEX-40 rekeying during a cryptoperiod.

      (2) Key tape segments, once removed from a protective canister, will be destroyed as soon as possible after they have been used to successfully load a SPENDEX-40 or KYK-13. As an exception, when the immediate destruction cannot be witnessed, the key tape may be retained for that purpose, but in no case will destruction be delayed more than 12 hours from the time the terminal is success­fully keyed. This means that personnel using the tapes to load the SPENDEX-40 will normally destroy the tapes at the site, unless the tapes can be immediately hand-carried back to the cryptocustodian after the successful loading of the SPENDEX-40. All tape segments, used or not, must be destroyed at the end of each cryptoperiod with the exception that the last tape segment in the canister may be kept until new cryptovariable is successfully loaded at the beginning of the new cryptoperiod and then destroyed. The KYK-13 must be zeroised after loading the SPENDEX-40.

Many years ago I was a young C-5 Galaxy pilot, and the junior pilot on the crew had what we considered a privilege (That is sarcasm): retrieving the day's secrets. That meant a walk to the vault in base operations, a signature for a sealed canister of NSA punched key tape, drawing a KOI-18 from the COMSEC locker, and carrying both back out to the airplane. Once auxiliary power was on, the load would begin. You worked your way through every cryptographic device the mission required, voice, data, IFF, frequency-hopping radios, navigation, (Ahh the navigation, you had the Trippie inertial Na­vi­ga­tion waypoints entry to look forward to after secrets) connecting the fill cable, drawing the tape through the KOI-18 at that par­ti­cu­lar pace you eventually learned in your hands rather than your head, watching for the parity lamp, signing the log. Five to twelve devices on a typical airframe, depending on the mission profile.

And then sometimes maintenance dropped auxiliary power, or someone needed a panel open, and you got to do the whole thing again. Zero­ize, walk back, re-load, re-verify, re-sign. AHHHHHHH not that that ever happened. The whole ritual was built around a single immovable fact: the cryptoperiod rolled over every day, and at the Hotel Juliet hour every device in your net had to be on the new key or your traffic went nowhere. The system worked because it was boring, drilled, and standardized, the same procedure on a flight line in Charleston, a hangar in Ramstein, a ramp in Kadena. Every day. Every aircraft. Every device.