HLS encryption - ApsaraVideo VOD - Alibaba Cloud Documentation Center

HTTP Live Streaming (HLS) encryption uses AES-128 to encrypt video content and supports all HLS-compatible players. HLS encryption must be used together with Key Management Service (KMS) and the token service. This encryption method is widely used in fields that require high security, such as online education and TV shows. This topic describes how to use HLS encryption and play HLS-encrypted videos.

Upgrade description

The HLS encryption feature of ApsaraVideo VOD was upgraded in August 2022. While you can still use the old encryption procedure, we recommend that you use the new procedure where the encryption process and logic are improved. If you want to use the old encryption procedure, see HLS encryption.

How HLS encryption works

ApsaraVideo VOD uses the envelope encryption technology to encrypt videos. You can use KMS to generate a data key (DK) and an enveloped data key (EDK). Then, you can use the DK to encrypt a video, and store the encrypted video together with the EDK. If you play a video, the player uses a decryption service to obtain the DK and decrypt the video.

If you want to verify the URL for decryption, you can enable M3U8 encryption and rewrite to protect the HLS content. By default, MtsHlsUriToken is rewritten. For more information about how to enable M3U8 encryption and rewrite and the technical principles, see M3U8 encryption and rewrite.

Encryption and decryption process

Upload and encryption

Decryption and playback

(Recommended) M3U8 encryption and rewrite enabled

M3U8 encryption and rewrite not enabled

视频安全-HLS标准加密6..png

视频安全-HLS标准加密2

Terms

Term	Description
RAM	Resource Access Management (RAM) is a service provided by Alibaba Cloud. It allows you to manage user identities and resource access permissions. For more information, see What is RAM?
KMS	Key Management Service (KMS) is an end-to-end service platform for key management, data encryption, and secrets management. KMS provides simple, reliable, secure, and standard-compliant capabilities to encrypt and protect data and manage secrets. For more information, see What is Key Management Service?
DK	A data key (DK) is a plaintext key that is used to encrypt data. For more information, see Terms.
EDK	An enveloped data key or encrypted data key (EDK) is a ciphertext data key that is generated by using envelope encryption. For more information, see Terms.

Prerequisites

ApsaraVideo VOD is activated. For more information, see Activate ApsaraVideo VOD.
ApsaraVideo VOD is authorized to access KMS. You can authorize ApsaraVideo VOD to access KMS on the Cloud Resource Access Authorization page.
An accelerated domain name is added to ApsaraVideo VOD. For more information, see Add a domain name for CDN.
The ApsaraVideo VOD SDK is integrated. For more information, see Overview. This topic uses ApsaraVideo VOD SDK for Java as an example.

Encrypt a video

Create a service key.
A service key is used as the primary encryption key in KMS. You must create a service key to generate keys for HLS encryption. If you do not create a service key, an error occurs when you call the GenerateKMSDataKey operation to generate a DK.
1. Log on to the ApsaraVideo VOD console. In the left-side navigation pane, choose Configuration Management > Media Processing > HLS Encryption.
2. In the upper-left corner of the page, select the region in which you want to create a service key.
  Note
  A service key must be created in the same region as the origin server where videos are stored. For example, if videos are stored in the China (Shanghai) region, you must create a service key in the China (Shanghai) region.
3. On the HLS Encryption page, click Create Service Key.
  After the service key is created, the system prompts The service key is created. You can view the service key in the Key Information section.
  Note
  If the service key is not displayed in the Key Information section, check whether you have attached the AliyunVODDefaultRole policy to the role. You can grant the role permissions on the Cloud Resource Access Authorization page and refresh the HLS Encryption page to view the service key.
Create a transcoding template group for HLS encryption.
The No Transcoding template group and a transcoding template group for HLS encryption are required.
The No Transcoding template group is a preset template group. You must create a transcoding template group for HLS encryption. To create a transcoding template group, perform the following steps:
1. Log on to the ApsaraVideo VOD console. In the left-side navigation pane, choose Configuration Management > Media Processing > Transcoding Template Groups.
2. On the Transcoding Template Groups page, click Create Transcoding Template Group.
  In the Basic Parameters section, set Encapsulation Format to hls. In the Advanced Parameters section, turn on Video Encryption and select Alibaba Cloud Proprietary Cryptography. Set other parameters based on your business requirements. For more information about the parameters, see Configure regular transcoding template groups.
3. After the template is created, view the ID of the transcoding template group on the Transcoding Template Groups page. The ID is required when you request HLS encryption.
Set up a key management service that encapsulates Alibaba Cloud KMS.
Call the GenerateKMSDataKey operation to generate a DK and an EDK.
You do not need to specify request parameters when you call GenerateKMSDataKey. The CiphertextBlob parameter in the response indicates the EDK and Plaintext indicates the DK. CiphertextBlob is an AES_128 key. The EDK is required when you request HLS encryption.
Use the No Transcoding transcoding template group to upload a video.
Usually, automatic transcoding is triggered for videos that are uploaded to ApsaraVideo VOD. However, HLS encryption does not support videos that are automatically transcoded. Therefore, you must use the No Transcoding template group to upload videos for which HLS encryption is required. This way, automatic transcoding is not triggered.
1. For more information about how to upload media files by using the ApsaraVideo VOD console, see Upload media files by using the ApsaraVideo VOD console. For more information about how to upload media files by using the ApsaraVideo VOD API, see Media upload.
2. Configure event notifications in ApsaraVideo VOD. When a FileUploadComplete callback is returned, the video is uploaded. For more information about how to configure event notifications, see Overview.

Start HLS encryption.

Call the SubmitTranscodeJobs operation to start HLS encryption.

Show sample code in Java

The following table describes the parameters in the sample code that you can change based on your business requirements.

Parameter	Description
`request.setTemplateGroupId("")`	The ID of the transcoding template group created in Step 2.
`request.setVideoId("")`	The ID of the video that you uploaded in Step 4.
`encryptConfig.put("CipherText","")`	The value of `CiphertextBlob` returned in Step 3.
`encryptConfig.put("DecryptKeyUri","")`	The key URI. The URI consists of the IP address of the decryption service and the value of `CiphertextBlob`. If local port 8099 is used, the key URI is: `http://172.16.0.1:8099?CipherText=The value of CiphertextBlob`

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.vod.model.v20170321.SubmitTranscodeJobsRequest;
import com.aliyuncs.vod.model.v20170321.SubmitTranscodeJobsResponse;

public class SubmitTranscodeJobs {

    // The AccessKey pair of an Alibaba Cloud account has permissions to call all API operations. We recommend that you use the AccessKey pair of a RAM user to call API operations or perform routine O&M. 
    // We recommend that you do not include your AccessKey pair (AccessKey ID and AccessKey secret) in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources within your account may be compromised. 
    // In this example, ApsaraVideo VOD reads the AccessKey pair from the environment variables to implement identity verification for API access. Before you run the sample code, configure the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET. 
    private static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
    private static String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");

    public static SubmitTranscodeJobsResponse submitTranscodeJobs(DefaultAcsClient client) throws Exception{
        SubmitTranscodeJobsRequest request = new SubmitTranscodeJobsRequest();
        request.setTemplateGroupId("");
        request.setVideoId("");
        JSONObject encryptConfig = new JSONObject();
        encryptConfig.put("CipherText","");
        encryptConfig.put("DecryptKeyUri","");
        encryptConfig.put("KeyServiceType","KMS");
        request.setEncryptConfig(encryptConfig.toJSONString());
        return client.getAcsResponse(request);
    }

    public static void main(String[] args) throws ClientException {
        String regionId = "cn-shanghai";  // Specify the region where ApsaraVideo VOD is activated.
        DefaultProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret);
        DefaultAcsClient client = new DefaultAcsClient(profile);

        SubmitTranscodeJobsResponse response;
        try {
            response = submitTranscodeJobs(client);
            System.out.println("RequestId is:"+response.getRequestId());
            System.out.println("TranscodeTaskId is:"+response.getTranscodeTaskId());
            System.out.println("TranscodeJobs is:"+ JSON.toJSON(response.getTranscodeJobs()));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

If you have configured event notifications in ApsaraVideo VOD, the video is transcoded when the StreamTranscodeComplete or TranscodeComplete callback is returned.

View the result of HLS encryption.
After the video is transcoded, use one of the following methods to check whether HLS encryption is successful.
- Method 1: Log on to the ApsaraVideo VOD console. In the left-side navigation pane, choose Media Files > Audio/Video. On the Video and Audio page, find the video and click Manage in the Actions column. On the Video URL tab, if video outputs in formats that include MP4 exist, and HLS Encryption is tagged on the M3U8 file, HLS encryption is successful.
- Method 2: Copy the URL of the M3U8 file that is tagged HLS Encryption, run the curl -v "URL of the M3U8 file" command, and then check the result. If the decryption URL that you specify when you start HLS encryption is the same as the value of DecryptKeyUri, HLS encryption is successful.
- Method 3: Call the GetTranscodeTask operation and specify the value of the JobId parameter that is returned in Step 5. If the response parameter TranscodeTemplateId is the ID of the transcoding template group created in Step 2 and the value of TranscodeJobStatus is transcoding succeeded, HLS encryption is used and the encryption is successful.

Play an HLS-encrypted video

Set up a decryption service.

Set up a local HTTP service to decrypt the video.

Call the DecryptKMSDataKey operation to decrypt the video. The DK is returned in the response. The DK is the Base64-decoded value of the PlainText parameter returned in the response to the GenerateKMSDataKey operation.

If you want to verify the URL for decryption, enable M3U8 encryption and rewrite. By default, MtsHlsUriToken is rewritten and used to verify the decrypted URL. This way, your data is protected during HLS encryption. For more information about how to enable M3U8 encryption and rewrite and the technical principles, see M3U8 encryption and rewrite. The code used to set up the decryption service varies based on whether you have enabled M3U8 encryption and rewrite. The following section describes the sample code:

(Recommended) M3U8 encryption and rewrite enabled

Show sample code in Java

The following sample code in Java is for reference only. You can develop logic for decryption and MtsHlsUriToken verification based on your business requirements. The following table describes the parameters in the sample code that you can change based on your business requirements.

Parameter	Description
`region`	The region ID. KMS and ApsaraVideo VOD must be activated in the same region. For example, if you activate KMS and ApsaraVideo VOD in the China (Shanghai) region, specify `cn-shanghai` for this parameter. For more information about the IDs of other regions, see Region IDs of ApsaraVideo VOD.
`AccessKey`	The AccessKey ID and AccessKey secret of your Alibaba Cloud account or RAM user. For more information about how to obtain the AccessKey pair, see Obtain an AccessKey pair.
`httpserver`	The port number that you want to use to activate the service.

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.ProtocolType;
import com.aliyuncs.vod.model.v20170321.DecryptKMSDataKeyRequest;
import com.aliyuncs.vod.model.v20170321.DecryptKMSDataKeyResponse;
import com.aliyuncs.profile.DefaultProfile;
import com.sun.net.httpserver.Headers;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.spi.HttpServerProvider;
import org.apache.commons.codec.binary.Base64;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class HlsDecryptServer {
    private static DefaultAcsClient client;
    static {
        // The region where KMS is used. The region must be the same as the region where the video resides.
        String region = "";
        // The AccessKey pair that is used to authorize access to KMS.
        // The AccessKey pair of an Alibaba Cloud account has permissions to call all API operations. We recommend that you use the AccessKey pair of a RAM user to call API operations or perform routine O&M. 
        // We recommend that you do not include your AccessKey pair (AccessKey ID and AccessKey secret) in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources within your account may be compromised. 
        // In this example, ApsaraVideo VOD reads the AccessKey pair from the environment variables to implement identity verification for API access. Before you run the sample code, configure the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET. 
        String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        client = new DefaultAcsClient(DefaultProfile.getProfile(region, accessKeyId, accessKeySecret));
    }
    /**
     * Note:
     * 1. Receive a decryption request and obtain the EDK and token.
     * 2. Call the decryption operation of KMS to obtain the plaintext key.
     * 3. Decode the DK by using the Base64 algorithm and return the DK.
     */
    public class HlsDecryptHandler implements HttpHandler {
        /**
         * Process the decryption request.
         * @param httpExchange
         * @throws IOException
         */
        public void handle(HttpExchange httpExchange) throws IOException {
            String requestMethod = httpExchange.getRequestMethod();
            if ("GET".equalsIgnoreCase(requestMethod)) {
                // Check whether the token is valid.
                String token = getMtsHlsUriToken(httpExchange);
                boolean validRe = validateToken(token);
                if (!validRe) {
                    return;
                }
                // Obtain the ciphertext key from the video URL.
                String ciphertext = getCiphertext(httpExchange);
                if (null == ciphertext)
                    return;
                // Decrypt the key in KMS and decode the key by using the Base64 algorithm.
                byte[] key = decrypt(ciphertext);
                // Configure the header.
                setHeader(httpExchange, key);
                // Return the key decoded by using the Base64 algorithm.
                OutputStream responseBody = httpExchange.getResponseBody();
                responseBody.write(key);
                responseBody.close();
            }
        }
        private void setHeader(HttpExchange httpExchange, byte[] key) throws IOException {
            Headers responseHeaders = httpExchange.getResponseHeaders();
            responseHeaders.set("Access-Control-Allow-Origin", "*");
            httpExchange.sendResponseHeaders(HttpURLConnection.HTTP_OK, key.length);
        }
        /**
         * Call the decryption operation of KMS to decrypt the key and decode the key by using the Base64 algorithm.
         * @param ciphertext
         * @return
         */
        private byte[] decrypt(String ciphertext) {
            DecryptKMSDataKeyRequest request = new DecryptKMSDataKeyRequest();
            request.setCipherText(ciphertext);
            request.setProtocol(ProtocolType.HTTPS);
            try {
                DecryptKMSDataKeyResponse response = client.getAcsResponse(request);
                String plaintext = response.getPlaintext();
                System.out.println("PlainText: " + plaintext);
                // Note: You must decode the DK by using the Base64 algorithm.
                return Base64.decodeBase64(plaintext);
            } catch (ClientException e) {
                e.printStackTrace();
                return null;
            }
        }
        /**
         * Check whether the token is valid.
         * @param token
         * @return
         */
        private boolean validateToken(String token) {
            if (null == token || "".equals(token)) {
                return false;
            }
            // TODO. You can customize the logic to check whether the token is valid.
            return true;
        }
        /**
         * Obtain the ciphertext key from the video URL.
         * @param httpExchange
         * @return
         */
        private String getCiphertext(HttpExchange httpExchange) {
            URI uri = httpExchange.getRequestURI();
            String queryString = uri.getQuery();
            String pattern = "CipherText=(\\w*)";
            Pattern r = Pattern.compile(pattern);
            Matcher m = r.matcher(queryString);
            if (m.find())
                return m.group(1);
            else {
                System.out.println("Not Found CipherText Param");
                return null;
            }
        }
        /**
         * Obtain the value of the token parameter.
         *
         * @param httpExchange
         * @return
         */
        private String getMtsHlsUriToken(HttpExchange httpExchange) {
            URI uri = httpExchange.getRequestURI();
            String queryString = uri.getQuery();
            String pattern = "MtsHlsUriToken=(\\w*)";
            Pattern r = Pattern.compile(pattern);
            Matcher m = r.matcher(queryString);
            if (m.find())
                return m.group(1);
            else {
                System.out.println("Not Found MtsHlsUriToken Param");
                return null;
            }
        }
    }
    /**
     * Start the service.
     *
     * @throws IOException
     */
    private void serviceBootStrap() throws IOException {
        HttpServerProvider provider = HttpServerProvider.provider();
        // You can specify a custom port for listening. A web server can handle a maximum of 30 requests simultaneously on the same port.
        HttpServer httpserver = provider.createHttpServer(new InetSocketAddress(8099), 30);
        httpserver.createContext("/", new HlsDecryptHandler());
        httpserver.start();
        System.out.println("hls decrypt server started");
    }
    public static void main(String[] args) throws IOException {
        HlsDecryptServer server = new HlsDecryptServer();
        server.serviceBootStrap();
    }}

M3U8 encryption and rewrite not enabled

Show sample code in Java

The following table describes the parameters in the sample code that you can change based on your business requirements.

Parameter	Description
`region`	The region ID. KMS and ApsaraVideo VOD must be activated in the same region. For example, if you activate KMS and ApsaraVideo VOD in the China (Shanghai) region, specify `cn-shanghai` for this parameter. For more information about the IDs of other regions, see Region IDs of ApsaraVideo VOD.
`AccessKey`	The AccessKey ID and AccessKey secret of your Alibaba Cloud account or RAM user. For more information about how to obtain the AccessKey pair, see Obtain an AccessKey pair.
`httpserver`	The port number that you want to use to activate the service.

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.ProtocolType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.vod.model.v20170321.DecryptKMSDataKeyRequest;
import com.aliyuncs.vod.model.v20170321.DecryptKMSDataKeyResponse;
import com.sun.net.httpserver.Headers;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.spi.HttpServerProvider;
import org.apache.commons.codec.binary.Base64;

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class HlsDecryptServerNoToken {

    private static DefaultAcsClient client;
    static {
        // The region where KMS is used. The region must be the same as the region where the video resides.
        String region = "cn-beijing";
        // The AccessKey pair that is used to authorize access to KMS.
        // The AccessKey pair of an Alibaba Cloud account has permissions to call all API operations. We recommend that you use the AccessKey pair of a RAM user to call API operations or perform routine O&M. 
        // We recommend that you do not include your AccessKey pair (AccessKey ID and AccessKey secret) in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources within your account may be compromised. 
        // In this example, ApsaraVideo VOD reads the AccessKey pair from the environment variables to implement identity verification for API access. Before you run the sample code, configure the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET. 
        String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        client = new DefaultAcsClient(DefaultProfile.getProfile(region, accessKeyId, accessKeySecret));
    }
    /**
     * Note:
     * 1. Receive a decryption request and obtain the ciphertext key and token.
     * 2. Call the decryption operation of KMS to obtain the plaintext key.
     * 3. Decode the plaintext key by using the Base64 algorithm and return the decoded key.
     */
    public class HlsDecryptHandler implements HttpHandler {
        /**
         * Process the decryption request.
         * @param httpExchange
         * @throws IOException
         */
        public void handle(HttpExchange httpExchange) throws IOException {
            String requestMethod = httpExchange.getRequestMethod();
            if ("GET".equalsIgnoreCase(requestMethod)) {

                // Obtain the ciphertext key from the video URL.
                String ciphertext = getCiphertext(httpExchange);
                System.out.println(ciphertext);
                if (null == ciphertext)
                    return;
                // Decrypt the key in KMS and decode the key by using the Base64 algorithm.
                byte[] key = decrypt(ciphertext);
                // Configure the header.
                setHeader(httpExchange, key);
                // Return the key that is decoded by using the Base64 algorithm.
                OutputStream responseBody = httpExchange.getResponseBody();
                responseBody.write(key);
                responseBody.close();
            }
        }
        private void setHeader(HttpExchange httpExchange, byte[] key) throws IOException {
            Headers responseHeaders = httpExchange.getResponseHeaders();
            responseHeaders.set("Access-Control-Allow-Origin", "*");
            httpExchange.sendResponseHeaders(HttpURLConnection.HTTP_OK, key.length);
        }
        /**
         * Call the decryption operation of KMS to decrypt the key and decode the plaintext key by using the Base64 algorithm.
         * @param ciphertext
         * @return
         */
        private byte[] decrypt(String ciphertext) {

            DecryptKMSDataKeyRequest request = new DecryptKMSDataKeyRequest();
            request.setCipherText(ciphertext);
            request.setProtocol(ProtocolType.HTTPS);
            try {
                DecryptKMSDataKeyResponse response = client.getAcsResponse(request);
                String plaintext = response.getPlaintext();
                System.out.println("PlainText: " + plaintext);
                // Note: You must decode the key by using the Base64 algorithm.
                return Base64.decodeBase64(plaintext);
            } catch (ClientException e) {
                e.printStackTrace();
                return null;
            }
        }

        /**
         * Obtain the ciphertext key from the video URL.
         * @param httpExchange
         * @return
         */
        private String getCiphertext(HttpExchange httpExchange) {
            URI uri = httpExchange.getRequestURI();
            String queryString = uri.getQuery();
            String pattern = "CipherText=(\\w*)";
            Pattern r = Pattern.compile(pattern);
            Matcher m = r.matcher(queryString);
            if (m.find())
                return m.group(1);
            else {
                System.out.println("Not Found CipherText Param");
                return null;
            }
        }
    }

    /**
     * Start the service.
     *
     * @throws IOException
     */
    private void serviceBootStrap() throws IOException {
        HttpServerProvider provider = HttpServerProvider.provider();
        // You can specify a custom port for listening. A web server can handle a maximum of 30 requests simultaneously on the same port.
        HttpServer httpserver = provider.createHttpServer(new InetSocketAddress(8099), 30);
        httpserver.createContext("/", new HlsDecryptHandler());
        httpserver.start();
        System.out.println("hls decrypt server started");
    }
    public static void main(String[] args) throws IOException {
        HlsDecryptServerNoToken server = new HlsDecryptServerNoToken();
        server.serviceBootStrap();
    }}

Obtain the playback URL and credential of a video.
Call the GetVideoPlayAuth operation to obtain the playback credential and call the GetPlayInfo operation to obtain the playback URL.
Play the encrypted video.
HLS encryption supports all HLS-compatible players. You can use a self-developed player or ApsaraVideo Player to play encrypted videos.
If you use ApsaraVideo Player to play encrypted videos, you must obtain the token and authentication information. For more information, see Play an encrypted video. If you use a third-party player, specify the playback logic.
The following procedure describes how ApsaraVideo Player tests the playback:
(Recommended) M3U8 encryption and rewrite enabled
M3U8 encryption and rewrite not enabled
Process
- After the player obtains the URL of the M3U8 file, the player parses and accesses the URL in the EXT-X-KEY tag of the M3U8 file. This way, the player obtains the URL of the decryption operation that contains the ciphertext key. This URL is the value of the DecryptKeyUri parameter in EncryptConfig that you specify when you start HLS encryption.
- If you want to allow only authorized users to access the video, the player must provide accurate authentication information that you can confirm when the player obtains the decryption key. The authentication information can be passed by using the MtsHlsUriToken parameter.
- After the player obtains the decryption URI, the player automatically sends a request to obtain the decryption key. After the player obtains the decryption key, the player decrypts the encrypted TS file for playback.
Examples
- The video playback URL is https://demo.aliyundoc.com/encrypt-stream****-hd.m3u8. The request must contain the MtsHlsUriToken parameter.
- The final request URL is https://demo.aliyundoc.com/encrypt-stream****-hd.m3u8?MtsHlsUriToken=<Token>.
- The decryption URL is https://demo.aliyundoc.com?CipherText=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOT****.
- The final request URL for decryption is https://demo.aliyundoc.com?CipherText=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOT****&MtsHlsUriToken=<The issued token>.
Process
- After the player obtains the URL of the M3U8 file, the player parses and accesses the URL in the EXT-X-KEY tag of the M3U8 file. This way, the player obtains the decryption URL with the ciphertext key included. The decryption URL is the value of DecryptKeyUri in EncryptConfig that you pass when you start HLS encryption. For more information, see Request parameters.
- After the player obtains the decryption URI, the player automatically sends a request to obtain the decryption key. After the player obtains the decryption key, the player decrypts the encrypted TS file for playback.
Examples
- The video playback URL is https://demo.aliyundoc.com/encrypt-stream****-hd.m3u8.
- The final request URL is https://demo.aliyundoc.com/encrypt-stream****-hd.m3u8.
- The decryption URL is https://demo.aliyundoc.com?CipherText=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOT****.
- The final request URL for decryption is https://demo.aliyundoc.com?CipherText=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOT****.

References

Play an encrypted video

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)

Function Compute (FC)