This topic provides answers to some commonly asked questions about Alibaba Cloud Proprietary Cryptography, HTTP Live Streaming (HLS) encryption, and Digital Rights Management (DRM) encryption in ApsaraVideo VOD.
HLS encryption
What is MtsHlsUriToken used for when I play HLS-encrypted videos? How do I obtain MtsHlsUriToken?
MtsHlsUriToken is a user-defined parameter. In HLS encryption, an encryption string is written to the HLS stream and the URL of the decryption server is added to the M3U8 index file. If you want to limit access to the encrypted video, you can use MtsHlsUriToken for identity verification before the video is decrypted for playback.
When you configure encryption, you must set up a token issuance service to generate MtsHlsUriToken. For more information, see Step 1 in HLS encryption.
How do I use a key that is generated?
The GenerateKMSDataKey operation returns a ciphertext key CiphertextBlob and a plaintext key Plaintext. You need to pass only the ciphertext key to ApsaraVideo VOD. You do not need to pass the plaintext key. For more information about the parameters that are passed, see EncryptConfig: specifies the configurations for HLS encryption in SubmitTranscodeJobs.
We recommend that you cache the ciphertext key and the plaintext key that are generated.
After you create a service key, you cannot delete or update the service key. The service key is only used to generate encryption keys.
How do I pass a generated token to the decryption operation?
Before you rewrite a token to a decryption operation, you must use an Alibaba Cloud CDN domain name for playback. When an M3U8 address is requested, you must pass the MtsHlsUriToken parameter. The system automatically rewrites the MtsHlsUriToken parameter for the decryption operation and requests the decryption operation.
How do I quickly check whether an encrypted video can be played?
You can use Alibaba Cloud Player Diagnostic Platform to check whether an M3U8 file that is encrypted in HTTP Live Streaming (HLS) Encryption mode can be played. Copy the URL of the M3U8 file and the value of MtsHlsUriToken to Alibaba Cloud Player Diagnostic Platform to check whether the file can be decrypted and played. If no value is specified for MtsHlsUriToken, you do not need to copy the value.
Other FAQs
API error message
If KeyNotFound is returned when you call the SubmitTranscodeJobs operation, contact ApsaraVideo VOD technical support to create a service key in the required region, such as China (Beijing) or China (Shanghai). The service key is used to generate encryption keys.
Unencrypted file
If the generated file is unencrypted, check whether Video Encryption is enabled and Alibaba Cloud Proprietary Cryptography is selected.
Custom key
Encryption and transcoding fail because a custom string is used to generate the encryption key. You must generate the plaintext key for encryption by calling the GenerateKMSDataKey operation. You cannot use a custom string to generate an encryption key.
Encryption failure
If HLS encryption and transcoding fail and no encrypted file is generated, check whether the key that is generated by calling the GenerateKMSDataKey operation is of the AES_128 type.
Decryption failure
If a video that is encrypted in HLS Encryption mode fails to be decrypted for playback, check whether the decryption operation uses Base64 to decode the plaintext key that is returned by the DecryptKMSDataKey operation before the decryption operation sends the key to the player. If the plaintext key is not decoded, the decryption fails.
Duplicate encrypted files
Duplicate encrypted files are generated. In this case, check whether the SubmitTranscodeJobs operation is repeatedly called. HLS encryption and transcoding can be only manually started.
DRM encryption
What do I do if the "Submit transcode job failed" error message appears when I use DRM encryption?.
Problem description: The "TranscodeJob.SubmitFailed" error message appears when you submit a transcoding job in which DRM encryption is specified. The following figure shows an example.
Cause:
In ApsaraVideo VOD, you cannot submit a transcoding job in which DRM encryption is specified by performing the following steps: Log on to the
parameter.Solution:
Add a transcoding template group in which DRM encryption is specified to a workflow and use the workflow for transcoding. For more information, see Workflows.
What do I do if the "Can not found user info" error message appears when I upload a DRM certificate?
Problem description: The "NotUserInfoExist" error message appears when you upload a DRM certificate. The following figure shows an example.
Solution:
Check whether an enabled VOD bucket exists in the region that corresponds to your DRM certificate. For more information about how to enable a VOD bucket, see Enable VOD buckets.