ApsaraVideo VOD:HLS encryption

Upgrade description

The HLS encryption feature of ApsaraVideo VOD was upgraded in August 2022. While you can still use the old encryption procedure, we recommend that you use the new procedure where the encryption process and logic are improved. If you want to use the old encryption procedure, see HLS encryption.

How HLS encryption works

ApsaraVideo VOD uses the envelope encryption technology to encrypt videos. You can use KMS to generate a data key (DK) and an enveloped data key (EDK). Then, you can use the DK to encrypt a video, and store the encrypted video together with the EDK. If you play a video, the player uses a decryption service to obtain the DK and decrypt the video.

If you want to verify the URL for decryption, you can enable M3U8 encryption and rewrite to protect the HLS content. By default, MtsHlsUriToken is rewritten. For more information about how to enable M3U8 encryption and rewrite and the technical principles, see M3U8 encryption and rewrite.

Encryption and decryption process

Upload and encryption

Decryption and playback

Prerequisites

• ApsaraVideo VOD is activated. For more information, see Activate ApsaraVideo VOD.

• ApsaraVideo VOD is authorized to access KMS. You can authorize ApsaraVideo VOD to access KMS on the Cloud Resource Access Authorization page.

• An accelerated domain name is added to ApsaraVideo VOD. For more information, see Add a domain name for CDN.

• The ApsaraVideo VOD SDK is integrated. For more information, see Overview. This topic uses ApsaraVideo VOD SDK for Java as an example.

Encrypt a video

1. Create a service key.

   A service key is used as the primary encryption key in KMS. You must create a service key to generate keys for HLS encryption. If you do not create a service key, an error occurs when you call the GenerateKMSDataKey operation to generate a DK.

   1. Log on to the ApsaraVideo VOD console. In the left-side navigation pane, choose Configuration Management > Media Processing > HLS Encryption.

   2. In the upper-left corner of the page, select the region in which you want to create a service key.

      Note

      A service key must be created in the same region as the origin server where videos are stored. For example, if videos are stored in the China (Shanghai) region, you must create a service key in the China (Shanghai) region.

      

   3. On the HLS Encryption page, click Create Service Key.

      After the service key is created, the system prompts The service key is created. You can view the service key in the Key Information section.

      Note

      If the service key is not displayed in the Key Information section, check whether you have attached the AliyunVODDefaultRole policy to the role. You can grant the role permissions on the Cloud Resource Access Authorization page and refresh the HLS Encryption page to view the service key.

2. Create a transcoding template group for HLS encryption.

   The No Transcoding template group and a transcoding template group for HLS encryption are required.

   The No Transcoding template group is a preset template group. You must create a transcoding template group for HLS encryption. To create a transcoding template group, perform the following steps:

   1. Log on to the ApsaraVideo VOD console. In the left-side navigation pane, choose Configuration Management > Media Processing > Transcoding Template Groups.

   2. On the Transcoding Template Groups page, click Create Transcoding Template Group.

      In the Basic Parameters section, set Encapsulation Format to hls. In the Advanced Parameters section, turn on Video Encryption and select Alibaba Cloud Proprietary Cryptography. Set other parameters based on your business requirements. For more information about the parameters, see Configure regular transcoding template groups.

   3. After the template is created, view the ID of the transcoding template group on the Transcoding Template Groups page. The ID is required when you request HLS encryption.

3. Set up a key management service that encapsulates Alibaba Cloud KMS.

   Call the GenerateKMSDataKey operation to generate a DK and an EDK.

   You do not need to specify request parameters when you call GenerateKMSDataKey. The CiphertextBlob parameter in the response indicates the EDK and Plaintext indicates the DK. CiphertextBlob is an AES_128 key. The EDK is required when you request HLS encryption.

4. Use the No Transcoding transcoding template group to upload a video.

   Usually, automatic transcoding is triggered for videos that are uploaded to ApsaraVideo VOD. However, HLS encryption does not support videos that are automatically transcoded. Therefore, you must use the No Transcoding template group to upload videos for which HLS encryption is required. This way, automatic transcoding is not triggered.

   1. For more information about how to upload media files by using the ApsaraVideo VOD console, see Upload media files by using the ApsaraVideo VOD console. For more information about how to upload media files by using the ApsaraVideo VOD API, see Media upload.

   2. Configure event notifications in ApsaraVideo VOD. When a FileUploadComplete callback is returned, the video is uploaded. For more information about how to configure event notifications, see Overview.

5. Start HLS encryption.

   1. Call the SubmitTranscodeJobs operation to start HLS encryption.

      Show sample code in Java

      The following table describes the parameters in the sample code that you can change based on your business requirements.

      Parameter	Description
      request.setTemplateGroupId("")	The ID of the transcoding template group created in Step 2.
      request.setVideoId("")	The ID of the video that you uploaded in Step 4.
      encryptConfig.put("CipherText","")	The value of CiphertextBlob returned in Step 3.
      encryptConfig.put("DecryptKeyUri","")	The key URI. The URI consists of the IP address of the decryption service and the value of CiphertextBlob. If local port 8099 is used, the key URI is: http://172.16.0.1:8099?CipherText=The value of CiphertextBlob

      import com.alibaba.fastjson.JSON;
      import com.alibaba.fastjson.JSONObject;
      import com.aliyuncs.DefaultAcsClient;
      import com.aliyuncs.exceptions.ClientException;
      import com.aliyuncs.profile.DefaultProfile;
      import com.aliyuncs.vod.model.v20170321.SubmitTranscodeJobsRequest;
      import com.aliyuncs.vod.model.v20170321.SubmitTranscodeJobsResponse;
      
      public class SubmitTranscodeJobs {
      
          // The AccessKey pair of an Alibaba Cloud account has access permissions on all API operations. We recommend that you use the AccessKey pair of a RAM user to call API operations or perform routine O&M. 
          // We recommend that you not include your AccessKey pair (AccessKey ID and AccessKey secret) in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources within your account may be compromised. 
          // In this example, ApsaraVideo VOD reads the AccessKey pair from the environment variables to implement identity verification for API access. Before you run the sample code, configure the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET. 
          private static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
          private static String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
      
          public static SubmitTranscodeJobsResponse submitTranscodeJobs(DefaultAcsClient client) throws Exception{
              SubmitTranscodeJobsRequest request = new SubmitTranscodeJobsRequest();
              request.setTemplateGroupId("");
              request.setVideoId("");
              JSONObject encryptConfig = new JSONObject();
              encryptConfig.put("CipherText","");
              encryptConfig.put("DecryptKeyUri","");
              encryptConfig.put("KeyServiceType","KMS");
              request.setEncryptConfig(encryptConfig.toJSONString());
              return client.getAcsResponse(request);
          }
      
          public static void main(String[] args) throws ClientException {
              String regionId = "cn-shanghai";  // Specify the region where ApsaraVideo VOD is activated.
              DefaultProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret);
              DefaultAcsClient client = new DefaultAcsClient(profile);
      
              SubmitTranscodeJobsResponse response;
              try {
                  response = submitTranscodeJobs(client);
                  System.out.println("RequestId is:"+response.getRequestId());
                  System.out.println("TranscodeTaskId is:"+response.getTranscodeTaskId());
                  System.out.println("TranscodeJobs is:"+ JSON.toJSON(response.getTranscodeJobs()));
              } catch (Exception e) {
                  e.printStackTrace();
              }
          }
      }       

   2. If you have configured event notifications in ApsaraVideo VOD, the video is transcoded when the StreamTranscodeComplete or TranscodeComplete callback is returned.

6. View the result of HLS encryption.

   After the video is transcoded, use one of the following methods to check whether HLS encryption is successful.

   • Method 1: Log on to the ApsaraVideo VOD console. In the left-side navigation pane, choose Media Files > Audio/Video. On the Video and Audio page, find the video and click Manage in the Actions column. On the Video URL tab, if video outputs in formats that include MP4 exist, and HLS Encryption is tagged on the M3U8 file, HLS encryption is successful.

   • Method 2: Copy the URL of the M3U8 file that is tagged HLS Encryption, run the curl -v "URL of the M3U8 file" command, and then check the result. If the decryption URL that you specify when you start HLS encryption is the same as the value of DecryptKeyUri, HLS encryption is successful.

Play an HLS-encrypted video

1. Set up a decryption service.

   Set up a local HTTP service to decrypt the video.

   Call the DecryptKMSDataKey operation to decrypt the video. The DK is returned in the response. The DK is the Base64-decoded value of the PlainText parameter returned in the response to the GenerateKMSDataKey operation.

   If you want to verify the URL for decryption, you can enable M3U8 encryption and rewrite to protect the HLS content. By default, MtsHlsUriToken is rewritten. For more information about how to enable M3U8 encryption and rewrite and the technical principles, see M3U8 encryption and rewrite. The code used to set up the decryption service varies based on whether you have enabled M3U8 encryption and rewrite. The following section describes the sample code:

   • (Recommended) M3U8 encryption and rewrite enabled

     Show sample code in Java

     The following sample code in Java is for reference only. You can develop logic for decryption and MtsHlsUriToken verification based on your business requirements. The following table describes the parameters in the sample code that you can change based on your business requirements.

     Parameter	Description
     region	The region ID. KMS and ApsaraVideo VOD must be activated in the same region. For example, if you activate KMS and ApsaraVideo VOD in the China (Shanghai) region, specify cn-shanghai for this parameter. For more information about the IDs of other regions, see Region IDs of ApsaraVideo VOD.
     AccessKey	The AccessKey ID and AccessKey secret of your Alibaba Cloud account or RAM user. For more information about how to obtain the AccessKey pair, see Obtain an AccessKey pair.
     httpserver	The port number that you want to use to activate the service.

     import com.aliyuncs.DefaultAcsClient;
     import com.aliyuncs.exceptions.ClientException;
     import com.aliyuncs.http.ProtocolType;
     import com.aliyuncs.vod.model.v20170321.DecryptKMSDataKeyRequest;
     import com.aliyuncs.vod.model.v20170321.DecryptKMSDataKeyResponse;
     import com.aliyuncs.profile.DefaultProfile;
     import com.sun.net.httpserver.Headers;
     import com.sun.net.httpserver.HttpExchange;
     import com.sun.net.httpserver.HttpHandler;
     import com.sun.net.httpserver.HttpServer;
     import com.sun.net.httpserver.spi.HttpServerProvider;
     import org.apache.commons.codec.binary.Base64;
     import java.io.IOException;
     import java.io.OutputStream;
     import java.net.HttpURLConnection;
     import java.net.InetSocketAddress;
     import java.net.URI;import java.util.regex.Matcher;
     import java.util.regex.Pattern;
     public class HlsDecryptServer {
         private static DefaultAcsClient client;
         static {
             // The region where KMS is used. The region must be the same as the region where the video resides.
             String region = "";
             // The AccessKey pair that is used to authorize access to KMS.
             // The AccessKey pair of an Alibaba Cloud account has access permissions on all API operations. We recommend that you use the AccessKey pair of a RAM user to call API operations or perform routine O&M. 
             // We recommend that you not include your AccessKey pair (AccessKey ID and AccessKey secret) in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources within your account may be compromised. 
             // In this example, ApsaraVideo VOD reads the AccessKey pair from the environment variables to implement identity verification for API access. Before you run the sample code, configure the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET. 
             String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
             String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
             client = new DefaultAcsClient(DefaultProfile.getProfile(region, accessKeyId, accessKeySecret));
         }
         /**
          * Note:
          * 1. Receive a decryption request and obtain the EDK and token.
          * 2. Call the decryption operation of KMS to obtain the plaintext key.
          * 3. Decode the DK by using the Base64 algorithm and return the DK.
          */
         public class HlsDecryptHandler implements HttpHandler {
             /**
              * Process the decryption request.
              * @param httpExchange
              * @throws IOException
              */
             public void handle(HttpExchange httpExchange) throws IOException {
                 String requestMethod = httpExchange.getRequestMethod();
                 if ("GET".equalsIgnoreCase(requestMethod)) {
                     // Check whether the token is valid.
                     String token = getMtsHlsUriToken(httpExchange);
                     boolean validRe = validateToken(token);
                     if (!validRe) {
                         return;
                     }
                     // Obtain the ciphertext key from the video URL.
                     String ciphertext = getCiphertext(httpExchange);
                     if (null == ciphertext)
                         return;
                     // Decrypt the key in KMS and decode the key by using the Base64 algorithm.
                     byte[] key = decrypt(ciphertext);
                     // Configure the header.
                     setHeader(httpExchange, key);
                     // Return the key decoded by using the Base64 algorithm.
                     OutputStream responseBody = httpExchange.getResponseBody();
                     responseBody.write(key);
                     responseBody.close();
                 }
             }
             private void setHeader(HttpExchange httpExchange, byte[] key) throws IOException {
                 Headers responseHeaders = httpExchange.getResponseHeaders();
                 responseHeaders.set("Access-Control-Allow-Origin", "*");
                 httpExchange.sendResponseHeaders(HttpURLConnection.HTTP_OK, key.length);
             }
             /**
              * Call the decryption operation of KMS to decrypt the key and decode the key by using the Base64 algorithm.
              * @param ciphertext
              * @return
              */
             private byte[] decrypt(String ciphertext) {
                 DecryptKMSDataKeyRequest request = new DecryptKMSDataKeyRequest();
                 request.setCipherText(ciphertext);
                 request.setProtocol(ProtocolType.HTTPS);
                 try {
                     DecryptKMSDataKeyResponse response = client.getAcsResponse(request);
                     String plaintext = response.getPlaintext();
                     System.out.println("PlainText: " + plaintext);
                     // Note: You must decode the DK by using the Base64 algorithm.
                     return Base64.decodeBase64(plaintext);
                 } catch (ClientException e) {
                     e.printStackTrace();
                     return null;
                 }
             }
             /**
              * Check whether the token is valid.
              * @param token
              * @return
              */
             private boolean validateToken(String token) {
                 if (null == token || "".equals(token)) {
                     return false;
                 }
                 // TODO. You can customize the logic to check whether the token is valid.
                 return true;
             }
             /**
              * Obtain the ciphertext key from the video URL.
              * @param httpExchange
              * @return
              */
             private String getCiphertext(HttpExchange httpExchange) {
                 URI uri = httpExchange.getRequestURI();
                 String queryString = uri.getQuery();
                 String pattern = "CipherText=(\\w*)";
                 Pattern r = Pattern.compile(pattern);
                 Matcher m = r.matcher(queryString);
                 if (m.find())
                     return m.group(1);
                 else {
                     System.out.println("Not Found CipherText Param");
                     return null;
                 }
             }
             /**
              * Obtain the value of the token parameter.
              *
              * @param httpExchange
              * @return
              */
             private String getMtsHlsUriToken(HttpExchange httpExchange) {
                 URI uri = httpExchange.getRequestURI();
                 String queryString = uri.getQuery();
                 String pattern = "MtsHlsUriToken=(\\w*)";
                 Pattern r = Pattern.compile(pattern);
                 Matcher m = r.matcher(queryString);
                 if (m.find())
                     return m.group(1);
                 else {
                     System.out.println("Not Found MtsHlsUriToken Param");
                     return null;
                 }
             }
         }
         /**
          * Start the service.
          *
          * @throws IOException
          */
         private void serviceBootStrap() throws IOException {
             HttpServerProvider provider = HttpServerProvider.provider();
             // You can specify a custom port for listening. A web server can handle a maximum of 30 requests simultaneously on the same port.
             HttpServer httpserver = provider.createHttpServer(new InetSocketAddress(8099), 30);
             httpserver.createContext("/", new HlsDecryptHandler());
             httpserver.start();
             System.out.println("hls decrypt server started");
         }
         public static void main(String[] args) throws IOException {
             HlsDecryptServer server = new HlsDecryptServer();
             server.serviceBootStrap();
         }}

   • M3U8 encryption and rewrite not enabled

     Show sample code in Java

     The following table describes the parameters in the sample code that you can change based on your business requirements.

     Parameter	Description
     region	The region ID. KMS and ApsaraVideo VOD must be activated in the same region. For example, if you activate KMS and ApsaraVideo VOD in the China (Shanghai) region, specify cn-shanghai for this parameter. For more information about the IDs of other regions, see Region IDs of ApsaraVideo VOD.
     AccessKey	The AccessKey ID and AccessKey secret of your Alibaba Cloud account or RAM user. For more information about how to obtain the AccessKey pair, see Obtain an AccessKey pair.
     httpserver	The port number that you want to use to activate the service.

     import com.aliyuncs.DefaultAcsClient;
     import com.aliyuncs.exceptions.ClientException;
     import com.aliyuncs.http.ProtocolType;
     import com.aliyuncs.profile.DefaultProfile;
     import com.aliyuncs.vod.model.v20170321.DecryptKMSDataKeyRequest;
     import com.aliyuncs.vod.model.v20170321.DecryptKMSDataKeyResponse;
     import com.sun.net.httpserver.Headers;
     import com.sun.net.httpserver.HttpExchange;
     import com.sun.net.httpserver.HttpHandler;
     import com.sun.net.httpserver.HttpServer;
     import com.sun.net.httpserver.spi.HttpServerProvider;
     import org.apache.commons.codec.binary.Base64;
     
     import java.io.IOException;
     import java.io.OutputStream;
     import java.net.HttpURLConnection;
     import java.net.InetSocketAddress;
     import java.net.URI;
     import java.util.regex.Matcher;
     import java.util.regex.Pattern;
     
     public class HlsDecryptServerNoToken {
     
         private static DefaultAcsClient client;
         static {
             // The region where KMS is used. The region must be the same as the region where the video resides.
             String region = "cn-beijing";
             // The AccessKey pair that is used to authorize access to KMS.
             // The AccessKey pair of an Alibaba Cloud account has access permissions on all API operations. We recommend that you use the AccessKey pair of a RAM user to call API operations or perform routine O&M. 
             // We recommend that you not include your AccessKey pair (AccessKey ID and AccessKey secret) in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources within your account may be compromised. 
             // In this example, ApsaraVideo VOD reads the AccessKey pair from the environment variables to implement identity verification for API access. Before you run the sample code, configure the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET. 
             String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
             String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
             client = new DefaultAcsClient(DefaultProfile.getProfile(region, accessKeyId, accessKeySecret));
         }
         /**
          * Note:
          * 1. Receive a decryption request and obtain the ciphertext key and token.
          * 2. Call the decryption operation of KMS to obtain the plaintext key.
          * 3. Decode the plaintext key by using the Base64 algorithm and return the decoded key.
          */
         public class HlsDecryptHandler implements HttpHandler {
             /**
              * Process the decryption request.
              * @param httpExchange
              * @throws IOException
              */
             public void handle(HttpExchange httpExchange) throws IOException {
                 String requestMethod = httpExchange.getRequestMethod();
                 if ("GET".equalsIgnoreCase(requestMethod)) {
     
                     // Obtain the ciphertext key from the video URL.
                     String ciphertext = getCiphertext(httpExchange);
                     System.out.println(ciphertext);
                     if (null == ciphertext)
                         return;
                     // Decrypt the key in KMS and decode the key by using the Base64 algorithm.
                     byte[] key = decrypt(ciphertext);
                     // Configure the header.
                     setHeader(httpExchange, key);
                     // Return the key that is decoded by using the Base64 algorithm.
                     OutputStream responseBody = httpExchange.getResponseBody();
                     responseBody.write(key);
                     responseBody.close();
                 }
             }
             private void setHeader(HttpExchange httpExchange, byte[] key) throws IOException {
                 Headers responseHeaders = httpExchange.getResponseHeaders();
                 responseHeaders.set("Access-Control-Allow-Origin", "*");
                 httpExchange.sendResponseHeaders(HttpURLConnection.HTTP_OK, key.length);
             }
             /**
              * Call the decryption operation of KMS to decrypt the key and decode the plaintext key by using the Base64 algorithm.
              * @param ciphertext
              * @return
              */
             private byte[] decrypt(String ciphertext) {
     
                 DecryptKMSDataKeyRequest request = new DecryptKMSDataKeyRequest();
                 request.setCipherText(ciphertext);
                 request.setProtocol(ProtocolType.HTTPS);
                 try {
                     DecryptKMSDataKeyResponse response = client.getAcsResponse(request);
                     String plaintext = response.getPlaintext();
                     System.out.println("PlainText: " + plaintext);
                     // Note: You must decode the key by using the Base64 algorithm.
                     return Base64.decodeBase64(plaintext);
                 } catch (ClientException e) {
                     e.printStackTrace();
                     return null;
                 }
             }
     
             /**
              * Obtain the ciphertext key from the video URL.
              * @param httpExchange
              * @return
              */
             private String getCiphertext(HttpExchange httpExchange) {
                 URI uri = httpExchange.getRequestURI();
                 String queryString = uri.getQuery();
                 String pattern = "CipherText=(\\w*)";
                 Pattern r = Pattern.compile(pattern);
                 Matcher m = r.matcher(queryString);
                 if (m.find())
                     return m.group(1);
                 else {
                     System.out.println("Not Found CipherText Param");
                     return null;
                 }
             }
         }
     
         /**
          * Start the service.
          *
          * @throws IOException
          */
         private void serviceBootStrap() throws IOException {
             HttpServerProvider provider = HttpServerProvider.provider();
             // You can specify a custom port for listening. A web server can handle a maximum of 30 requests simultaneously on the same port.
             HttpServer httpserver = provider.createHttpServer(new InetSocketAddress(8099), 30);
             httpserver.createContext("/", new HlsDecryptHandler());
             httpserver.start();
             System.out.println("hls decrypt server started");
         }
         public static void main(String[] args) throws IOException {
             HlsDecryptServerNoToken server = new HlsDecryptServerNoToken();
             server.serviceBootStrap();
         }}
     

2. Obtain the playback URL and credential of a video.

   Call the GetVideoPlayAuth operation to obtain the playback credential and call the GetPlayInfo operation to obtain the playback URL.

3. Play the encrypted video.

   HLS encryption supports all HLS-compatible players. You can use a self-developed player or ApsaraVideo Player to play encrypted videos.

   If you use ApsaraVideo Player to play encrypted videos, you must obtain the token and authentication information. For more information, see Play an encrypted video. If you use a third-party player, specify the playback logic.

   The following procedure describes how ApsaraVideo Player tests the playback:

   (Recommended) M3U8 encryption and rewrite enabled

   Process

   • After the player obtains the URI of the M3U8 file, the player parses and accesses the URI in the EXT-X-KEY tag of the M3U8 file. This way, the player obtains the URI of the decryption operation that contains the EDK. This URI is the value of the DecryptKeyUri parameter in EncryptConfig that you specify when you start HLS encryption.

   • If you want to allow only authorized users to access the video, the player must provide accurate authentication information that you can confirm when the player obtains the decryption key. The authentication information can be passed by using the MtsHlsUriToken parameter.

   • After the player obtains the decryption URI, the player automatically sends a request to obtain the decryption key. After the player obtains the decryption key, the player decrypts the encrypted TS file for playback.

   Examples

   • The video playback URL is https://demo.aliyundoc.com/encrypt-stream****-hd.m3u8. The request must contain the MtsHlsUriToken parameter.

   • The final request URL is https://demo.aliyundoc.com/encrypt-stream****-hd.m3u8?MtsHlsUriToken=<Token>.

   • The decryption URL is https://demo.aliyundoc.com?CipherText=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOT****.

   • The final request URL for decryption is https://demo.aliyundoc.com?CipherText=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOT****&MtsHlsUriToken=<The issued token>.

   M3U8 encryption and rewrite not enabled

   Process

   • After the player obtains the URL of the M3U8 file, the player parses and accesses the URL in the EXT-X-KEY tag of the M3U8 file. This way, the player obtains the decryption URL with the ciphertext key included. The decryption URL is the value of DecryptKeyUri in EncryptConfig that you pass when you start HLS encryption. For more information, see Request parameters.

   • After the player obtains the decryption URI, the player automatically sends a request to obtain the decryption key. After the player obtains the decryption key, the player decrypts the encrypted TS file for playback.

   Examples

   • The video playback URL is https://demo.aliyundoc.com/encrypt-stream****-hd.m3u8.

   • The final request URL is https://demo.aliyundoc.com/encrypt-stream****-hd.m3u8.

   • The decryption URL is https://demo.aliyundoc.com?CipherText=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOT****.

   • The final request URL for decryption is https://demo.aliyundoc.com?CipherText=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOT****.

References

Play an encrypted video