HTTP Live Streaming (HLS) encryption uses AES-128 to encrypt video content and supports all HLS-compatible players. HLS encryption must be used together with Key Management Service (KMS) and the token service. This encryption method is widely used in fields that require high security, such as online education and TV shows. This topic describes how to use HLS encryption and play HLS-encrypted videos.
Upgrade description
The HLS encryption feature of ApsaraVideo VOD was upgraded in August 2022. You can still use the old encryption procedure, but we recommend the new procedure, in which the encryption process and logic are improved. If you want to use the old encryption procedure, see HLS encryption.
How HLS encryption works
ApsaraVideo VOD uses envelope encryption to encrypt videos. You use KMS to generate a data key (DK) and an enveloped data key (EDK), encrypt the video with the DK, and store the encrypted video together with the EDK. When the video is played, the player uses a decryption service to obtain the DK and decrypt the video.
If you want to verify the URL for decryption, you can enable M3U8 encryption and rewrite to protect the HLS content. By default, MtsHlsUriToken is rewritten. For more information about how to enable M3U8 encryption and rewrite and the technical principles, see M3U8 encryption and rewrite.
Encryption and decryption process (flowcharts, not reproduced here): Upload and encryption; Decryption and playback with M3U8 encryption and rewrite enabled (recommended); Decryption and playback with M3U8 encryption and rewrite not enabled.
Prerequisites
ApsaraVideo VOD is activated. For more information, see Activate ApsaraVideo VOD.
ApsaraVideo VOD is authorized to access KMS. You can authorize ApsaraVideo VOD to access KMS on the Cloud Resource Access Authorization page.
An accelerated domain name is added to ApsaraVideo VOD. For more information, see Add a domain name for CDN.
The ApsaraVideo VOD SDK is integrated. For more information, see Overview. This topic uses ApsaraVideo VOD SDK for Java as an example.
Encrypt a video
Create a service key.
A service key is used as the primary encryption key in KMS. You must create a service key to generate keys for HLS encryption. If you do not create a service key, an error occurs when you call the GenerateKMSDataKey operation to generate a DK.
Log on to the ApsaraVideo VOD console. In the left-side navigation pane, choose Configuration Management > Media Processing > HLS Encryption.
In the upper-left corner of the page, select the region in which you want to create a service key.
Note: A service key must be created in the same region as the origin server where videos are stored. For example, if videos are stored in the China (Shanghai) region, you must create a service key in the China (Shanghai) region.
On the HLS Encryption page, click Create Service Key.
After the service key is created, the system prompts "The service key is created." You can view the service key in the Key Information section.
Note: If the service key is not displayed in the Key Information section, check whether you have attached the AliyunVODDefaultRole policy to the role. You can grant the role permissions on the Cloud Resource Access Authorization page and refresh the HLS Encryption page to view the service key.
Create a transcoding template group for HLS encryption.
The No Transcoding template group and a transcoding template group for HLS encryption are required.
The No Transcoding template group is a preset template group. You must create a transcoding template group for HLS encryption. To create a transcoding template group, perform the following steps:
Log on to the ApsaraVideo VOD console. In the left-side navigation pane, choose Configuration Management > Media Processing > Transcoding Template Groups.
On the Transcoding Template Groups page, click Create Transcoding Template Group.
In the Basic Parameters section, set Encapsulation Format to hls. In the Advanced Parameters section, turn on Video Encryption and select Alibaba Cloud Proprietary Cryptography. Set other parameters based on your business requirements. For more information about the parameters, see Configure regular transcoding template groups.
After the template is created, view the ID of the transcoding template group on the Transcoding Template Groups page. The ID is required when you request HLS encryption.
Set up a key management service that encapsulates Alibaba Cloud KMS.
Call the GenerateKMSDataKey operation to generate a DK and an EDK.
You do not need to specify request parameters when you call GenerateKMSDataKey. The CiphertextBlob parameter in the response indicates the EDK and Plaintext indicates the DK. CiphertextBlob is an AES_128 key. The EDK is required when you request HLS encryption.
Use the No Transcoding template group to upload a video.
Usually, automatic transcoding is triggered for videos that are uploaded to ApsaraVideo VOD. However, HLS encryption does not support videos that are automatically transcoded. Therefore, you must use the No Transcoding template group to upload videos for which HLS encryption is required. This way, automatic transcoding is not triggered.
For more information about how to upload media files by using the ApsaraVideo VOD console, see Upload media files by using the ApsaraVideo VOD console. For more information about how to upload media files by using the ApsaraVideo VOD API, see Media upload.
Configure event notifications in ApsaraVideo VOD. When a FileUploadComplete callback is returned, the video is uploaded. For more information about how to configure event notifications, see Overview.
Start HLS encryption.
Call the SubmitTranscodeJobs operation to start HLS encryption.
If you have configured event notifications in ApsaraVideo VOD, the video is transcoded when the StreamTranscodeComplete or TranscodeComplete callback is returned.
View the result of HLS encryption.
After the video is transcoded, use one of the following methods to check whether HLS encryption is successful.
Method 1: Log on to the ApsaraVideo VOD console. In the left-side navigation pane, choose Media Files > Audio/Video. On the Video and Audio page, find the video and click Manage in the Actions column. On the Video URL tab, if video outputs in formats that include MP4 exist, and HLS Encryption is tagged on the M3U8 file, HLS encryption is successful.
Method 2: Copy the URL of the M3U8 file that is tagged HLS Encryption, run the curl -v "URL of the M3U8 file" command, and then check the result. If the decryption URL in the returned M3U8 file is the same as the DecryptKeyUri value that you specified when you started HLS encryption, HLS encryption is successful.
Play an HLS-encrypted video
Set up a decryption service.
Set up a local HTTP service to decrypt the video.
Call the DecryptKMSDataKey operation to decrypt the video. The DK is returned in the response. The DK is the Base64-decoded value of the Plaintext parameter returned in the response to the GenerateKMSDataKey operation.
If you want to verify the URL for decryption, you can enable M3U8 encryption and rewrite to protect the HLS content. By default, MtsHlsUriToken is rewritten. For more information about how to enable M3U8 encryption and rewrite and the technical principles, see M3U8 encryption and rewrite. The code used to set up the decryption service varies based on whether you have enabled M3U8 encryption and rewrite. The following section describes the sample code:
(Recommended) M3U8 encryption and rewrite enabled
M3U8 encryption and rewrite not enabled
Obtain the playback URL and credential of a video.
Call the GetVideoPlayAuth operation to obtain the playback credential and call the GetPlayInfo operation to obtain the playback URL.
Play the encrypted video.
HLS encryption supports all HLS-compatible players. You can use a self-developed player or ApsaraVideo Player to play encrypted videos.
If you use ApsaraVideo Player to play encrypted videos, you must obtain the token and authentication information. For more information, see Play an encrypted video. If you use a third-party player, specify the playback logic.
The following procedure describes how ApsaraVideo Player tests the playback:
(Recommended) M3U8 encryption and rewrite enabled
Process
After the player obtains the URI of the M3U8 file, the player parses and accesses the URI in the EXT-X-KEY tag of the M3U8 file. This way, the player obtains the URI of the decryption operation that contains the EDK. This URI is the value of the DecryptKeyUri parameter in EncryptConfig that you specify when you start HLS encryption. If you want to allow only authorized users to access the video, the player must provide accurate authentication information that you can confirm when the player obtains the decryption key. The authentication information can be passed by using the MtsHlsUriToken parameter.
After the player obtains the decryption URI, the player automatically sends a request to obtain the decryption key. After the player obtains the decryption key, the player decrypts the encrypted TS file for playback.
Examples
The video playback URL is https://demo.aliyundoc.com/encrypt-stream****-hd.m3u8. The request must contain the MtsHlsUriToken parameter. The final request URL is https://demo.aliyundoc.com/encrypt-stream****-hd.m3u8?MtsHlsUriToken=<Token>. The decryption URL is https://demo.aliyundoc.com?CipherText=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOT****. The final request URL for decryption is https://demo.aliyundoc.com?CipherText=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOT****&MtsHlsUriToken=<The issued token>.
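The decryption service from the "Set up a decryption service" step and the key request flow described above, as an added example that is not the sample code of the ApsaraVideo VOD documentation: the handler takes the final decryption request URL, checks MtsHlsUriToken (here a hypothetical HMAC token service with a constructed secret stands in for your token service), resolves CipherText to the DK through a decrypt_edk callable, and returns the Base64-decoded Plaintext as the raw 16-byte AES-128 key the player expects. fake_decrypt_edk is a constructed stand-in for the DecryptKMSDataKey call so the code runs offline; require_token=False models the "rewrite not enabled" variant.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed demo values; in production the secret lives in your token service
# and decrypt_edk wraps the DecryptKMSDataKey API call.
TOKEN_SECRET = b"demo-token-secret"
DECRYPT_KEY_URI = "https://demo.aliyundoc.com?CipherText=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOT****"
FAKE_DK = b"0123456789abcdef"  # 16 bytes, the size of an AES-128 DK

def fake_decrypt_edk(edk):
    """Stand-in for DecryptKMSDataKey: returns the Base64 Plaintext for an EDK."""
    return base64.b64encode(FAKE_DK).decode()

def issue_token(user_id, expires_at):
    """Hypothetical token service: 'user|expiry' followed by an HMAC-SHA256 tag."""
    payload = f"{user_id}|{expires_at}".encode()
    sig = hmac.new(TOKEN_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()

def verify_token(token, now):
    """Reject tokens with a bad tag (constant-time compare) or a past expiry."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return False
    payload, sig = raw[:-32], raw[-32:]
    expected = hmac.new(TOKEN_SECRET, payload, hashlib.sha256).digest()
    if len(sig) != 32 or not hmac.compare_digest(sig, expected):
        return False
    try:
        return int(payload.split(b"|", 1)[1]) > now
    except (IndexError, ValueError):
        return False

def handle_key_request(url, decrypt_edk, now, require_token=True):
    """Serve the EXT-X-KEY request: (status, body); on 200 the body is the raw
    16-byte DK, i.e. the Base64-decoded Plaintext that belongs to the EDK."""
    query = parse_qs(urlsplit(url).query)
    edk = query.get("CipherText", [None])[0]
    if not edk:
        return 400, b"missing CipherText"
    if require_token:  # M3U8 encryption and rewrite enabled
        token = query.get("MtsHlsUriToken", [None])[0]
        if not token or not verify_token(token, now):
            return 403, b"invalid or expired MtsHlsUriToken"
    dk = base64.b64decode(decrypt_edk(edk))
    if len(dk) != 16:
        return 500, b"unexpected DK length"
    return 200, dk
```

Only a key request that carries a valid, unexpired token for the EDK in its CipherText receives the DK; the 403 and 400 paths are what you would log to detect replayed or malformed key requests.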
M3U8 encryption and rewrite not enabled
Process
After the player obtains the URL of the M3U8 file, the player parses and accesses the URL in the EXT-X-KEY tag of the M3U8 file. This way, the player obtains the decryption URL with the ciphertext key included. The decryption URL is the value of DecryptKeyUri in EncryptConfig that you pass when you start HLS encryption. For more information, see Request parameters. After the player obtains the decryption URI, the player automatically sends a request to obtain the decryption key. After the player obtains the decryption key, the player decrypts the encrypted TS file for playback.
Examples
The video playback URL is https://demo.aliyundoc.com/encrypt-stream****-hd.m3u8. The final request URL is https://demo.aliyundoc.com/encrypt-stream****-hd.m3u8. The decryption URL is https://demo.aliyundoc.com?CipherText=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOT****. The final request URL for decryption is https://demo.aliyundoc.com?CipherText=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOT****.