Last update: 2024-04-28 11:40:16
HLS AES encryption refers to video streaming over the HLS protocol in which the video files are encrypted with the AES-128 algorithm. There are many encryption algorithms, and the most commonly used one for HLS is AES-128. Advanced Encryption Standard (AES) is a block cipher that encrypts and decrypts data in 128-bit blocks. Because AES is a symmetric-key algorithm, the same secret key is used for both encryption and decryption: the broadcaster encrypts the video with the key, and the viewer’s browser decrypts it with the same key.
In HLS, the EXT-X-KEY tag in the m3u8 playlist provides the information players need to decrypt video content. This tag specifies the encryption method (METHOD) and the key location (URI). For example:
#EXT-X-KEY:METHOD=AES-128,URI="https://keypathURI/hls_aes.key",IV=0x00000000000000000000000000000000
After encryption, the player requests the decryption key from the server address specified by URI before playing the video file.
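The tag described above can be checked mechanically before a playlist is published. The following is an added example, not code from the original page: it reads a playlist on stdin and reports, per EXT-X-KEY tag, whether the key URI is missing or fetched over cleartext HTTP and whether an explicit IV is well formed. The function names, host names and IV values are made up for the demonstration.

```shell
# Added example (not from the original page): audit EXT-X-KEY tags read from stdin.
# Prints one "<verdict> METHOD=<m> URI=<u>" line per tag. Function names are hypothetical.

quoted()   { printf '%s\n' "$2" | sed -n "s/.*[:,]$1=\"\([^\"]*\)\".*/\1/p"; }
unquoted() { printf '%s\n' "$2" | sed -n "s/.*[:,]$1=\([^\",]*\).*/\1/p"; }

audit_ext_x_key() {
    tr -d '\r' | grep '^#EXT-X-KEY:' | while IFS= read -r tag; do
        method=$(unquoted METHOD "$tag")
        uri=$(quoted URI "$tag")
        iv=$(unquoted IV "$tag")
        case $method:$uri in
            NONE:*)           verdict=UNENCRYPTED ;;          # segments are not encrypted
            AES-128:)         verdict=NO-KEY-URI ;;           # player cannot fetch a key
            AES-128:http://*) verdict=CLEARTEXT-KEY-FETCH ;;  # key readable in transit
            AES-128:*)        verdict=OK ;;
            *)                verdict=OTHER-METHOD ;;         # e.g. SAMPLE-AES
        esac
        # An explicit IV must be 0x followed by 32 hex digits (128 bits).
        # With no IV attribute the player uses the media sequence number.
        if [ "$verdict" = OK ] && [ -n "$iv" ]; then
            hex=${iv#0[xX]}
            case $hex in *[!0-9A-Fa-f]*) verdict=BAD-IV ;; esac
            { [ "$hex" != "$iv" ] && [ "${#hex}" -eq 32 ]; } || verdict=BAD-IV
        fi
        printf '%s METHOD=%s URI=%s\n' "$verdict" "$method" "$uri"
    done
}

# Constructed sample playlist (hosts and IV values are made up for the demo).
audit_ext_x_key <<'EOF'
#EXTM3U
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.test/hls_aes.key",IV=0x000102030405060708090a0b0c0d0e0f
#EXT-X-KEY:METHOD=AES-128,URI="http://keys.example.test/hls_aes.key"
#EXT-X-KEY:METHOD=AES-128,URI="hls_aes.key",IV=0x01
#EXT-X-KEY:METHOD=NONE
EOF
```

A relative URI is reported as OK because it inherits the scheme of the playlist URL, so the playlist itself must also be served over HTTPS.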
Implementing HLS AES encryption requires transcoding your original video to an encrypted one using media processing. Before you start, please ensure:
For guidance on using media processing, please refer to How to Make Video Processing API Requests.
In the majority of scenarios, media processing is conducted via APIs. To utilize the HLS AES encryption API, it’s mandatory to incorporate the AES key value (hlsKey) within the request body. This key serves the dual purpose of encrypting and decrypting the video content. To safeguard the AES key from potential interception during API calls, it should be encrypted using RSA prior to initiating the API request. Start this process by generating the requisite RSA keys following the steps below:
Run the following commands to generate a private key and a public key:
# Generate private key
openssl genrsa -out private.key 2048
# Generate public key
openssl rsa -in private.key -pubout -out pub.key
Store the generated private.key and pub.key files securely for future use.
In order that we can successfully encrypt your video, you are required to provide your RSA private key to our backend. Begin by encoding the content of the private key file in Base64 format. Subsequently, forward this encoded value to our customer service team, enabling them to configure it within our system’s backend. For comprehensive instructions on reading the RSA private key file and encoding it in Base64, please consult our RSA Private Key Example.
Fops, or file operation parameters, play a crucial role in on-demand file processing by instructing our media processing server on the specific actions to take with your file. When utilizing the Media Processing API for video encryption, structure your request body by employing fops in the manner outlined below:
<op>/<Format>
/hlsKey/<hlsKey>
/hlsKeyUrl/<hlsKeyUrl>
|saveas/<Urlsafe_Base64_Encode(bucket:filekey)>
The hlsKey refers to the previously discussed AES key value. To protect it, encrypt the raw plaintext value of this key with your RSA public key using OAEP padding, then Base64-encode the result. Here is an example, with the plaintext value of this key being 01234566543210abcdef888888abcdef:
# Generate a random 128-bit AES key (prints 32 hex characters)
openssl rand -hex 16
# Encrypt the key value with the RSA public key (OAEP padding) and output URL-safe Base64.
# Note: rsautl is deprecated as of OpenSSL 3.0; pkeyutl is its replacement.
echo -n "01234566543210abcdef888888abcdef" | openssl rsautl -encrypt -pubin -inkey pub.key -oaep | openssl base64 -A | tr "+/" "-_"
The resulting encrypted hlsKey can be used in your fops structure.
The hlsKeyUrl is the URL from which the decryption key is retrieved. Once the video has been encrypted, this URL is written into the HLS m3u8 file, and at playback the player fetches the decryption key from it. You can either use the address of your own key management server as the hlsKeyUrl value, or upload the key to an Object Storage bucket and use that address. For instance, to store the plaintext value of the hlsKey, 01234566543210abcdef888888abcdef, as a file, run the following command, which writes the key as 16 raw bytes rather than as hex text:
echo -ne "\x01\x23\x45\x66\x54\x32\x10\xab\xcd\xef\x88\x88\x88\xab\xcd\xef" > key.hex
Upload this key file to your Object Storage bucket and use its accessible URL as the hlsKeyUrl, such as:
https://bucketname.s3-cn-north-1.wcsapi.com/key.hex
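The hlsKey is handled as a 32-character hex string, while the key file served at hlsKeyUrl must contain the corresponding 16 raw bytes, and a mismatch between the two leaves players unable to decrypt. The following is an added example, not code from the original page, that derives the key file from the hex string and verifies an existing file against it; the function names are hypothetical.

```shell
# Added example (not vendor code): keep the hlsKey hex string and the key file in sync.
# Function names are hypothetical.

is_aes128_hex() {                      # exactly 32 hex characters = 128 bits
    case $1 in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#1}" -eq 32 ]
}

write_hls_keyfile() {                  # write_hls_keyfile HEX FILE
    is_aes128_hex "$1" || { echo "key must be 32 hex characters" >&2; return 1; }
    remaining=$1
    : > "$2"
    while [ -n "$remaining" ]; do
        next=${remaining#??}
        pair=${remaining%"$next"}      # first two hex digits
        # POSIX printf has octal escapes only, so convert hex -> octal first.
        printf "\\$(printf '%03o' "0x$pair")" >> "$2"
        remaining=$next
    done
}

check_hls_keyfile() {                  # check_hls_keyfile HEX FILE
    [ -f "$2" ] || { echo "FAIL: no such file"; return 1; }
    if LC_ALL=C grep -qx '[0-9A-Fa-f]\{32\}' "$2"; then
        echo "FAIL: file holds the hex text, not the 16 raw key bytes"; return 1
    fi
    size=$(wc -c < "$2" | tr -d ' ')
    [ "$size" -eq 16 ] || { echo "FAIL: $size bytes, expected 16"; return 1; }
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    got=$(od -An -v -tx1 "$2" | tr -d ' \n')
    [ "$got" = "$want" ] || { echo "FAIL: bytes differ from hlsKey"; return 1; }
    echo "OK: 16-byte key file matches hlsKey"
}

# Demo with the sample key value from this page, written to a temporary directory.
demo_dir=$(mktemp -d)
write_hls_keyfile 01234566543210abcdef888888abcdef "$demo_dir/key.hex"
check_hls_keyfile 01234566543210abcdef888888abcdef "$demo_dir/key.hex"
```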
Use the following API request to encrypt the video file named test_hls.m3u8 stored in the vod-wcs-test001 bucket:
curl -v -X POST \
-d "bucket=Urlsafe_Base64_Encode(vod-wcs-test001)&key=Urlsafe_Base64_Encode(test_hls.m3u8)&fops=Urlsafe_Base64_Encode(avthumb/m3u8/hlsKey/encrypted hlsKey/hlsKeyUrl/https://bucketname.s3-cn-north-1.wcsapi.com/key.hex|saveas/Urlsafe_Base64_Encode(vod-wcs-test001:hls_aes_.m3u8))&force=1&separate=1" \
-H "Authorization: AccessKey EncodeSign" \
--url "http://mgrDomain/fops"
After successful transcoding, the output video will be deposited in the designated bucket. Correspondingly, your HLS video m3u8 file will incorporate the EXT-X-KEY field, signaling that the video is encrypted.