- Overall architecture
- 1. Configure transcoding templates.
- 2. Perform RAM authorization.
- 3. Create a service key.
- 4. Upload a video.
- 5. Receive the upload completion callback message.
- 6. Start standard HLS encryption and transcoding.
- 7. Play the video encrypted in standard HLS encryption mode.
- Other common issues
Video encryption is a means to protect video content. Video encryption can effectively prevent video leakage and hotlinking. Currently, video encryption is widely used in online education, finance, and other fields.
Note: ApsaraVideo for VOD currently supports private encryption and standard HLS encryption. This topic introduces standard HLS encryption.
Key Management Service (KMS) is a security management service that produces, encrypts, and decrypts DKs.
A data key (DK) is also called a plaintext key. It is used to encrypt data.
An Enveloped Data Key (EDK) is also called a ciphertext key. An EDK is a ciphertext key encrypted by using the envelop encryption technology.
Resource Access Management (RAM) is an Alibaba Cloud service designed for user identity management and resource access control.
- Construct a key management service that encapsulates Alibaba Cloud KMS to generate AES-128 keys. For more information, see GenerateDataKey.
- Construct a token issuance service to generate MtsHlsUriToken.
- Call the decryption operation of KMS to decrypt EDKs and obtain DKs. For more information, see Decrypt.
- Decode DKs by using Base64 and return the decoded keys to players.
Use standard HLS encryption according to the following procedure:
Standard HLS encryption requires two transcoding templates.
Log on to the ApsaraVideo for VOD console and choose Global Settings > Transcode. Create an HLS transcoding template with encryption enabled. You must turn on the Encryption switch. Otherwise, videos are unencrypted. For more information, see Transcoding settings. You can pass this template through the TemplateGroupId parameter when calling the SubmitTranscodeJobs operation. In this way, ApsaraVideo for VOD performs standard HLS encryption and transcoding based on the specified template and passed key information.The following figure shows how to create a transcoding template with encryption enabled.
You can activate the No Transcoding template by choosing Global Settings > Transcode in the ApsaraVideo for VOD console. The No Transcoding template is used for uploading videos.
Note: Currently, ApsaraVideo for VOD automatically transcodes uploaded videos by default. However, automatic transcoding does not support standard HLS encryption. To prevent automatic transcoding when you use standard HLS encryption, you need to use the No Transcoding template to upload videos. Then, you can call the SubmitTranscodeJobs operation to start standard HLS encryption and transcoding.
The following figure shows how to activate the No Transcoding template.
Note: If the No Transcoding template has been activated, you do not need to activate it again.
Use RAM to authorize ApsaraVideo for VOD to access your KMS, as shown in the following figure.
A service key is a primary encryption key used in KMS. You must use the service key to generate all the keys used in standard HLS encryption. Currently, you cannot create a service key in the ApsaraVideo for VOD console. You need to submit a ticket to apply for service key creation.
- The origin region of a service key must be the same as the storage location of videos. For example, if videos are stored in China (Shanghai), the service key must be in China (Shanghai).
You can view the service key in your KMS console. The primary encryption key described as vod is the service key. The following figure shows how to view the service key.
Note:When calling the GenerateDataKey operation, you only need to pass the KeyId (the service key) and KeySpec (the value is AES_128) parameters. Do not pass any other parameters. Otherwise, encryption may fail.
The GenerateDataKey operation returns a ciphertext key and a plaintext key. You need to pass only the ciphertext key to ApsaraVideo for VOD. For more information about the parameters to be passed, see EncryptConfig in SubmitTranscodeJobs. For more information about the sample code, see the standard HLS encryption demo in Media Processing.
- We strongly recommend that you cache the generated ciphertext key and plaintext key.
- Once created, the service key cannot be deleted or updated. It is used to generate encryption keys.
- For more information about key-related fees, see API calling fees in KMS pricing.
Use the No Transcoding template activated in step 1 to obtain the upload URL and credential. For more information about how to upload a video in the ApsaraVideo for VOD console, see console upload. For more information about how to upload a video by calling a server operation, see server upload.
The message indicates that the video file has been uploaded to ApsaraVideo for VOD.
Configure the upload completion event callback in the ApsaraVideo for VOD console. For more information, see Callback settings. After receiving the upload completion callback message, you can call the SubmitTranscodeJobs operation to start standard HLS encryption and transcoding.
Call the SubmitTranscodeJobs operation by passing the ID of the template created in step 1 and standard HLS encryption parameters to start standard HLS encryption and transcoding. For more information, see SubmitTranscodeJobs .
You can determine whether standard HLS encryption and transcoding are successful in the following ways:
- If only the M3U8 video is generated and the video status isChecking or Normal, standard HLS encryption and transcoding are probably successful. If standard HLS encryption and transcoding fail, the video is in the Transcoding Failed status.
- If videos in other formats are generated in addition to the M3U8 video, go to the video details page in the ApsaraVideo for VOD console and check whether an M3U8 file marked as Encrypted is generated. If so, standard HLS encryption and transcoding are probably successful.
- If you are still not sure after checking the result in the previous ways, copy the URL of the M3U8 file marked as Encrypted and run the curl -v “M3U8 file URL” command. Check whether the displayed M3U8 information contains the following information: URI=”
“, for example, URI=”http://decrypt.demo.com?CipherText=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMt.” If so, the file is encrypted in standard HLS encryption mode and the encryption is successful. For more information about the EncryptConfig parameter, see EncryptConfig.
To allow users to play the video encrypted in standard HLS encryption mode, you must first construct a decryption service by calling the decryption operation of KMS. For more information, see Decrypt. If you need to authenticate the player that requests decryption, construct a token issuance service and ensure that the issued token can be parsed and verified by the decryption service.
Note: The GenerateDataKey operation generates a ciphertext key and a plaintext key. The plaintext key is encoded in Base64. The decryption operation returns the key after decoding it by using Base64.
To rewrite a decryption request by adding the token, you need to use a CDN domain name. When requesting an M3U8 file URL, you need to pass the generated token in the MtsHlsUriToken parameter. Then, CDN automatically rewrites the decryption request by adding this parameter and sends the request.
- The function of rewriting a request by adding the MtsHlsUriToken parameter is disabled by default. You need to submit a ticket to enable this function.
- If you need to enable the function of rewriting a request by adding the MtsHlsUriToken parameter, do not enable the CDN domain name authentication function. Otherwise, the rewriting fails.
All players that support HLS can decrypt and play a video encrypted in standard HLS encryption mode. The procedure is as follows:
- The player calls the GetPlayInfo and GetVideoPlayAuth operations to obtain the video playback URL and credential.
- After obtaining the M3U8 file URL, the player parses and accesses the URI in the EXT-X-KEY tag of the M3U8 file. In this way, the player obtains the decryption operation URI with the ciphertext key. This decryption operation URI is the value of DecryptKeyUri in EncryptConfig that you pass when initiating standard HLS encryption. If you only allow authorized users to access the video, the player must provide the authentication information you acknowledge when it obtains the decryption key. The authentication information can be passed in the MtsHlsUriToken parameter.
- The video playback URL is https://vod.demo.com/encrypt-stream-hd.m3u8. The request must contain the MtsHlsUriToken parameter.
- The final requested URL is https://vod.demo.com/encrypt-stream-hd.m3u8?MtsHlsUriToken=The issued token. During playback, the player sends this URL to Alibaba Cloud CDN. After parsing the decryption operation URI from the M3U8 file, Alibaba Cloud CDN automatically concatenates the decryption operation URI with the MtsHlsUriToken parameter.
- The decryption URL is https://vod.decrypt.com?Ciphertext=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOTYyOT.
The final requested decryption URL is https://vod.decrypt.com?Ciphertext=ZjJmZGViNzUtZWY1Mi00Y2RlLTk3MTMtOTYyOT&MtsHlsUriToken=The issued token.
After obtaining the decryption operation URI, the player automatically requests the decryption operation to obtain the decryption key.
- After obtaining the decryption key, the player decrypts the encrypted TS file for playback.
You can use Alibaba Cloud Player Diagnostic Platform to quickly check whether an M3U8 file encrypted in standard HLS encryption mode can be played. Copy the M3U8 file URL (with the value of MtsHlsUriToken if any) to Alibaba Cloud Player Diagnostic Platform to check whether the file can be played.
Note: The playback needs to request the decryption operation. Therefore, ensure that the decryption service is normal.
SubmitTranscodeJobs returns KeyNotFound when the operation is called. In this case, contact ApsaraVideo for VOD technical support to create a service key in the required region, for example, China (Beijing) or China (Shanghai). The service key is used to generate encryption keys.
The generated file is unencrypted. In this case, verify that Encryption is enabled in the transcoding template. This option is required for both private encryption and standard HLS encryption. Output files are encrypted only after Encryption is enabled.
Encryption and transcoding fail because a custom string is used for generating the encryption key. The plaintext key for encryption must be generated by GenerateDataKey. You cannot use a custom string to generate an encryption key.
Standard HLS encryption and transcoding fail, and no encrypted file is generated. In this case, verify that the key type is set to AES_128 for the GenerateDataKey operation. If another key type is set, standard HLS encryption and transcoding fail, and no encrypted file is generated.
A video encrypted in standard HLS encryption mode fails to be decrypted for playback. In this case, verify that the decryption operation uses Base64 to decode the plaintext key generated by KMS before sending the key to the player. If the plaintext key is not decoded, the decryption fails.
Duplicate encrypted files
Duplicate encrypted files are generated. In this case, check whether the SubmitTranscodeJobs operation is called repeatedly. If this operation is called repeatedly, duplicate encrypted files are generated. Currently, standard HLS encryption and transcoding can be started only by users manually.