All Products
Document Center

Alibaba Cloud video encryption

Last Updated: Sep 17, 2019


The leakage of video files may cause serious economic losses to businesses that charge users for watching videos. Users can pay a one-time fee for a video and download the video file from the legitimate playback URL with hotlinking protection. Then, redistribution becomes uncontrollable. In view of this point, the hotlinking protection solution is far from enough to protect video copyrights.

Alibaba Cloud video encryption service encrypts video data. Video files downloaded to a local device are encrypted, preventing unauthorized redistribution. Video encryption can effectively prevent video leakage and hotlinking. It can be applied to a wide range of online copyrighted video fields, including online education, finance, industry training, and premium TV shows.

Alibaba Cloud video encryption solution

Proprietary encryption algorithm

Alibaba Cloud’s private encryption algorithm features a high level of security, allowing you to protect your video resources in a convenient, efficient, and secure way.

Solution benefits


Each media file has a dedicated encryption key. This prevents the leakage of a large number of video files in case that the key for a single file is disclosed.


  • ApsaraVideo for VOD provides a comprehensive permission management system. You can create RAM users and use playback credentials to control the access permissions.

  • ApsaraVideo for VOD provides an envelope encryption system using ciphertext and plaintext keys. The plaintext keys are only used for processing in the memory but are not stored.

  • ApsaraVideo for VOD provides secure player kernel SDKs.


  • The output files of video encryption can only be in HLS format.

  • You must use the iOS, Android, HTML5, and Flash players provided by ApsaraVideo for VOD to decrypt and play encrypted videos.

Overall architecture

Alibaba Cloud video encryption solution consists of two parts: encryption and transcoding and decryption and playback.Architecture

Encryption and transcoding

  1. A video encryption request is initiated in the application background.

    You submit a transcoding job that requires data encryption.

  2. ApsaraVideo for VOD obtains the encryption key.

    ApsaraVideo for VOD generates a plaintext key and a ciphertext key by using Key Management Service (KMS).

  • Video encryption and transcoding

    ApsaraVideo for VOD uses the plaintext key to encrypt the video file. After transcoding is completed, the plaintext key is discarded, but not stored.

  • Message notification upon transcoding completion

    ApsaraVideo for VOD saves the encrypted video file and sends you a message notification.

Decryption and playback

  • Business authorization

    When a user requests to play a video through a mobile application or webpage, the request is first sent to your API or backend page. You can configure permission control as required. For example, you can require users to log on before they can play the video. We recommend that you configure HTTPS for your added CDN domain name. If the playback request is authorized, the RAM user’s AccessKey is used to access ApsaraVideo for VOD and obtain a playback credential. The playback credential is then sent to the mobile application or webpage.

  • Playback URL obtaining

    The mobile application or webpage sends the playback credential and media ID to ApsaraVideo Player. ApsaraVideo Player SDK proceeds with the following operations:

    • Obtains the playback URL for the matching video format and definition from ApsaraVideo for VOD based on the media ID.

    • Obtains the encryption key of the encrypted video.

  • Decryption and playback

    ApsaraVideo for VOD provides secure player kernel SDKs, which use the encryption key to decrypt and play the video.




  1. Select a transcoding template with encryption enabled.

    1. Log on to the ApsaraVideo for VOD console and choose Global Settings > Transcode.

    2. Click Edit.

    3. On the Transcoding Template page, choose the target transcoding template and click Edit.

    4. Click Advanced Parameters and turn on the Encryption switch to protect your videos with data encryption.Enable encryption

    5. Click Save.

    Note: Currently, the output files of video encryption can only be in HLS format.

  2. Upload a video.

    You can upload a video to ApsaraVideo for VOD by using an SDK, an API, the ApsaraVideo for VOD console, or a third-party OSS tool. For more information, click here.

  3. Transcode the video.

    After the video is uploaded, transcoding begins automatically. The transcoded video is marked as Normal and is available for playback. For more information, click here.

  4. Play the video.

    ApsaraVideo for VOD provides player SDKs that can be integrated on multiple platforms, including iOS, Android, HTML5, and Flash. You can use the required player SDK to play the video on your application or webpage.

    Note: Playback credentials are required for playing encrypted videos. You can call the API or SDK to obtain the playauth parameter required by different players. For more information, click here.

    • Web players (HTML5 or Flash): You can embed a video player on your webpage by integrating the web player code snippet provided on the Video Details page in Video Management. For more information, click here.
    • Mobile players (iOS or Android): ApsaraVideo for VOD provides new SDK, user can quickly integrate the SDK into your application. For more information about the Android player, click here. For more information about the iOS player, click here.
  5. Manage the video.

    After being encrypted and transcoded, the video is marked as Encrypted in the playback information. For more information, see PlayInfo. The video is also marked as Encrypted in the console to facilitate content management in multiple ways.3

Solution enhancement

If users need to download videos for offline playback, we recommend that you set Download Mode to Encrypted to protect your videos. This option uses a key to perform a secondary encryption on video files. After a video is downloaded, ApsaraVideo Player SDK decrypts the video so that the video can be played only by the specified application. In this way, the security of offline videos is protected.Enhancement