
ApsaraVideo Media Processing: HLS encryption

Last Updated: Apr 02, 2024

Video encryption protects the content of videos. You can encrypt a video to prevent video leaks and hotlinking. The video encryption feature is widely used to protect videos in fields such as online education and finance. ApsaraVideo Media Processing (MPS) supports two encryption methods: Alibaba Cloud proprietary cryptography and HTTP-Live-Streaming (HLS) encryption. This topic describes how to encrypt a video by using HLS encryption in the MPS console.

Limits

You can generate encrypted videos only in the M3U8 format by using HLS encryption.

Usage notes

You can select HLS encryption when you create a workflow in the MPS console. After the workflow is created, if the path of an uploaded video matches the input path specified for the workflow, the workflow is automatically triggered and the video is encrypted by using HLS encryption.

Preparations

Before you use HLS encryption in MPS, make the following preparations:

  1. Activate relevant Alibaba Cloud services, including MPS, OSS, KMS, RAM, and Alibaba Cloud CDN.

    If you have not activated these services, perform the following steps:

    1. Activate MPS. For more information, see Activate MPS.

    2. Activate OSS. For more information, see Activate OSS.

    3. Activate KMS. For more information, see Purchase a dedicated KMS instance.

    4. Activate Alibaba Cloud CDN. For more information, see Activate Alibaba Cloud CDN.

  2. Grant MPS the permissions to access KMS.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Permissions > Authorize. On the Permission page, click Grant Permission. The Authorize panel appears.

    3. In the Principal search box, enter AliyunMtsDefaultRole and select a role that is created by the system and can be used in MPS.

    4. In the search box of the Select Policy section, enter KMS. Select AliyunKMSFullAccess and click OK.

    MPS is then granted the permissions to access KMS. After MPS receives a video encryption request, it can call the Decrypt operation of KMS to obtain the data key (DK).

  3. Configure a CDN-accelerated domain name for the OSS bucket that stores output files, and configure the origin host for the CDN-accelerated domain name. For more information, see Configure a domain name for CDN. If the CDN-accelerated domain name and the origin host are configured, skip this step.

    Note

    You can enter the public domain name of the OSS bucket, such as exampleBucket****.oss-cn-hangzhou.aliyuncs.com. You can obtain the public domain name in the OSS console. Alternatively, you can select the OSS bucket that stores output files and requires content delivery acceleration within the same Alibaba Cloud account. Internal domain names of OSS buckets are not supported.

Configure video encryption settings

  1. Create a workflow for HLS encryption.

    For more information about how to create a workflow, see Create a workflow. When you create a workflow, perform the following steps to configure the settings of video encryption:

    1. In the Encoding panel of the Encode node, click Advanced Settings.

    2. Turn on Encryption.

    3. Select HLS Standard Encryption as the encryption method and enter the uniform resource identifier (URI) of your data key (DK) in the Key URI field.

      Encryption method: HLS Standard Encryption

      Description: This encryption method encrypts videos based on the HLS protocol. You must keep your DK confidential. For example, you can set limits on logon cookies and referers. This encryption method provides a low level of security protection. If you select HLS encryption, you must configure the Key URI parameter.

      Important

      The Key URI parameter specifies the actual decryption endpoint. Example: http://127.0.0.1/decrypt.

    4. Set other parameters as needed and click OK.

    5. Click the Pen icon next to Publish.

    6. Set the Publish Type parameter to Auto. This way, each video can be played immediately after it is transcoded.

  2. Upload a video to the input path specified for the created workflow to transcode and encrypt the video. For more information, see Upload a video.

    After the workflow is configured and saved, transcoding and encryption are automatically triggered when a video is uploaded to the specified path. If you want to encrypt existing videos that are uploaded to Object Storage Service (OSS) but not processed, you must specify the workflow when you submit a transcoding job. This way, the workflow is triggered and run to encrypt existing videos. For more information, see HLS encryption.
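The description of HLS Standard Encryption above says to keep the DK confidential by limiting logon cookies and referers. One way an endpoint behind the Key URI could apply both limits, as an added example that is not Alibaba Cloud code: the signing secret, host allowlist, cookie format and function names are assumptions, and the DK is a placeholder.

```python
import hashlib
import hmac
import time
from http.cookies import CookieError, SimpleCookie
from urllib.parse import urlparse

# Every value here is constructed for illustration.
SESSION_SECRET = b"constructed-demo-secret"     # server-side cookie signing key
ALLOWED_REFERER_HOSTS = {"player.example.com"}  # sites allowed to embed the player
DATA_KEY = bytes(16)                            # placeholder for the 16-byte DK

def _mac(payload):
    return hmac.new(SESSION_SECRET, payload.encode(), hashlib.sha256).hexdigest()

def sign_session(user, expires):
    """Logon cookie value issued at sign-in: user.expiry.HMAC(user.expiry)."""
    payload = f"{user}.{expires}"
    return f"{payload}.{_mac(payload)}"

def session_is_valid(cookie_header, now):
    """Accept only an unexpired cookie whose MAC verifies in constant time."""
    try:
        morsel = SimpleCookie(cookie_header).get("session")
    except CookieError:
        return False
    parts = morsel.value.rsplit(".", 2) if morsel is not None else []
    if len(parts) != 3 or not parts[1].isdecimal():
        return False
    user, expires, mac = parts
    expected = _mac(f"{user}.{expires}")
    return hmac.compare_digest(mac.encode(), expected.encode()) and int(expires) > now

def referer_is_allowed(referer):
    """Match the exact Referer host; a substring test is easy to satisfy."""
    return (urlparse(referer).hostname or "") in ALLOWED_REFERER_HOSTS

def handle_key_request(headers, now=None):
    """Decide the response of the Key URI endpoint: (status, body)."""
    now = time.time() if now is None else now
    if not referer_is_allowed(headers.get("Referer", "")):
        return 403, b""
    if not session_is_valid(headers.get("Cookie", ""), now):
        return 401, b""
    return 200, DATA_KEY
```

The Referer header is chosen by the client, so the signed, expiring cookie is the control that carries the weight; the referer check only narrows where a browser may request the key from.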

Upload a video

After you configure video encryption settings for a workflow, you can upload a video. Then, MPS automatically transcodes and encrypts the video.

  1. You can upload a video in the MPS console or OSS console.

  2. After a video is uploaded, the video is in the Initialized state.

    Note

    If you set the Publish Type parameter to Auto when you configure a workflow, the Initialized state is displayed in the Publish Status column that corresponds to the uploaded video. If you set the Publish Type parameter to Manual for a workflow, the Unpublished state is displayed in the Publish Status column that corresponds to the uploaded video. You must set the Publish Type parameter to Auto when you configure a workflow for video encryption.

  3. Verify that the video is automatically published after it is transcoded. The Published state is displayed in the Publish Status column that corresponds to the video. Then, you can play the video as needed.

Play an encrypted video

You can use ApsaraVideo Player or other players to play a video that is encrypted by using HLS encryption. For more information, see Perform HLS encryption and play an encrypted video.
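A check to run on a published M3U8 file before relying on it, as an added example that is not part of the original page: it parses the standard HLS EXT-X-KEY tag and reports settings that disable or weaken encryption. The sample playlist is constructed, and that the Key URI value appears verbatim in the tag is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample playlist; the key URI is the page's Key URI example.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="http://127.0.0.1/decrypt"
#EXTINF:10.0,
segment-00001.ts
#EXT-X-ENDLIST
"""

# NAME=value pairs; a value is a quoted string (commas allowed) or a token.
ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def parse_key_tags(playlist):
    """Return one attribute dict per #EXT-X-KEY tag in the playlist."""
    tags = []
    for line in playlist.splitlines():
        if line.startswith("#EXT-X-KEY:"):
            attrs = ATTR_RE.findall(line.split(":", 1)[1])
            tags.append({name: value.strip('"') for name, value in attrs})
    return tags

def is_loopback(host):
    """True for localhost or a loopback IP literal."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def audit_playlist(playlist):
    """List findings that disable or weaken encryption of the output."""
    tags = parse_key_tags(playlist)
    if not tags:
        return ["no EXT-X-KEY tag: segments are not encrypted"]
    findings = []
    for attrs in tags:
        uri = urlparse(attrs.get("URI", ""))
        if attrs.get("METHOD") == "NONE":
            findings.append("METHOD=NONE: segments are not encrypted")
        elif "URI" not in attrs:
            findings.append("key tag has no URI")
        elif uri.scheme == "http":
            findings.append("key served over http: no transport encryption for the DK")
        if uri.hostname and is_loopback(uri.hostname):
            findings.append("loopback key host: only the playback device can serve the DK")
    return findings
```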