Video encryption protects the content of videos. You can encrypt a video to prevent video leaks and hotlinking. The video encryption feature is widely used to protect videos in fields such as online education and finance. ApsaraVideo Media Processing (MPS) supports two encryption methods: Alibaba Cloud proprietary cryptography and HTTP-Live-Streaming (HLS) encryption. This topic describes how to encrypt a video by using HLS encryption.

Limits

You can generate encrypted videos only in the M3U8 format by using HLS encryption.

Usage notes

You can select HLS encryption when you create a workflow in the MPS console. After that, if the path of an uploaded video matches the input path specified for the workflow, the workflow is automatically triggered and the video is encrypted by using HLS encryption.

Preparations

Before you use HLS encryption in MPS, make the following preparations:

  1. Activate relevant Alibaba Cloud services, including MPS, OSS, KMS, RAM, and Alibaba Cloud CDN.
    If you have not activated these services, perform the following steps:
    1. Activate MPS. For more information, see Activate MPS.
    2. Activate OSS. For more information, see Activate OSS.
    3. Activate KMS. For more information, see Activate KMS.
    4. Activate RAM and grant required permissions. For more information, see Create a RAM role for a trusted Alibaba Cloud account and authorize the RAM role to access MPS.
    5. Activate Alibaba Cloud CDN. For more information, see Activate Alibaba Cloud CDN.
  2. Grant KMS access permissions to MPS.
    1. Log on to the RAM console.
    2. Click Authorize in the left-side navigation pane. On the Grants page, click Grant Permission to go to the Authorize page.
    3. Enter AliyunMTSDefaultRole in the Principal search box. Select a role that is created by the system and can be used in MPS.
    4. Enter KMS in the search box in the Select Policy section. Select AliyunKMSFullAccess, and click OK.
    Then, MPS are granted the permissions to access KMS. After MPS receives a video encryption request, MPS can call a KMS operation to obtain the DK.
  3. Configure a domain name for CDN for the OSS bucket that stores output files, and configure the origin host for the domain name for CDN. For more information, see Configure a domain name for CDN. If the domain name for CDN and the origin host are configured, skip this step.
    Note You can enter the public domain name of the OSS bucket, such as exampleBucket****.oss-cn-hangzhou.aliyuncs.com. You can obtain the public domain name in the OSS console. Alternatively, you can select the OSS bucket that stores output files and requires content delivery acceleration within the same Alibaba Cloud account. Internal domain names of OSS buckets are not supported.

Configure video encryption settings

  1. Create a workflow for HLS encryption.
    For more information about how to create a workflow, see Create a workflow. When you create a workflow, you must perform the following steps to complete configurations of video encryption:
    1. In the Encoding panel of the Encode node, click Advanced Settings.
    2. Turn on Encryption.
    3. Select HLS Standard Encryption as the encryption method and enter the URI of your DK in the Key URI field. Encryption method
      Encryption methodDescription
      HLS Standard EncryptionThis encryption method encrypts videos based on the HLS protocol. You must keep your DK confidential. For example, you can set limits on logon cookies and referers. This encryption method provides a low level of security protection. If you select HLS encryption, you must set the Key URI parameter.
      Important The Key URI parameter indicates the URI of your DK.
    4. Set other parameters as needed and click OK.
    5. Click the Pen icon next to Publish.
    6. Set the Publish Type parameter to Auto. This way, each video can be played immediately after it is transcoded.
  2. Upload a video to the input path specified for the created workflow to transcode and encrypt the video. For more information, see Upload a video.
    After the workflow is configured and saved, transcoding and encryption are automatically triggered when a video is uploaded to the specified path. If you want to encrypt existing videos that are uploaded to Object Storage Service (OSS) but not processed, you must specify the workflow when you submit a transcoding job. This way, the workflow is triggered and run to encrypt existing videos. For more information, see HLS encryption.

Upload a video

After you configure video encryption settings for a workflow, you can upload a video. Then, MPS automatically transcodes and encrypts the video.

  1. You can upload a video in the MPS console or OSS console.
  2. After a video is uploaded, the video is in the Initialized state.
    Note If you set the Publish Type parameter to Auto when you configure a workflow, the Initialized state is displayed in the Publish Status column that corresponds to the uploaded video. If you set the Publish Type parameter to Manual for a workflow, the Unpublished state is displayed in Publish Status column that corresponds to the uploaded video. You must set the Publish Type parameter to Auto when you configure a workflow for video encryption.
    Initialized state
  3. Verify that the video is automatically published after it is transcoded. The Published state is displayed in the Publish Status column that corresponds to the video. Then, you can play the video as needed. Published state

Play an encrypted video

You can use ApsaraVideo Player or other players to play a video that is encrypted by using HLS encryption. For more information, see Encrypt a video by using HLS encryption and play the encrypted video.