This topic describes the benefits, the overall architecture, and access methods of Alibaba Cloud proprietary cryptography. This topic also introduces best practices to enhance solutions.

Background information

Users can pay a one-time fee for a video and download the video file from the streaming URL that has hotlink protection. However, distribution of the video file cannot be controlled after the video file is downloaded from the streaming URL. Therefore, hotlink protection is far from enough to protect video copyrights.


Alibaba Cloud proprietary cryptography encrypts video data. Video files downloaded to a local device are encrypted, which prevents unauthorized redistribution. Video encryption prevents video leakage and hotlinking. You can apply video encryption to a wide range of online copyrighted video fields such as online education, finance, industry training, and premium TV shows.

Alibaba Cloud utilizes the proprietary cryptography algorithm to provide a high level of security, which allows you to protect your video resources in a convenient, efficient, and secure manner.

  • Each media file has a dedicated encryption key. This prevents a large number of video files from being exposed if a single key is leaked.
  • ApsaraVideo VOD provides a comprehensive permission management system. You can create RAM users and use playback credentials to control the access permissions.
  • ApsaraVideo VOD uses ciphertext and plaintext keys to provide an envelope encryption system. The plaintext keys are not stored and are used only to process data in the memory.
  • ApsaraVideo VOD provides secure player kernel SDKs.

Overall architecture

Alibaba Cloud proprietary cryptography consists of two parts: encryption and transcoding, and decryption and playback.

  • Encryption and transcoding
    1. A video encryption request is initiated in the application background

      You submit a transcoding job that requires data encryption.

    2. ApsaraVideo VOD obtains the encryption key

      ApsaraVideo VOD uses Key Management Service (KMS) to generate a plaintext key and a ciphertext key.

    3. Video encryption and transcoding

      ApsaraVideo VOD uses the plaintext key to encrypt the video file. After the video file is transcoded, the plaintext key is discarded.

    4. Message notification after transcoding completion

      ApsaraVideo VOD saves the encrypted video file and sends you a notification.

  • Decryption and playback
    1. Authorization

      When a user requests to play a video by using a mobile application or web page, the request is first sent to your API or backend page. You can configure permission control to manage content. For example, you can require users to log on before they can play the video. We recommend that you configure HTTPS for your added domain name for Content Delivery Network (CDN). If the playback request is authorized, the AccessKey of the RAM user is used to access ApsaraVideo VOD and obtain a playback credential. Then, the playback credential is sent to the mobile application or web page.

    2. Obtain the streaming URL

      The mobile application or web page sends the playback credential and media ID to ApsaraVideo Player. ApsaraVideo Player SDK proceeds with the following operations:

      • Obtain the streaming URL for the specific video format and definition from ApsaraVideo VOD based on the media ID.
      • Obtain the encryption key of the encrypted video.
    3. Decryption and playback

      ApsaraVideo VOD provides secure player kernel SDKs, which use the encryption key to decrypt and play the video.

  • The output files after the video is encrypted must be in the HLS format.
  • You must use the iOS, Android, HTML5, and Flash players provided by ApsaraVideo VOD to decrypt and play encrypted videos.

Access method


  1. ApsaraVideo VOD is activated.

  2. Add a domain name for CDN

  3. A CNAME record is bound to the domain name for CDN that is added to ApsaraVideo VOD. For more information, see Configure a CNAME record in Alibaba Cloud DNS.

Access process:

  1. On the Added transcoding template group page in the console, click Add template. For more information, see Manage transcoding settings.
    • Set the Encapsulation Format parameter in the Basic parameters section to hls.
    • In the Advanced Parameters section, turn on Video Encryption to encrypt video data.
  2. Video upload

    To upload a video to ApsaraVideo VOD, you can use an SDK, an API, the ApsaraVideo VOD console, or an Object Storage Service (OSS) tool. For more information, see Overview.

  3. Video transcoding

    After the video is uploaded, the video is transcoded. The transcoded video is marked as Normal and is available for playback. For more information, see Manage transcoding settings.

  4. Video playback

    ApsaraVideo VOD provides player SDKs that can be integrated on multiple platforms, which include iOS, Android, HTML5, and Flash. You can use the required player SDK to play the video on your application or web page.

    Note Playback credentials are required to play encrypted videos. You can call the API or SDK to obtain the playauth parameter required by different players. For more information, see GetVideoPlayAuth.
    • Web player (HTML5/Flash): In the left-side navigation pane, choose Media Files > Video and Audio. On the Video and Audio page, click Manage in the Actions column. Then, click the Web Player Code tab. To embed a video player on your web page, you can integrate the web player code snipped on your web page. For more information, see Integration.
    • Mobile players (iOS or Android): You can integrate the SDK into your application. For more information about the Android player, see Integration. For more information about the iOS player, see Integration.
  5. Video-stream management
    After the video is encrypted and transcoded, the video is marked as Encrypt in the playback information. For more information, see PlayInfo. The video is also marked as Alibaba Cloud Proprietary Cryptography in the console to facilitate content management in multiple ways. Alibaba Cloud proprietary cryptography

Solution enhancement

If users want to download videos for offline playback, we recommend that you set the Download Mode parameter to Encrypted to protect your videos. For more information, see Configure offline download. This option uses a key to perform a secondary encryption on video files. After a video is downloaded, ApsaraVideo Player SDK decrypts the video that allows the video to be played only by the specified application. This way, the copyright of offline videos is protected.