This topic describes the benefits, the overall architecture, and the access method of Alibaba Cloud proprietary cryptography. This topic also introduces best practices for enhancing the solution.

Background information

Users can pay a one-time fee for a video file and download the video file from the URL that has hotlink protection. However, the distribution of the video file cannot be controlled after the video file is downloaded. Therefore, hotlink protection is not enough to protect video copyrights. The leakage of video files may cause serious economic losses to customers that charge users for watching videos.

Benefits

Alibaba Cloud proprietary cryptography encrypts video data. Video files downloaded to a local device remain encrypted, which prevents unauthorized redistribution. Video encryption prevents video leakage and hotlinking. You can apply video encryption in a wide range of fields that involve copyrighted online videos, such as online education, finance, industry training, and premium TV shows.

Alibaba Cloud utilizes the proprietary cryptography algorithm to provide a high level of security, which allows you to protect your video resources in a convenient, efficient, and secure manner.

  • Each media file has a dedicated encryption key. This prevents a large number of video files from being exposed if a single key is leaked.
  • ApsaraVideo VOD provides a comprehensive permission management system. You can create RAM users and use playback credentials to control the access permissions.
  • ApsaraVideo VOD uses ciphertext and plaintext keys to provide an envelope encryption system. Plaintext keys are never persisted; they exist only in memory.
  • ApsaraVideo VOD provides secure player kernel SDKs.

Overall architecture

Alibaba Cloud proprietary cryptography consists of two parts: encryption and transcoding, and decryption and playback.

  • Encryption and transcoding
    1. A video encryption request is initiated from the application backend

      You submit a transcoding job that requires data encryption. (Step 1 in the preceding figure)

    2. ApsaraVideo VOD obtains the encryption key

      ApsaraVideo VOD uses Key Management Service (KMS) to generate a plaintext key and a ciphertext key. (Step 2 in the preceding figure)

    3. Video encryption and transcoding

      ApsaraVideo VOD uses the plaintext key to encrypt the video file. After the video file is transcoded, the plaintext key is discarded. (Step 3 in the preceding figure)

    4. Message notification after transcoding completion

      ApsaraVideo VOD saves the encrypted video file and sends you a notification. (Step 4 in the preceding figure)

  • Decryption and playback
    1. Authorization

      When a user requests to play a video on a mobile application or web page, the request is first sent to your API or backend page. You can configure permission control to manage content. For example, you can require users to log on before they can play the video. We recommend that you configure HTTPS for your added domain name. If the playback request is authorized, the AccessKey pair of the RAM user is used to access ApsaraVideo VOD and obtain a playback credential. Then, the playback credential is sent to the mobile application or web page.

    2. Obtain the playback URL

      The mobile application or web page sends the playback credential and media ID to ApsaraVideo Player. ApsaraVideo Player SDK proceeds with the following operations:

      • Obtain the playback URL in the specific video format and definition from ApsaraVideo VOD based on the media ID.
      • Obtain the encryption key of the encrypted video.
    3. Decryption and playback

      ApsaraVideo VOD provides the secure kernel SDK, which uses the encryption key to decrypt and play the video.
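The envelope-encryption lifecycle described in the two flows above, as an added illustration that is not ApsaraVideo VOD's proprietary algorithm or the KMS API: a key service holds a master key and hands out one fresh data key per media file together with its wrapped (ciphertext) form, the media file is encrypted with the plaintext data key, the plaintext key is discarded after transcoding, and the player side can only recover it by asking the key service to unwrap the stored ciphertext key. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen so the example runs on the Python standard library alone; `KmsStub`, `generate_data_key`, `decrypt_data_key`, `encrypt_media` and `play_media` are assumed names, and the video bytes are constructed.

```python
"""Envelope encryption lifecycle (added example, standard library only).

Assumptions: KmsStub stands in for the key service; the stream cipher below is
an illustration of the pattern, not the proprietary algorithm used by the product.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on any mismatch."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: tampered payload or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KmsStub:
    """Stand-in for the key service: owns the master key and never releases it."""

    def __init__(self):
        self._master_key = secrets.token_bytes(32)

    def generate_data_key(self):
        """Step 2: return a plaintext data key and its wrapped (ciphertext) form."""
        plaintext_key = secrets.token_bytes(32)
        return plaintext_key, _seal(self._master_key, plaintext_key)

    def decrypt_data_key(self, ciphertext_key: bytes) -> bytes:
        """Playback side: unwrap a ciphertext key under the master key."""
        return _open(self._master_key, ciphertext_key)


def encrypt_media(kms: KmsStub, media_bytes: bytes) -> dict:
    """Steps 2-4: one fresh key per media file; only the wrapped key is stored."""
    plaintext_key, ciphertext_key = kms.generate_data_key()
    payload = _seal(plaintext_key, media_bytes)
    del plaintext_key  # step 3: the plaintext key is discarded after transcoding
    return {"ciphertext_key": ciphertext_key, "payload": payload}


def play_media(kms: KmsStub, package: dict) -> bytes:
    """Decryption and playback: unwrap the key via the key service, then decrypt."""
    plaintext_key = kms.decrypt_data_key(package["ciphertext_key"])
    return _open(plaintext_key, package["payload"])


def playback_succeeds(kms: KmsStub, package: dict) -> bool:
    """True only if both the wrapped key and the payload authenticate under this KMS."""
    try:
        play_media(kms, package)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    kms = KmsStub()
    video = b"constructed sample video bytes " * 50  # constructed input
    package = encrypt_media(kms, video)
    print(play_media(kms, package) == video)        # True
    print(playback_succeeds(KmsStub(), package))     # False: a different master key cannot unwrap
```

Two properties worth noting: encrypting the same file twice yields different ciphertext keys and payloads, so a leaked data key exposes exactly one file, and a package presented to a key service that does not hold the original master key fails authentication instead of producing garbage.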

Important Videos that are encrypted by using Alibaba Cloud proprietary cryptography can be exported only as the HLS format, and decrypted and played only by using ApsaraVideo Player provided by ApsaraVideo VOD.

Access method

Prerequisites:

  1. ApsaraVideo VOD is activated.

  2. A domain name for CDN is added.

  3. A CNAME record is bound to the domain name for CDN that is added to ApsaraVideo VOD. For more information, see Configure a CNAME record in Alibaba Cloud DNS.

Access process:

  1. Log on to the ApsaraVideo VOD console. In the left-side navigation pane, choose Configuration Management > Media Processing > Transcoding Template Groups. On the Transcoding Template Groups page, click Create Transcoding Template Group. For more information, see Configure normal transcoding template groups.
    • In the Normal Transcoding Template section, click Add Template. In the Basic Parameters section, set Encapsulation Format to hls.
    • In the Video Packaging Template section, click Add Template. On the Video Packaging Template page, turn on Video Encryption in the Advanced Parameters section.
  2. Upload a video.

    To upload a video to ApsaraVideo VOD, you can use an SDK, an API, the ApsaraVideo VOD console, or an Object Storage Service (OSS) tool. For more information, see Overview.

  3. Transcode a video.

    After the video is uploaded, the video is transcoded. The transcoded video is marked as Normal and is available for playback. For more information, see Configure normal transcoding template groups.

  4. Play an encrypted video.

    ApsaraVideo VOD provides player SDKs that can be integrated on multiple platforms, which include iOS, Android, and Web (HTML5 and Flash). You can use the required player SDK to play videos encrypted by using Alibaba Cloud proprietary cryptography on your application or website. Videos encrypted by using Alibaba Cloud proprietary cryptography cannot be played by ApsaraVideo Player for Web on iOS devices. In this scenario, we recommend that you use HLS encryption to encrypt videos. For more information, see HLS encryption and Play a video that is encrypted by using Alibaba Cloud proprietary cryptography.

    Note To play encrypted videos by using playback credentials, you can call the API or SDK to obtain the value of the playauth parameter required by players. For more information, see GetVideoPlayAuth.
  5. Manage video streams.
    After the video is encrypted and transcoded, the video is marked as Encrypt in the playback information. For more information, see Basic structures. The video is also marked as Alibaba Cloud Proprietary Cryptography in the console to facilitate content management.

Solution enhancement

If users want to download videos for offline playback, we recommend that you set the Download Mode parameter to Encrypted to protect your videos. For more information, see Configure offline download. This option uses a key to perform secondary encryption on video files. After a video is downloaded, ApsaraVideo Player SDK decrypts the video and allows the video to be played only by the specified application. This way, the copyright of offline videos is protected.