How do I use a key that is generated?

The GenerateKMSDataKey operation returns a ciphertext key CiphertextBlob and a plaintext key Plaintext. You need to pass only the ciphertext key to ApsaraVideo VOD. You do not need to pass the plaintext key. For more information about the parameters that are passed, see EncryptConfig: specifies the configurations for HLS encryption in the SubmitTranscodeJobs topic.

  • We recommend that you cache the ciphertext key and the plaintext key that are generated.
  • After you create a service key, you cannot delete or update the service key. The service key is only used to generate encryption keys.

How do I pass a generated token to the decryption operation?

Before you rewrite a token to a decryption operation, you must use an Alibaba Cloud CDN domain name for playback. When an M3U8 address is requested, you must pass the MtsHlsUriToken parameter. The domain name automatically rewrites the MtsHlsUriToken parameter to the decryption operation and requests the decryption operation.

How do I quickly check whether an encrypted video can be played?

You can use Alibaba Cloud Player Diagnostic Platform to check whether an M3U8 file that is encrypted in HTTP Live Streaming (HLS) Encryption mode can be played. Copy the URL of the M3U8 file and the value of MtsHlsUriToken to Alibaba Cloud Player Diagnostic Platform to check whether the file can be decrypted and played. If no value is specified for MtsHlsUriToken, you do not need to copy the value.

Other FAQs

  • API error message

    If KeyNotFound is returned when the SubmitTranscodeJobs operation is called, contact ApsaraVideo VOD technical support to create a service key in the required region, such as China (Beijing) or China (Shanghai). The service key is used to generate encryption keys.

  • Unencrypted file

    If the generated file is unencrypted, check whether Video Encryption is enabled and Alibaba Cloud Proprietary Cryptography is selected.

  • Custom key

    Encryption and transcoding fail because a custom string is used to generate the encryption key. You must generate the plaintext key for encryption by calling the GenerateKMSDataKey operation. You cannot use a custom string to generate an encryption key.

  • Encryption failure

    If HLS encryption and transcoding fail and no encrypted file is generated, check whether the key that is generated by calling the GenerateKMSDataKey operation is of the AES_128 type.

  • Decryption failure

    If a video that is encrypted in HLS Encryption mode fails to be decrypted for playback, check whether the decryption operation uses Base64 to decode the plaintext key that is returned by the DecryptKMSDataKey operation of ApsaraVideo VOD before the decryption operation sends the key to the player. If the plaintext key is not decoded, the decryption fails.

  • Duplicate encrypted files

    Duplicate encrypted files are generated. In this case, check whether the SubmitTranscodeJobs operation is repeatedly called. HLS encryption and transcoding can be only manually started.