Alibaba Cloud video encryption can encrypt live streams. This topic describes the benefits and architecture of Alibaba Cloud video encryption and how to use this service.

Background information

Users can pay a one-time fee for a live stream and download the video file from a legal streaming URL for which hotlink protection is configured. After the video file is downloaded, redistribution of the video file is uncontrollable. Therefore, hotlink protection is not enough to protect copyrights of live streams.


Alibaba Cloud video encryption encrypts video data. Video files that are downloaded to on-premises devices are encrypted. This prevents unauthorized redistribution. Video encryption can prevent video leakage and hotlinking. Video encryption can be applied to a wide range of online copyrighted video fields such as online education, finance, industry training, and premium TV shows.

Alibaba Cloud video encryption utilizes the Alibaba Cloud proprietary cryptography algorithm to provide a high level of security, and allows you to protect your video resources in a convenient, efficient, and secure manner.

  • Each media file has a dedicated encryption key. This way, if a single key is leaked, only the corresponding media file is exposed, whereas other media files are not affected.
  • ApsaraVideo Live provides a comprehensive permission management system. You can create RAM users and use playback credentials to control the access permissions.
  • ApsaraVideo Live uses ciphertext and plaintext keys to provide an envelope encryption system. The plaintext keys are not stored and are used only to process data in the memory.
  • ApsaraVideo Live provides secure player kernel SDKs.

Overall architecture

The Alibaba Cloud video encryption process consists of encrypted transcoding and playback after decryption.

  • Encrypted transcoding.

    After a live stream is pushed by a streamer to the live center, ApsaraVideo Live uses Key Management Service (KMS) to generate a plaintext key and a ciphertext key. ApsaraVideo Live uses the plaintext key to perform symmetric encryption on the audio and video of the live stream, and encapsulates the ciphertext key in the video.

  • Decryption and playback.

    To play the live stream, the playback terminal sends a playback request to AppServer to obtain the streaming URL. Then, the playback terminal uses the streaming URL to request the video stream from ApsaraVideo Live. ApsaraVideo Live transmits the transcoded and encrypted video and the ciphertext key to ApsaraVideo Player SDK.

    The playback terminal uses the ciphertext key to request the encrypted plaintext key from ApsaraVideo Live. Then, ApsaraVideo Live uses the ciphertext Key to request the plaintext key from KMS. The playback terminal transmits the decrypted plaintext key to ApsaraVideo Player SDK, which then decrypts and plays the video.

Use Alibaba Cloud video encryption

Create a key in the KMS console and configure the key ID in a transcoding template of ApsaraVideo Live. Then, use ApsaraVideo Player to decrypt and play encrypted live streams.

You cannot use Alibaba Cloud video encryption in the ApsaraVideo Live console. To use this service, you can call the AddLiveStreamTranscode operation to set the EncryptParameters parameter. Alternatively, submit a ticket.

  • Videos that are encrypted by using Alibaba Cloud video encryption can be exported only in the HTTP Live Streaming (HLS) format.
  • Videos that are encrypted by using Alibaba Cloud video encryption can be played only by ApsaraVideo Player.
  • Videos that are encrypted by using Alibaba Cloud video encryption cannot be played in browsers.
  • Alibaba Cloud video encryption needs to access KMS. Alibaba Cloud video encryption obtains the access permissions by using the AliyunServiceRoleForLiveKes role.