After you enable M3U8 encryption and rewrite, Alibaba Cloud CDN can rewrite M3U8 files that are transmitted over HTTP Live Streaming (HLS). After an M3U8 file is rewritten, encryption parameters are appended to the #EXT-X-KEY tag of the file. The encryption parameters include the encryption algorithm, key URI, and authentication parameters. After a client receives an M3U8 file that is rewritten by Alibaba Cloud CDN, the client uses the key URI that carries authentication parameters to initiate a request. The request retrieves the key from the CDN edge node. Then, the client uses the encryption algorithm and key to decrypt transport stream (TS) files. M3U8 encryption and rewrite can encrypt HLS data transmission.

Go to the section that you are interested in:

Background information

HLS is an HTTP-based adaptive bitrate streaming communications protocol developed by Apple Inc. HLS is based on HTTP. Clients download files from servers over HTTP in order. HLS specifies that video files are encapsulated in TS format. Apart from the TS video file, HLS also specifies the M3U8 file that controls playback. HLS splits a video stream into several TS video files for transmission. At the start of a streaming media session, the client first downloads an M3U8 file that contains TS file URLs, which functions as a media playlist. Then, the client uses the URLs to download TS files.

HLS basic fields:
  • #EXTM3U: the M3U8 file header, which must be placed in the first line.
  • EXT-X-MEDIA-SEQUENC: the serial number of the first TL file. In most cases, this serial number is 0. In live streaming scenarios, this serial number marks the start position of the streaming segment. Example: #EXT-X-MEDIA-SEQUENCE:0.
  • #EXT-X-TARGETDURATION: the maximum length of each TS file. For example, #EXT-X-TARGETDURATION:10 specifies that each TS file can be 10 seconds in length.
  • #EXT-X-ALLOW-CACHE: specifies whether the file can be cached. Valid values: #EXT-X-ALLOW-CACHE:YES and #EXT-X-ALLOW-CACHE:NO. In most cases, the value is set to YES.
  • #EXT-X-ENDLIST: the terminator of the M3U8 file.
  • #EXTINF: contains information about the TS files, such as the length and bandwidth. In most cases, the parameter is set in the #EXTINF:<duration>,[<title>] format. You can append other information to the value. The value before the comma (,) specifies the length of the current TS file. The length of a TS file must be smaller than the value of #EXT-X-TARGETDURATIO.
  • #EXT-X-VERSION: the version number of M3U8.
  • #EXT-X-DISCONTINUITY: specifies that two consecutive TS files are interrupted.
  • #EXT-X-PLAYLIST-TYP: the type of the streaming media.
  • #EXT-X-KEY: specifies whether to encrypt and parse data. For example, #EXT-X-KEY:METHOD=AES-128,URI="" specifies that the encryption algorithm is AES-128. Clients can send requests to to acquire the key. The key is stored on the on-premises machine for decrypting TS files.

How it works

  1. A client sends a request to a CDN edge node for an M3U8 file, sch as
  2. The edge node verifies the request. The request passes the verification.
  3. The edge node downloads the M3U8 file from the origin server and caches the M3U8 file.
  4. The edge node rewrites the #EXT-X-KEY tag of the M3U8 file and appends the encryption algorithm, key URI, and authentication parameters to the tag, such as #EXT-X-KEY:METHOD=AES-128,URI="".
  5. The edge node sends the rewritten M3U8 file to the client.
  6. The client receives and parses the M3U8 file and acquires the key URI Then, the client sends a request to the URI.
  7. The edge node receives and verifies the request, and sends the key file to the client.
  8. The client continues parsing the M3U8 file and downloads TS files from the edge node.
  9. The client uses the key in the key file and the encryption algorithm specified by #EXT-X-KEY to decrypt downloaded TS files.


HLS uses M3U8 files to provide clients with media playlists. After a client receives an M3U8 file, the client can start video playback. To protect video files on origin servers from unauthorized access, Alibaba Cloud CDN must encrypt the TS files that are transmitted over HLS, and inform the clients of the decryption method. To implement this type of encryption, Alibaba Cloud CDN supports the M3U8 encryption and rewrite feature. This feature uses the #EXT-X-KEY tag to inform clients of the encryption algorithm, key URI, and authentication key.


  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. In the management pane of the domain name, click Video.
  5. In the M3U8 Encryption and Rewrite section, turn on M3U8 Encryption and Rewrite.
    Turn on M3U8 Encryption and Rewrite
    Note After you turn on M3U8 Encryption and Rewrite, the parameter name MtsHlsUriToken is used by default.
  6. Optional:If you want to use a custom parameter name that is the same as that included in the client requests, perform the following steps:
    1. Click Modify next to the Custom Parameter Name field.
    2. In the Custom Parameter Name dialog box, set the Parameter Name parameter.
      Set the parameter name
      Note The parameter names are case-sensitive. Make sure that the specified parameter name is the same as that included in the client requests. For example, if the client requests include the foobar parameter name, the custom parameter name FooBar cannot take effect.
    3. Click OK.

Configuration examples

Log on to the Alibaba Cloud CDN console, turn on M3U8 Encryption and Rewrite, and then set the custom parameter name to foobar. The following figure shows the custom parameter name. Example 1
A client request contains the foobar parameter. The parameter value is yyyy. To decrypt the M3U8 file, Alibaba Cloud CDN appendsfoobar=yyyy to the #EXT-X-KEY tag, as shown in the following figure. Example 2