Alibaba Cloud video encryption
Alibaba Cloud video encryption encrypts live streams during transcoding to prevent unauthorized redistribution in scenarios such as online education, industry training, and premium live events.
-
Encryption supports only HTTP Live Streaming (HLS) and Flash Video (FLV) formats.
-
Encrypted videos require ApsaraVideo Player SDKs for playback. Third-party players cannot decrypt the content.
-
For HTML5 browser compatibility, refer to Browser compatibility.
How it works
Alibaba Cloud video encryption uses envelope encryption with KMS to secure live stream content. Downloaded files remain encrypted and unplayable without authorized decryption, preventing unauthorized redistribution and piracy. The process has two phases:
Encryption and transcoding (steps 1-3)
When a host ingests a live stream, ApsaraVideo Live:
-
Requests a key pair (plaintext key and ciphertext key) from KMS.
-
Uses the plaintext key to symmetrically encrypt the live stream during transcoding.
-
Embeds the corresponding ciphertext key in the transcoded video output.
Decryption and playback (steps 4-11)
When a client plays the encrypted stream:
-
The client requests a streaming URL from your AppServer.
-
Using the URL, the client requests the live stream from ApsaraVideo Live, which returns the encrypted video containing the embedded ciphertext key.
-
The client extracts the ciphertext key and sends it to ApsaraVideo Live to request the decryption key.
-
ApsaraVideo Live uses the ciphertext key to retrieve the plaintext key from KMS, re-encrypts it, and returns the wrapped key to the client.
-
ApsaraVideo Player SDK decrypts the wrapped key to obtain the plaintext key, then decrypts the live stream for playback.
Key security features
|
Feature |
Description |
|
Per-file encryption keys |
Each media file uses a dedicated key. A single key leak does not expose other files. |
|
Envelope encryption |
Plaintext keys exist only in memory during processing and are never stored persistently. |
|
Permission management |
Control access through RAM users and playback credentials. |
|
Secure player SDKs |
ApsaraVideo Live provides kernel-level player SDKs for secure decryption. |
Configure encryption
Configure video encryption through a transcoding template using the console or an API.
You must have a KMS key in the same region as your streaming domain. If you do not have one, create one in KMS by referring to Key management quickstart.
Method 1: Use the console
-
Log on to the ApsaraVideo Live console.
-
In the left navigation pane, choose Feature Management > Transcoding. Create or edit a transcoding template with encryption enabled.
For detailed steps of creating a transcoding template, see Use cases.
Method 2: Call an API operation
Call AddLiveStreamTranscode to create a default transcoding template, or AddCustomLiveStreamTranscode to create a custom transcoding template. Specify the EncryptParameters parameter with EncryptType set to aliyun.
Java SDK example:
The following example adds a default transcoding configuration with encryption enabled.
// This file is auto-generated, don't edit it. Thanks.
package demo;
import com.aliyun.auth.credentials.Credential;
import com.aliyun.auth.credentials.provider.StaticCredentialProvider;
import com.aliyun.core.http.HttpClient;
import com.aliyun.core.http.HttpMethod;
import com.aliyun.core.http.ProxyOptions;
import com.aliyun.httpcomponent.httpclient.ApacheAsyncHttpClientBuilder;
import com.aliyun.sdk.service.live20161101.models.*;
import com.aliyun.sdk.service.live20161101.*;
import com.google.gson.Gson;
import darabonba.core.RequestConfiguration;
import darabonba.core.client.ClientOverrideConfiguration;
import darabonba.core.utils.CommonUtil;
import darabonba.core.TeaPair;
//import javax.net.ssl.KeyManager;
//import javax.net.ssl.X509TrustManager;
import java.net.InetSocketAddress;
import java.time.Duration;
import java.util.*;
import java.util.concurrent.CompletableFuture;
import java.io.*;
public class AddLiveStreamTranscode {
public static void main(String[] args) throws Exception {
// HttpClient Configuration
/*HttpClient httpClient = new ApacheAsyncHttpClientBuilder()
.connectionTimeout(Duration.ofSeconds(10)) // Set the connection timeout time, the default is 10 seconds
.responseTimeout(Duration.ofSeconds(10)) // Set the response timeout time, the default is 20 seconds
.maxConnections(128) // Set the connection pool size
.maxIdleTimeOut(Duration.ofSeconds(50)) // Set the connection pool timeout, the default is 30 seconds
// Configure the proxy
.proxy(new ProxyOptions(ProxyOptions.Type.HTTP, new InetSocketAddress("<YOUR-PROXY-HOSTNAME>", 9001))
.setCredentials("<YOUR-PROXY-USERNAME>", "<YOUR-PROXY-PASSWORD>"))
// If it is an https connection, you need to configure the certificate, or ignore the certificate(.ignoreSSL(true))
.x509TrustManagers(new X509TrustManager[]{})
.keyManagers(new KeyManager[]{})
.ignoreSSL(false)
.build();*/
// Configure Credentials authentication information, including ak, secret, token
StaticCredentialProvider provider = StaticCredentialProvider.create(Credential.builder()
// Please ensure that the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are set.
.accessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
.accessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
//.securityToken(System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN")) // use STS token
.build());
// Configure the Client
AsyncClient client = AsyncClient.builder()
.region("<Your RegionId>") // Region ID
//.httpClient(httpClient) // Use the configured HttpClient, otherwise use the default HttpClient (Apache HttpClient)
.credentialsProvider(provider)
//.serviceConfiguration(Configuration.create()) // Service-level configuration
// Client-level configuration rewrite, can set Endpoint, Http request parameters, etc.
.overrideConfiguration(
ClientOverrideConfiguration.create()
// The endpoint. Refer to https://api.alibabacloud.com/product/live
.setEndpointOverride("live.aliyuncs.com")
//.setConnectTimeout(Duration.ofSeconds(30))
)
.build();
// Parameter settings for API request
AddLiveStreamTranscodeRequest addLiveStreamTranscodeRequest = AddLiveStreamTranscodeRequest.builder()
.regionId("<Your RegionId>")
.domain("<Your Domain>")
.app("<Your App Name>")
.template("<Your Template>")
.encryptParameters("<Your EncryptParameters>")
// Request-level configuration rewrite, can set Http request parameters, etc.
// .requestConfiguration(RequestConfiguration.create().setHttpHeaders(new HttpHeaders()))
.build();
// Asynchronously get the return value of the API request
CompletableFuture<AddLiveStreamTranscodeResponse> response = client.addLiveStreamTranscode(addLiveStreamTranscodeRequest);
// Synchronously get the return value of the API request
AddLiveStreamTranscodeResponse resp = response.get();
System.out.println(new Gson().toJson(resp));
// Asynchronous processing of return values
/*response.thenAccept(resp -> {
System.out.println(new Gson().toJson(resp));
}).exceptionally(throwable -> { // Handling exceptions
System.out.println(throwable.getMessage());
return null;
});*/
// Finally, close the client
client.close();
}
}
Replace these placeholders:
|
Placeholder |
Description |
Example |
|
|
Region where your streaming domain resides |
|
|
|
Your streaming domain name |
|
|
|
AppName of the live stream |
|
|
|
Transcoding template name |
|
|
|
KMS key ID (must be in the same region) |
|
After modifying a transcoding configuration, re-ingest the stream for changes to take effect.
For more information about the Java server SDK, see Get started with the SDK for Java.
Related APIs
|
API |
Description |
|
Updates a default transcoding configuration. |
|
|
Updates a custom transcoding configuration. |
|
|
Retrieves transcoding configurations of a streaming domain. |
|
|
Deletes a transcoding configuration. |
References
-
Enabling video encryption automatically creates the
AliyunServiceRoleForLiveKesservice-linked role, which grants ApsaraVideo Live access to KMS. Manage service-linked role for video encryption. -
For an alternative encryption approach that supports standard DRM protocols, see DRM encryption.