Alibaba Cloud video encryption encrypts live streams during transcoding to prevent unauthorized redistribution, ensuring content protection for use cases such as online education, industry training, and premium live events.
Encryption supports only HTTP Live Streaming (HLS) and Flash Video (FLV) formats.
Encrypted videos require ApsaraVideo Player SDKs for playback. Third-party players cannot decrypt the content.
For HTML5 browser compatibility, refer to Browser compatibility.
How it works
Alibaba Cloud video encryption uses envelope encryption with Key Management Service (KMS) to secure live stream content. Even if a video file is downloaded, it remains encrypted and cannot be played, preventing unauthorized redistribution and piracy. The process consists of two phases:
Encryption and transcoding (steps 1-3)
When a host ingests a live stream, ApsaraVideo Live:
Requests a key pair (a plaintext key and a ciphertext key) from KMS.
Uses the plaintext key to symmetrically encrypt the live stream during transcoding.
Embeds the corresponding ciphertext key in the transcoded video output.
Decryption and playback (steps 4-11)
When a client needs to play the encrypted live stream:
The client requests a streaming URL from your AppServer.
Using the URL, the client requests the live stream from ApsaraVideo Live. The service returns the encrypted video, which contains the embedded ciphertext key.
The client extracts the ciphertext key and sends it to ApsaraVideo Live to request the decryption key.
ApsaraVideo Live uses this ciphertext key to retrieve the original plaintext key from KMS. It then re-encrypts the plaintext key and sends the wrapped key back to the client.
ApsaraVideo Player SDK decrypts the wrapped key to obtain the plaintext key and uses it to decrypt the live stream for playback.
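The two phases above can be traced end to end in a small local simulation. This is an added example, not Alibaba Cloud code: the class name, AES-GCM as the cipher, the in-process stand-in for KMS, and the session key shared between the service and the player are all assumptions made for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

// Added illustration: local stand-ins for KMS, ApsaraVideo Live and the player SDK.
public class EnvelopeFlowDemo {
    static SecretKey newKey() throws Exception {
        KeyGenerator g = KeyGenerator.getInstance("AES");
        g.init(256);
        return g.generateKey();
    }

    // AES-GCM (assumed cipher): returns 12-byte random IV || ciphertext || 16-byte tag.
    static byte[] seal(SecretKey k, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array();
    }

    static byte[] open(SecretKey k, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }

    public static void main(String[] args) throws Exception {
        SecretKey kmsKey = newKey();      // stand-in for the KMS key; stays inside "KMS"
        SecretKey sessionKey = newKey();  // assumed secret shared by service and player SDK

        // Steps 1-3: the plaintext data key encrypts; its ciphertext form is embedded.
        SecretKey dataKey = newKey();
        byte[] ciphertextKey = seal(kmsKey, dataKey.getEncoded());
        byte[] segment = seal(dataKey, "constructed sample segment".getBytes(StandardCharsets.UTF_8));

        // Playback: service unwraps via KMS, then re-wraps the data key for the player.
        byte[] wrapped = seal(sessionKey, open(kmsKey, ciphertextKey));
        SecretKey playKey = new SecretKeySpec(open(sessionKey, wrapped), "AES");
        System.out.println(new String(open(playKey, segment), StandardCharsets.UTF_8));

        // A downloaded copy (segment + ciphertextKey) without KMS access does not open.
        try { open(newKey(), ciphertextKey); }
        catch (AEADBadTagException e) { System.out.println("unwrap without KMS key: rejected"); }
    }
}
```

The only long-lived secret is the KMS key, so revoking the service's access to it cuts off playback of every stream whose data key was wrapped under it.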
Key security features
Feature | Description |
Per-file encryption keys | Each media file uses a dedicated key. A single key leak does not expose other files. |
Envelope encryption | Plaintext keys exist only in memory during processing and are never stored persistently. |
Permission management | Control access through RAM users and playback credentials. |
Secure player SDKs | ApsaraVideo Live provides kernel-level player SDKs for secure decryption. |
Configure encryption
Configure Alibaba Cloud video encryption through a transcoding template using either the console or an API operation.
You must have a KMS key in the same region as your streaming domain. If you do not have one, create one in KMS by referring to Get started with keys.
Method 1: Use the console
Log on to the ApsaraVideo Live console.
In the left navigation pane, choose Feature Management > Transcoding. Create or edit a transcoding template with encryption enabled.
For detailed steps of creating a transcoding template, see Live stream transcoding.
Method 2: Call an API operation
Call AddLiveStreamTranscode to create a default transcoding template, or AddCustomLiveStreamTranscode to create a custom transcoding template. Specify the EncryptParameters parameter with EncryptType set to aliyun.
Java SDK example:
The following example adds a default transcoding configuration with encryption enabled.
// This file is auto-generated, don't edit it. Thanks.
package demo;

import com.aliyun.auth.credentials.Credential;
import com.aliyun.auth.credentials.provider.StaticCredentialProvider;
import com.aliyun.core.http.HttpClient;
import com.aliyun.core.http.HttpMethod;
import com.aliyun.core.http.ProxyOptions;
import com.aliyun.httpcomponent.httpclient.ApacheAsyncHttpClientBuilder;
import com.aliyun.sdk.service.live20161101.models.*;
import com.aliyun.sdk.service.live20161101.*;
import com.google.gson.Gson;
import darabonba.core.RequestConfiguration;
import darabonba.core.client.ClientOverrideConfiguration;
import darabonba.core.utils.CommonUtil;
import darabonba.core.TeaPair;

//import javax.net.ssl.KeyManager;
//import javax.net.ssl.X509TrustManager;
import java.net.InetSocketAddress;
import java.time.Duration;
import java.util.*;
import java.util.concurrent.CompletableFuture;
import java.io.*;

public class AddLiveStreamTranscode {
    public static void main(String[] args) throws Exception {

        // HttpClient Configuration
        /*HttpClient httpClient = new ApacheAsyncHttpClientBuilder()
                .connectionTimeout(Duration.ofSeconds(10)) // Set the connection timeout time, the default is 10 seconds
                .responseTimeout(Duration.ofSeconds(10)) // Set the response timeout time, the default is 20 seconds
                .maxConnections(128) // Set the connection pool size
                .maxIdleTimeOut(Duration.ofSeconds(50)) // Set the connection pool timeout, the default is 30 seconds
                // Configure the proxy
                .proxy(new ProxyOptions(ProxyOptions.Type.HTTP, new InetSocketAddress("<YOUR-PROXY-HOSTNAME>", 9001))
                        .setCredentials("<YOUR-PROXY-USERNAME>", "<YOUR-PROXY-PASSWORD>"))
                // If it is an https connection, you need to configure the certificate, or ignore the certificate(.ignoreSSL(true))
                .x509TrustManagers(new X509TrustManager[]{})
                .keyManagers(new KeyManager[]{})
                .ignoreSSL(false)
                .build();*/

        // Configure Credentials authentication information, including ak, secret, token
        StaticCredentialProvider provider = StaticCredentialProvider.create(Credential.builder()
                // Please ensure that the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are set.
                .accessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                .accessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
                //.securityToken(System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN")) // use STS token
                .build());

        // Configure the Client
        AsyncClient client = AsyncClient.builder()
                .region("<Your RegionId>") // Region ID
                //.httpClient(httpClient) // Use the configured HttpClient, otherwise use the default HttpClient (Apache HttpClient)
                .credentialsProvider(provider)
                //.serviceConfiguration(Configuration.create()) // Service-level configuration
                // Client-level configuration rewrite, can set Endpoint, Http request parameters, etc.
                .overrideConfiguration(
                        ClientOverrideConfiguration.create()
                                // The endpoint. Refer to https://api.alibabacloud.com/product/live
                                .setEndpointOverride("live.aliyuncs.com")
                        //.setConnectTimeout(Duration.ofSeconds(30))
                )
                .build();

        // Parameter settings for API request
        AddLiveStreamTranscodeRequest addLiveStreamTranscodeRequest = AddLiveStreamTranscodeRequest.builder()
                .regionId("<Your RegionId>")
                .domain("<Your Domain>")
                .app("<Your App Name>")
                .template("<Your Template>")
                .encryptParameters("<Your EncryptParameters>")
                // Request-level configuration rewrite, can set Http request parameters, etc.
                // .requestConfiguration(RequestConfiguration.create().setHttpHeaders(new HttpHeaders()))
                .build();

        // Asynchronously get the return value of the API request
        CompletableFuture<AddLiveStreamTranscodeResponse> response = client.addLiveStreamTranscode(addLiveStreamTranscodeRequest);
        // Synchronously get the return value of the API request
        AddLiveStreamTranscodeResponse resp = response.get();
        System.out.println(new Gson().toJson(resp));
        // Asynchronous processing of return values
        /*response.thenAccept(resp -> {
            System.out.println(new Gson().toJson(resp));
        }).exceptionally(throwable -> { // Handling exceptions
            System.out.println(throwable.getMessage());
            return null;
        });*/

        // Finally, close the client
        client.close();
    }
}

Replace the following placeholders with your actual values:
Placeholder | Description | Example |
| Region where your streaming domain resides | |
| Your streaming domain name | |
| AppName of the live stream | |
| Transcoding template name | |
| KMS key ID (must be in the same region) | |
After you modify a transcoding configuration, re-ingest the stream for the changes to take effect.
For more information about the Java server SDK, see Use the server SDK for Java.
Related APIs
API | Description |
| Updates a default transcoding configuration. |
| Updates a custom transcoding configuration. |
| Retrieves transcoding configurations of a streaming domain. |
| Deletes a transcoding configuration. |
References
When you enable video encryption, the AliyunServiceRoleForLiveKes service-linked role is automatically created to grant ApsaraVideo Live access to KMS. For details, see Manage service-linked role for video encryption.
For an alternative encryption approach that supports standard DRM protocols, see DRM encryption.