Alibaba Cloud video encryption

Updated at:
Copy as MD

Alibaba Cloud video encryption encrypts live streams during transcoding to prevent unauthorized redistribution in scenarios such as online education, industry training, and premium live events.

Note
  • Encryption supports only HTTP Live Streaming (HLS) and Flash Video (FLV) formats.

  • Encrypted videos require ApsaraVideo Player SDKs for playback. Third-party players cannot decrypt the content.

  • For HTML5 browser compatibility, refer to Browser compatibility.

How it works

Alibaba Cloud video encryption uses envelope encryption with KMS to secure live stream content. Downloaded files remain encrypted and unplayable without authorized decryption, preventing unauthorized redistribution and piracy. The process has two phases:

Encryption and transcoding (steps 1-3)

When a host ingests a live stream, ApsaraVideo Live:

  1. Requests a key pair (plaintext key and ciphertext key) from KMS.

  2. Uses the plaintext key to symmetrically encrypt the live stream during transcoding.

  3. Embeds the corresponding ciphertext key in the transcoded video output.

Decryption and playback (steps 4-11)

When a client plays the encrypted stream:

  1. The client requests a streaming URL from your AppServer.

  2. Using the URL, the client requests the live stream from ApsaraVideo Live, which returns the encrypted video containing the embedded ciphertext key.

  3. The client extracts the ciphertext key and sends it to ApsaraVideo Live to request the decryption key.

  4. ApsaraVideo Live uses the ciphertext key to retrieve the plaintext key from KMS, re-encrypts it, and returns the wrapped key to the client.

  5. ApsaraVideo Player SDK decrypts the wrapped key to obtain the plaintext key, then decrypts the live stream for playback.

    image

Key security features

Feature

Description

Per-file encryption keys

Each media file uses a dedicated key. A single key leak does not expose other files.

Envelope encryption

Plaintext keys exist only in memory during processing and are never stored persistently.

Permission management

Control access through RAM users and playback credentials.

Secure player SDKs

ApsaraVideo Live provides kernel-level player SDKs for secure decryption.

Configure encryption

Configure video encryption through a transcoding template using the console or an API.

Important

You must have a KMS key in the same region as your streaming domain. If you do not have one, create one in KMS by referring to Key management quickstart.

Method 1: Use the console

  1. Log on to the ApsaraVideo Live console.

  2. In the left navigation pane, choose Feature Management > Transcoding. Create or edit a transcoding template with encryption enabled.

For detailed steps of creating a transcoding template, see Use cases.

Method 2: Call an API operation

Call AddLiveStreamTranscode to create a default transcoding template, or AddCustomLiveStreamTranscode to create a custom transcoding template. Specify the EncryptParameters parameter with EncryptType set to aliyun.

Java SDK example:

The following example adds a default transcoding configuration with encryption enabled.

// This file is auto-generated, don't edit it. Thanks.
package demo;

import com.aliyun.auth.credentials.Credential;
import com.aliyun.auth.credentials.provider.StaticCredentialProvider;
import com.aliyun.core.http.HttpClient;
import com.aliyun.core.http.HttpMethod;
import com.aliyun.core.http.ProxyOptions;
import com.aliyun.httpcomponent.httpclient.ApacheAsyncHttpClientBuilder;
import com.aliyun.sdk.service.live20161101.models.*;
import com.aliyun.sdk.service.live20161101.*;
import com.google.gson.Gson;
import darabonba.core.RequestConfiguration;
import darabonba.core.client.ClientOverrideConfiguration;
import darabonba.core.utils.CommonUtil;
import darabonba.core.TeaPair;

//import javax.net.ssl.KeyManager;
//import javax.net.ssl.X509TrustManager;
import java.net.InetSocketAddress;
import java.time.Duration;
import java.util.*;
import java.util.concurrent.CompletableFuture;
import java.io.*;

public class AddLiveStreamTranscode {
    public static void main(String[] args) throws Exception {

        // HttpClient Configuration
        /*HttpClient httpClient = new ApacheAsyncHttpClientBuilder()
                .connectionTimeout(Duration.ofSeconds(10)) // Set the connection timeout time, the default is 10 seconds
                .responseTimeout(Duration.ofSeconds(10)) // Set the response timeout time, the default is 20 seconds
                .maxConnections(128) // Set the connection pool size
                .maxIdleTimeOut(Duration.ofSeconds(50)) // Set the connection pool timeout, the default is 30 seconds
                // Configure the proxy
                .proxy(new ProxyOptions(ProxyOptions.Type.HTTP, new InetSocketAddress("<YOUR-PROXY-HOSTNAME>", 9001))
                        .setCredentials("<YOUR-PROXY-USERNAME>", "<YOUR-PROXY-PASSWORD>"))
                // If it is an https connection, you need to configure the certificate, or ignore the certificate(.ignoreSSL(true))
                .x509TrustManagers(new X509TrustManager[]{})
                .keyManagers(new KeyManager[]{})
                .ignoreSSL(false)
                .build();*/

        // Configure Credentials authentication information, including ak, secret, token
        StaticCredentialProvider provider = StaticCredentialProvider.create(Credential.builder()
                // Please ensure that the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are set.
                .accessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                .accessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
                //.securityToken(System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN")) // use STS token
                .build());

        // Configure the Client
        AsyncClient client = AsyncClient.builder()
                .region("<Your RegionId>") // Region ID
                //.httpClient(httpClient) // Use the configured HttpClient, otherwise use the default HttpClient (Apache HttpClient)
                .credentialsProvider(provider)
                //.serviceConfiguration(Configuration.create()) // Service-level configuration
                // Client-level configuration rewrite, can set Endpoint, Http request parameters, etc.
                .overrideConfiguration(
                        ClientOverrideConfiguration.create()
                                  // The endpoint. Refer to https://api.alibabacloud.com/product/live
                                .setEndpointOverride("live.aliyuncs.com")
                        //.setConnectTimeout(Duration.ofSeconds(30))
                )
                .build();

        // Parameter settings for API request
        AddLiveStreamTranscodeRequest addLiveStreamTranscodeRequest = AddLiveStreamTranscodeRequest.builder()
                .regionId("<Your RegionId>")
                .domain("<Your Domain>")
                .app("<Your App Name>")
                .template("<Your Template>")
                .encryptParameters("<Your EncryptParameters>")
                // Request-level configuration rewrite, can set Http request parameters, etc.
                // .requestConfiguration(RequestConfiguration.create().setHttpHeaders(new HttpHeaders()))
                .build();

        // Asynchronously get the return value of the API request
        CompletableFuture<AddLiveStreamTranscodeResponse> response = client.addLiveStreamTranscode(addLiveStreamTranscodeRequest);
        // Synchronously get the return value of the API request
        AddLiveStreamTranscodeResponse resp = response.get();
        System.out.println(new Gson().toJson(resp));
        // Asynchronous processing of return values
        /*response.thenAccept(resp -> {
            System.out.println(new Gson().toJson(resp));
        }).exceptionally(throwable -> { // Handling exceptions
            System.out.println(throwable.getMessage());
            return null;
        });*/

        // Finally, close the client
        client.close();
    }

}

Replace these placeholders:

Placeholder

Description

Example

<your-region-id>

Region where your streaming domain resides

cn-shanghai

<your-streaming-domain>

Your streaming domain name

live.example.com

<your-app-name>

AppName of the live stream

liveApp

<your-template-name>

Transcoding template name

lld

<your-kms-key-id>

KMS key ID (must be in the same region)

1234abcd-12ab-34cd-56ef-1234567890ab

Note

After modifying a transcoding configuration, re-ingest the stream for changes to take effect.

For more information about the Java server SDK, see Get started with the SDK for Java.

Related APIs

API

Description

UpdateLiveStreamTranscode

Updates a default transcoding configuration.

UpdateCustomLiveStreamTranscode

Updates a custom transcoding configuration.

DescribeLiveStreamTranscodeInfo

Retrieves transcoding configurations of a streaming domain.

DeleteLiveStreamTranscode

Deletes a transcoding configuration.

References