HLS encryption uses AES-128 and works with all HLS players. Combined with key management and a token service, it suits high-security scenarios such as online education and exclusive content streaming.
How it works
ApsaraVideo VOD uses envelope encryption. A service provider uses Alibaba Cloud Key Management Service (KMS) to generate a data key (DK) and an enveloped data key (EDK). The DK encrypts the video, and the EDK is stored alongside it. During playback, the client retrieves the DK from the decryption service to decrypt the video.
To secure the decryption URL, enable M3U8 encryption and rewrite, which adds another layer of protection to the HLS data access process. The default rewritten parameter is MtsHlsUriToken. To learn how to enable this feature and how it works, see M3U8 encryption and rewrite.
Prerequisites
-
HLS encryption is a free service. However, this feature requires video transcoding, which incurs fees. For pricing details, see Media transcoding billing.
-
You have activated ApsaraVideo VOD. For instructions, see Activate ApsaraVideo VOD.
-
You have authorized ApsaraVideo VOD to access your Key Management Service (KMS). You can grant the required permissions on the Cloud Resource Access Authorization page.
-
You have added an accelerated domain name in ApsaraVideo VOD. For instructions, see Add an accelerated domain name.
-
You have installed the required server-side SDK. For more information, see Server-side SDKs. This topic uses the SDK for Java as an example.
Encryption and decryption workflow
Upload and encryption workflow

Decryption and playback workflow
M3U8 rewrite enabled (Recommended)

M3U8 rewrite disabled

Encrypt a video
-
Upload your video and receive a callback.
To prevent videos that support HLS Encryption from being automatically transcoded, you must use the built-in No Transcoding template group when you upload the videos to ApsaraVideo VOD. This prevents automatic transcoding during the upload.
-
To upload a video by using the ApsaraVideo VOD console, see Upload files in the ApsaraVideo VOD console. To upload a video by using a server-side API, see Media upload.
-
Configure event notifications for ApsaraVideo VOD. A callback message for the Video upload completed event indicates that the video has been uploaded to ApsaraVideo VOD. For information about how to configure event notifications, see Event notifications.
-
-
Set up an encryption service.
-
Create a service key.
A service key is the primary encryption key in KMS and must be used to generate keys for HLS Encryption. If you do not create a service key, the GenerateKMSDataKey operation reports an error.
-
In the upper-left corner of the page, click the region ID to switch to the region where you want to create the service key.
NoteThe service key must be in the same region as your video's origin server. For example, if your video is stored in China (Shanghai), the service key must also be created in the China (Shanghai) region.
The available regions are China (Shanghai), China (Beijing), China (Shenzhen), Japan (Tokyo), Singapore, Indonesia (Jakarta), India (Mumbai), and Germany (Frankfurt).
-
Log on to the ApsaraVideo VOD console. In the left-side navigation pane, choose Configuration Management > Media Processing > HLS Standard Encryption.
-
On the HLS Encryption page, click Create Service Key.
After the service key is created, a confirmation message appears. You can then view the key in the Key Information section.
NoteIf a success message appears but you cannot view the key, the cause may be a missing service-linked role. You can reauthorize ApsaraVideo VOD to restore the role and then refresh the page to view the service key.
-
-
Call an API operation to generate a data key (DK).
Call the GenerateKMSDataKey operation to generate a data key (DK) and an enveloped data key (EDK). You do not need to pass any parameters. After a successful call, the
Plaintextfield in the response contains the DK, and theCiphertextBlobfield contains the EDK in AES-128 format. Cache theCiphertextBlobvalue for the HLS Encryption transcoding job.
-
-
Create a transcoding template group for HLS Encryption.
The HLS Encryption process requires two transcoding template groups: the built-in No Transcoding template group and a custom transcoding template group for HLS Encryption. To create a custom transcoding template group, perform the following steps:
-
Log on to the ApsaraVideo VOD console. In the left-side navigation pane, choose Configuration Management > Media Processing > Transcoding Template Groups.
-
On the Transcoding Template Groups page, create a transcoding template group for HLS Encryption.
Set Encapsulation Format to hls. In the Advanced Parameters section, enable Video Encryption and select the Alibaba Cloud Encryption option. Configure other parameters as required. For more information about the parameters, see Transcoding templates.
-
After the template group is created, find the new template group in the list on the Transcoding Template Groups page and record its ID. This template group ID is required for the encryption configuration.
-
-
Submit an HLS Encryption transcoding job.
-
Call the SubmitTranscodeJobs operation to submit an HLS Encryption transcoding job.
-
If you have configured event notifications, a callback message for the Single Definition Transcoding Complete or Transcode complete event indicates that the transcoding job is complete.
-
-
Verify the HLS Encryption result.
After the transcoding job is complete, use one of the following methods to verify the encryption.
-
Method 1: Log on to the ApsaraVideo VOD console. Go to the details page of the Audio/Video file and click the Video URL tab. In the video URL list, check the format column for an HLS Encryption tag on the M3U8 output file. The presence of this tag confirms that the encryption was successful.
-
Method 2: Copy the URL of the M3U8 file that has the HLS Standard Encryption tag. Run the
curl -v "URL of the M3U8 file"command to retrieve the M3U8 content. Check the content for the following key information:URI="<the decryption URI that you provided as the DecryptKeyUri parameter value>". If this information is present, the encryption was successful. -
Method 3: Call the GetTranscodeTask operation and pass the value of the
JobIdparameter that is returned in Step 4. The encryption is successful if the value ofTranscodeTemplateIdin the response matches the ID of the transcoding template group that you created in Step 3 andTranscodeJobStatusisTranscodeSuccess.
-
HLS (M3U8) encryption and rewrite (Recommended)
With M3U8 encryption and rewrite enabled, the system automatically adds encryption parameters, including the algorithm, key URI, and authentication parameters, to the #EXT-X-KEY tag in the HLS Media Playlist (M3U8 file). When a client parses the rewritten M3U8 file, it uses the key URI with authentication parameters to request the decryption key, then decrypts the transport stream (TS) segments with the specified algorithm.
Step 1: Enable parameter pass-through for HLS encryption
In the ApsaraVideo VOD console, enable Parameter Pass-through for HLS Encryption.
After you enable Parameter Pass-through for HLS Encryption, ApsaraVideo VOD rewrites the M3U8 file, modifying the URI in the #EXT-X-KEY tag by appending parameters from the client request. The default parameter name is MtsHlsUriToken.
Prerequisites
You have configured cross-origin resource sharing (CORS). For more information, see Configure cross-origin resource sharing.
This feature is not available in Alibaba Cloud Gov Cloud.
Procedure
-
Log on to the ApsaraVideo VOD console.
-
In the left-side navigation pane, click Configuration Management.
-
Click CDN Configuration > Domain Names to go to the Domain Names page.
-
Find the domain name that you want to manage and click configure in the Actions column.
-
On the domain's configuration page, click Video Related in the left-side navigation pane.
-
In the encrypted playback section, turn on the Parameter Pass-through for HLS Encryption switch. By default, this switch is turned off, and the parameter name is
MtsHlsUriToken.
-
After you enable this feature, ApsaraVideo VOD handles authentication by rewriting the token parameter. The rewritten parameter is
MtsHlsUriToken, and its value istest. During decrypted playback, the point of presence (POP) appendsMtsHlsUriToken=testto the URI in the#EXT-X-KEYtag of the M3U8 file.
Step 2: Send request with MtsHlsUriToken
To access the M3U8 file, the client sends a request that includes the MtsHlsUriToken parameter to a point of presence (POP).
You must build a token service to generate and issue the MtsHlsUriToken for users.
The following code generates the MtsHlsUriToken. You must modify the following parameters based on your business requirements:
Step 3: Decrypt and play the file
Upon receiving a request from the client, the point of presence (POP) authenticates it. If authentication is successful, the POP decrypts and plays the file.
If the MtsHlsUriToken parameter generated in Step 2 has a value of test, the POP appends MtsHlsUriToken=test to the URI in the #EXT-X-KEY tag of the M3U8 file during decrypted playback.
You must implement the authentication logic. For reference, see the decryption service sample code for M3U8 encryption and rewrite in Play videos.
Play video
With M3U8 rewrite (recommended)
-
Set up a decryption service.
Set up a local HTTP service to decrypt videos.
Call the DecryptKMSDataKey operation to decrypt the data key. The data key in the response,
PlainText, is the Base64-decoded version of thePlainTextvalue returned by the GenerateKMSDataKey operation.To add an extra layer of security by verifying decryption URLs, enable M3U8 encryption and rewrite. This feature adds a token to the key request URL. The default parameter name is
MtsHlsUriToken. Your decryption service implementation depends on whether this feature is enabled. -
Obtain the video playback URL or credential.
Call the GetVideoPlayAuth operation to obtain the playback credential, or call the GetPlayInfo operation to obtain the playback URL.
-
Play the encrypted video.
HLS standard encryption is compatible with all HLS players. You can use a self-developed player or ApsaraVideo Player to play the encrypted video.
If you use ApsaraVideo Player, obtain the token and authentication information as required to play the video. For more information, see Play an encrypted video. If you use a different player, implement the playback logic.
The following section describes the internal playback process of ApsaraVideo Player:
With M3U8 rewrite (recommended)
Without M3U8 rewrite
-
Set up a decryption service.
Set up a local HTTP service to decrypt videos.
Call the DecryptKMSDataKey operation to decrypt the data key. The data key in the response,
PlainText, is the Base64-decoded version of thePlainTextvalue returned by the GenerateKMSDataKey operation.For example:
-
Obtain the video playback URL or credential.
Call the GetVideoPlayAuth operation to obtain the playback credential, or call the GetPlayInfo operation to obtain the playback URL.
-
Play the encrypted video.
HLS standard encryption is compatible with all HLS players. You can use a self-developed player or ApsaraVideo Player to play the encrypted video.
If you use ApsaraVideo Player, obtain the token and authentication information as required to play the video. For more information, see Play an encrypted video. If you use a different player, implement the playback logic.
The following section describes the internal playback process of ApsaraVideo Player:
Without M3U8 rewrite