How does HLS encryption work
For example, you may want to protect all of the streams in an adaptive group defined in the SMIL file sample. In this case, all of the streams in the adaptive group will be encrypted with the same key. Similar to the key files that are described in the previous section, you can protect HLS streams by passing key data to a Wowza Streaming Engine server through the server-side API.
You can do this in Wowza Streaming Engine Manager or by using a text editor. The following methods, when added to a server-side module, are called each time a live or on-demand HLS chunk is created, giving you the opportunity to control how that chunk is encrypted:
The encInfo variable holds the current encryption information for a given stream and is used to control stream encryption. It's also used to rotate keys as needed, if supported by the encryption method that you're using.
The following code examples show how to set encryption for each of the encryption methods:
Wowza Streaming Engine doesn't include key server delivery features. It has some basic features for AES key delivery; however, these features are provided only for convenience. The following options are available for key delivery.
Adaptive bitrate streaming allows automatic selection of the best-suited video stream depending on the end visitor's device and available internet speed. HLS video encryption adds an extra layer of protection when it is used for streaming videos, making it very difficult for end visitors to save the video to their device. During the video transcoding process, the video is encrypted with a special key belonging to the owner of the video. HLS video encryption acts as a DRM solution by exchanging and checking the encryption keys before the video is played.
It is one of the best methods for securing your videos for online delivery and is the perfect solution for site owners with protected paid video content like online courses, classes, tutorials, etc. If HLS Video Encryption is enabled for a selected video, Publitio will auto-create a master m3u8 list file containing info for all the other possible video stream formats p, p, p, p. In this instance, all the segments are encrypted with the same key.
It can be beneficial to periodically change the encryption keys to minimise the impact if a particular key is exposed. This is known as key rotation, and the amount of time between successive key generations is referred to as the key rotation period. When enabled, the key info file will be checked periodically. If the file has changed, segments will then be encrypted with the new encryption key. However, we still need to come up with a way of generating new keys and updating the key info file.
The script uses the same values as before for the base URL for each key and key info file. It generates a new encryption key every 15 seconds, updating the key info file accordingly.
In practice you would choose a much longer key rotation period. To test it, run ffmpeg again but this time enable key rotation. At the same time, open a new terminal and run the script from the same directory. The script will run forever until you terminate it. When ffmpeg has finished, terminate the script.
Take a look at the playlist. You should now see a number of different key entries in the playlist. All the segments that follow a key tag EXT-X-KEY are now encrypted using the key specified by the tag, instead of using one key to encrypt all segments like before.
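A sketch of the kind of rotation script described above, as an added example rather than the original post's script. It assumes ffmpeg's key info file layout (key URI, key file path, optional IV, one per line); the base URL is a placeholder and the file names are hypothetical.

```python
import os
import secrets
import time
from pathlib import Path

BASE_URL = "https://example.com/keys/"  # placeholder: where players fetch keys
KEY_INFO_FILE = "enc.keyinfo"           # hypothetical key info file name
ROTATION_PERIOD = 15                    # seconds, as in the text; use far longer in practice


def rotate_key(directory=".", base_url=BASE_URL):
    """Write a fresh AES-128 key and repoint the key info file at it."""
    directory = Path(directory)
    # Random file name: old keys stay in place for segments already written,
    # and key URLs cannot be guessed by counting.
    key_path = directory / f"{secrets.token_hex(8)}.key"
    # O_EXCL refuses to overwrite an existing key; 0o600 keeps it owner-only.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(secrets.token_bytes(16))  # 16 bytes from the OS CSPRNG
    iv = secrets.token_hex(16)                 # optional third line: 128-bit IV
    info = f"{base_url}{key_path.name}\n{key_path}\n{iv}\n"
    # Write to a temporary file and rename, so a reader polling the key info
    # file never sees a half-written one.
    tmp_path = directory / (KEY_INFO_FILE + ".tmp")
    tmp_path.write_text(info)
    os.replace(tmp_path, directory / KEY_INFO_FILE)
    return key_path


def main():
    while True:  # runs until terminated, as described in the text
        rotate_key()
        time.sleep(ROTATION_PERIOD)


if __name__ == "__main__":
    main()
```

Old key files are kept because segments already in the playlist still reference them.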
Hi Simon, your post is great. I am new to HLS and your site is really helpful. I have a question. How can I use mediafilesegmenter to encrypt every segment of the file with a different key?
You can use the -key-rotation-period option of mediafilesegmenter. It takes as an argument a number that specifies how many segments to encrypt before generating a new key. If you want to encrypt every segment with a different key then I guess you will need to set it to 1.
I am new to HLS AES encryption. Can I get an example of the above procedure in the book, meaning a video file taken and encryption explained in step-by-step fashion, including openssl and ffmpeg?
Hi Simon, I hope this thread is still active. But one basic question: how do I direct all the encrypted HLS chunks to a separate folder? In your script they just end up in the folder where I ran the script, so it's a little messy. Many thanks.
You can specify a relative or absolute path to the HLS segments. The following example will output the segments in a directory relative to the location where you run the command:
Make sure the directory you are writing the segments to exists. Take a look at the available options for more information.
Hey Simon, great post. Is this possible? Any thoughts on how to achieve this?
Even though the reference to the key is embedded in an HLS playlist, you can protect access to it. You can use something like basic authentication, which requires a username and password, or use client certificates and enable TLS client authentication to restrict access.
The HLS encrypted chunks are stored on a protected server, and the embedded HLS player accesses the keys from the path in the playlist. The keys are located on the same server that embeds the player, and viewers must be authenticated before accessing the player. To prevent just any site from accessing the key path, I have implemented CORS and only allowed the server where the player is embedded to access. Is there a better, more secure way to restrict access to the keys than CORS? Again, the player and the key store folder are both on the same site; both are off of the site root folder. Thanks for any advice you can give me.
You could try including some sort of authentication token in the playlist URL, e.
As the viewer is authenticated, you could tie the token to their identity. You would then check on the server if the token is valid or not.
If it is valid, you could then set a session cookie. Any subsequent requests to the server, e. An alternative approach to using a cookie could be to generate the playlist dynamically and include the token in the path to the encryption key.
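The token approach suggested in the reply above, as an added example that is not part of the original thread: an HMAC token tied to the viewer's identity, one key file and an expiry time, placed in each key URI of a dynamically generated playlist (here as a query parameter) and checked by the key endpoint. The secret, function names and sample playlist are constructed for illustration.

```python
import hashlib
import hmac
import re
import time

SECRET = b"constructed-demo-secret"  # assumption: the real secret lives in a secret store
KEY_URI = re.compile(r'(#EXT-X-KEY:[^\n]*URI=")([^"?]+)(")')

def _sign(viewer_id, key_name, expires, secret):
    if "|" in viewer_id or "|" in key_name:
        raise ValueError("'|' is the field separator and may not appear in a field")
    msg = f"{viewer_id}|{key_name}|{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def make_token(viewer_id, key_name, expires, secret=SECRET):
    """Token bound to one viewer, one key file and an expiry (epoch seconds)."""
    return f"{viewer_id}.{expires}.{_sign(viewer_id, key_name, expires, secret)}"

def verify_token(token, key_name, now=None, secret=SECRET):
    """Return the viewer id if the token is valid for key_name, else None."""
    now = time.time() if now is None else now
    try:
        viewer_id, expires_text, sig = token.rsplit(".", 2)
        expires = int(expires_text)
        expected = _sign(viewer_id, key_name, expires, secret)
    except ValueError:
        return None
    # Constant-time comparison: do not leak how much of the signature matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return viewer_id if now < expires else None

def personalise_playlist(playlist, viewer_id, ttl=300, now=None):
    """Append a per-viewer token to every EXT-X-KEY URI in a media playlist."""
    issued = int(time.time() if now is None else now)
    def add_token(match):
        key_name = match.group(2).rsplit("/", 1)[-1]
        token = make_token(viewer_id, key_name, issued + ttl)
        return f"{match.group(1)}{match.group(2)}?token={token}{match.group(3)}"
    return KEY_URI.sub(add_token, playlist)
# Constructed sample playlist (not from the original post).
SAMPLE = """#EXTM3U
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/video0.key"
#EXTINF:10.0,
segment0.ts
"""
if __name__ == "__main__":
    print(personalise_playlist(SAMPLE, "alice"))
```

The key endpoint calls `verify_token` with the requested key file name and serves the key only when a viewer id comes back.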
Could you give some examples? I mean, does it work in Android and Windows based web browsers i.
How authentication is implemented is not relevant in this example.