Encryption & DRM with Multiple Keys

Encryption with multiple keys allows you to encrypt different tracks in a stream with different keys, instead of using one key to encrypt all audio and video tracks. For example:

  • Encrypt audio with different key than video
  • Encrypt some audio or video tracks, but not all of them
  • Encrypt premium features with different key than standard features
  • Encrypt all tracks with separate keys for complete flexibility

One reason to use encryption with multiple keys is to support a setup where different tracks are associated with DRM licenses that have different requirements. Such a setup is possible using only one encryption key, but becomes more secure when using multiple keys so that each key is only associated with a particular license. The latter approach is recommended by all major DRM systems.

This page provides an overview with examples of how to use encryption and DRM with multiple keys using Unified Packager.

Note

If you want information about using DRM with multiple keys for Unified Origin, have a look at Using DRM with Multiple Keys.

Multiple keys ‘cenc’ CENC encryption for DASH with Widevine and PlayReady

How to encrypt your content according to the CENC ‘cenc’ encryption scheme and add the necessary signaling for DRM is shown in the example below. Which type of DRM specific information you need to signal depends on the DRM system(s) you are using.

Going forward, we recommend using the drm_specific_data option to specify the Protection Scheme Specific Header (PSSH) box. Although Unified Packager can synthesize this data, this is only true for basic implementations and not for DRM with multiple keys and other more advanced use cases:

#!/bin/bash

KID1=10000000100010001000100000000001
CEK1=(openssl rand 16)

KID2=20000000200020002000200000000002
CEK2=(openssl rand 16)

PR-PSSH=<PLAYREADY_PSSH> #Add your PlayReady DRM specific PSSH data (same for all tracks)
WV-PSSH=<WIDEVINE_PSSH> #Add your Widevine DRM specific PSSH data (same for all tracks)

mp4split --package_mpd -o tops-aac-128k-dash-cenc.cmfaa  \
  --cenc.key=${KID1}:${CEK1} \
  --iss.drm_specific_data=${PR-PSSH} \
  --widevine.drm_specific_data=${WV-PSSH} \
  tears-of-steel-aac-128k.mp4

mp4split --package_mpd -o tos-avc1-400k-dash-cenc.cmfv \
  --iss.key=${KID2}:${CEK2} \
  --iss.drm_specific_data=${PR-PSSH} \
  --widevine.drm_specific_data=${WV-PSSH} \
  tears-of-steel-avc1-400k.mp4

mp4split --package_mpd -o tos-avc1-1500k-dash-cenc.cmfv \
  --iss.key=${KID2}:${CEK2} \
  --iss.drm_specific_data=${PR-PSSH} \
  --widevine.drm_specific_data=${WV-PSSH} \
  tears-of-steel-avc1-1500k.mp4

Note

You can use the --widevine.drm_specific_data option to specify a Base64 blob, point to a binary file that holds the “protobuf” PSSH data, or specify the full PSSH box. It is recommended to do the latter. When specifying a full PSSH box, mp4split will change a v1 PSSH box into a v0 PSSH box for maximum comptability.

For details about obtaining valid Widevine PSSH or testing see Widevine DRM Encryption API and check out Widevine tools.

When you have packaged and encrypted the content, creating the MPD is very straightforward. Content protection signaling is automatically added to the MPD based on the protection information stored in the media files. When PlayReady or Widevine information is present, then these schemes are added to the MPD. Marlin has no explicit signaling in the media files, and is always added to the MPD:

#!/bin/bash

mp4split --package_mpd -o tears-of-steel-cenc.mpd \
  tos-aac-128k-dash-cenc.cmfa \
  tos-avc1-400k-dash-cenc.cmfv \
  tos-avc1-1500k-dash-cenc.cmfv

Note

For more information about packaging DASH, check Packaging for MPEG-DASH.

Multiple keys ‘cbcs’ CENC encryption for fMP4 HLS

For fMP4 HLS you need to encrypt your content according to the CENC ‘cbcs’ encryption scheme. To do so, you add the following parameters to your command-line when packaging your content to CMAF (the keys below are meant as an example only).

--cenc.key=10000000100010001000100000000001:3a2a1b68dd2bd9b2eeb25e84c4776668 \
--cenc.key_iv=f9d9d5f5f3b5bc0372856df068f9f6a2 \
--scheme_type=cbcs

If you want to use different keys for different tracks (i.e., encryption with multiple keys) you simply signal add different keys on the command-line when packaging each of the tracks:

#!/bin/bash

KID1=10000000100010001000100000000001
KIV1=(openssl rand -hex 16)
CEK1=(openssl rand -hex 16)

KID2=20000000200020002000200000000002
KIV2=(openssl rand 16)
CEK2=(openssl rand 16)

# Store binary representation of each key in a file (used in next step)
echo ${CEK1} | xxd -p -r > cek1.key
echo ${CEK2} | xxd -p -r > cek2.key

mp4split -o tos-6000ms-128k-cbcs.cmfa \
  --fragment_duration=6000 \
  --cenc.key=${KID1}:${CEK1} \
  --cenc.key_iv=${KIV1} \
  --scheme_type=cbcs \
  tears-of-steel-aac-128k.mp4

mp4split -o tos-6000ms-1500k-cbcs.cmfv \
  --fragment_duration=6000 \
  --cenc.key=${KID2}:${CEK2} \
  --cenc.key_iv=${KIV2} \
  --scheme_type=cbcs \
  tears-of-steel-avc1-1500k.mp4

To add the necessary signaling of the relevant key to the Media Playlist of each track, make use of the --encrypt_key_url option to specify the link to the file that contains the encryption key of the track that you are creating the playlist for:

For example:

#!/bin/bash

mp4split -o tos-128k-fmp4-cbcs.m3u8 \
  --encrypt_key_url=cek1.key \
  tos-6000ms-128k-cbcs.cmfa

mp4split -o tos-1500k-fmp4-cbcs.m3u8 \
  --encrypt_key_url=cek2.key \
  tos-6000ms-1500k-cbcs.cmfv

Then, with all the Media Playlists in place, you generate the I-frame Playlists and Master Playlist as you normally would.

Note

For more information about packaging fMP4 HLS, check Packaging HTTP Live Streaming with fragmented MP4 (fMP4 HLS).

Adding FairPlay DRM

When you want to use FairPlay DRM, you have to set the --encrypt_key_url to signal the URL of your FairPlay licensing server. Additionally, you have to add the option --key_format="com.apple.streamingkeydelivery" when generating your Media Playlists.

#!/bin/bash

KID1=10000000100010001000100000000001
KID2=20000000200020002000200000000002

mp4split -o tos-128k-fmp4-fp.m3u8 \
  --encrypt_key_url=skd://${KID1} \
  --key_format="com.apple.streamingkeydelivery" \
  tos-6000ms-128k-cbcs.cmfa

mp4split -o tos-1500k-fmp4-fp.m3u8 \
  --encrypt_key_url=skd://${KID2} \
  --key_format="com.apple.streamingkeydelivery" \
  tos-6000ms-1500k-cbcs.cmfv

Then, with all the Media Playlists in place, you generate the I-frame Playlists and Master Playlist as you normally would.

Multiple keys encryption for HLS TS with SAMPLE-AES

Below you find an example of how to use SAMPLE-AES encryption with multiple keys for HLS TS. As the first step, you will have to create as many 128-bit CEKs as you will need (2, in the below example). In this case, the CEK is just a file with 16 random bytes. It is possible to use ‘openssl’ to create the key:

#!/bin/bash

openssl rand 16 > cek1.key
openssl rand 16 > cek2.key

After you have created the keys, you can use them to encrypt the tracks that you want to encrypt. Below, the audio track is encrypted with the first CEK, while the video track is encrypted with the second CEK:

#!/bin/bash

mp4split --package_hls -o presentation_a1/prog_index.m3u8 \
  --fragment_duration=6000 \
  --encrypt_key_file=cek1.key \
  --encrypt_key_url=../cek1.key \
  --stream_encrypt \
  --base_media_file=a2_ \
  tears-of-steel-aac-128k.mp4

mp4split --package_hls -o presentation_v2/prog_index.m3u8 \
  --fragment_duration=6000 \
  --encrypt_key_file=cek2.key \
  --encrypt_key_url=../cek2.key \
  --stream_encrypt \
  --base_media_file=v1_ \
  tears-of-steel-avc1-1500k.mp4

After you have packaged your content as HLS TS, you can create the necessary Master Playlist like you normally would:

#!/bin/bash

mp4split --package_hls -o presentation.m3u8 \
  presentation_a1/prog_index.m3u8 \
  presentation_v1/prog_index.m3u8 \
  presentation_v1/iframe_index.m3u8

Note

For more information about packaging HLS TS, check Packaging HTTP Live Streaming (HLS) with TS.

Multiple keys encryption for HLS TS with Apple FairPlay

If you want to use DRM with multiple keys for HLS TS with FairPlay, you will have to create separates files with all the keys first. Each file must contain both a 128-bit CEK and a 128-bit key IV. This is simply a file with 32 random bytes, where the first 16 bytes represent the CEK and the remaining 16 bytes represent the key IV. It is possible to use ‘openssl’ to create these files:

#!/bin/bash

openssl rand 32 > cek1-kiv1.key
openssl rand 32 > cek2-kiv2.key

The command-lines to package HLS TS with MP4 as input are the same as in the above example, although we need to add specific signaling for FairPlay protection (i.e., --streaming-key-delivery).

The mp4split command is:

#!/bin/bash

# Example that packages an audio track with the first set of CEK and Key IV
mp4split --package_hls -o presentation_a1/prog_index.m3u8 \
  --fragment_duration=6000 \
  --encrypt_key_file=cek1-kiv1.key \
  --encrypt_key_url=../cek1-kiv1.key \
  --stream_encrypt \
  --streaming_key_delivery \
  --base_media_file=a1_ \
  tears-of-steel-aac-128k.mp4

# Example that packages a video track with the second set of CEK and Key IV
mp4split --package_hls -o presentation_v1/prog_index.m3u8 \
  --fragment_duration=6000 \
  --encrypt_key_file=cek2-kiv2.key \
  --encrypt_key_url=../cek2-kiv2.key \
  --stream_encrypt \
  --streaming_key_delivery \
  --base_media_file=v1_ \
  tears-of-steel-avc1-1500k.mp4

Creating the Master Playlist is identical to the previous example.

Please note that within FairPlay the encrypt-key-url is only for information, a client typically implements different means of locating the license server and fetch keys.