Using DRM with Key Rotation (HLS TS Only)


New in version 1.9.3.

DRM with key rotation allows you to rotate over time the key that content is encrypted with. This can enhance security and allows for more flexibility. For example, it allows you to leave a lead in the clear, or to associate different programs in a stream with different keys.

Encrypting different programs with different keys is helpful when you intend to associate different programs with DRM licenses that contain different requirements. For example: decryption of some programs will only be allowed based on whether the end-user has a premium membership, or is paying extra to watch live sports, while others only require a regular subscription.

Another use case is to rotate the encryption key at a set interval to increase content security.


This feature is only supported for HLS TS and not for fMP4 HLS or for DASH.

Requirement: Content Protection Information eXchange (CPIX)

To use DRM with key rotation it is required to define your content protection configuration using a separate XML-file called a CPIX document; see CPIX encryption options, Introduction to CPIX and CPIX Document Requirements.

Workflow with key rotation for Unified Origin

For a VOD workflow that uses DRM with key rotation, a static CPIX document suffices to specify the content protection information. However, when adding key rotation to a Live workflow you will need a CPIX origin that can dynamically generate CPIX documents based on a given time-range.

CPIX documents for key rotation use cases contain a <ContentKeyPeriod> element [1] that defines the time period for which a specific content key is valid.

When not only rotating keys over time, but also using different keys for different tracks [2], setting up a CPIX origin that will dynamically provide the necessary CPIX documents is complicated.

Overall, the workflow is:

  • Define business logic for content protection

  • Acquire keys, Protection System Specific Header (PSSH) data and playout format specific signaling

  • Provide a CPIX document

    • Ideally: supplied by the DRM system as part of the previous step (key acquisition)

    • Otherwise: create the CPIX document yourself

  • Use the CPIX document as input to generate a stream protected with multiple keys, by using one of the CPIX encryption options to specify the location of the CPIX document when creating the server manifest.

Defining business logic for content protection

The business logic of your content protection is dependent on the business model of your streaming service, on requirements put forward by the copyright holders of the content that you are streaming, and on the options supported by the individual components of your video streaming setup, such as Unified Origin, the DRM provider that you use, and the playout devices that you want to offer your streaming service on.

One use case of key rotation is to automatically change the key that is used to encrypt a livestream after a certain period of time. Such a setup enhances the overall protection of the stream. For example, if an end-user was somehow able to extract the encryption key that was used during one period of the stream, this information would be useless for the next period, as that would use a different encryption key.

Another use case is to enable more granularity in the content protection of your stream, by associating different time periods (e.g., different programs) with different DRM licenses, as these licenses define the different contexts in which playout of the specified content is allowed and different licenses are generally associated with different encryption keys.

For example, if you want to require a premium subscription for playout of a movie that will streamed on a live channel, you will need to define this requirement in the DRM license that is associated with the period of time that the movie will be streamed (e.g., between 20-22h).

Supported key rotation DRMs (HLS TS only)

  • AES-128

  • Sample-AES

  • Apple Fairplay

Key rotation for Live with CPIX origin

Because a Live presentation does not necessarily have an ending, it is often impossible to create a CPIX document that covers the entire presentation. In these cases the configuration of the live DVR window [3] is important, as it is the available window the player can request. A CPIX origin can be implemented that can provide dynamic CPIX documents based on a given time span.

CPIX origin

When the player requests a manifest or media segment for a specific playout format, Unified Origin creates a time span for the CPIX document request (if the stream's configuration specifies a CPIX document for content protection). The time span that Origin adds to the request is denoted by the URL query arguments start and end, which are in ISO 8601 time format.

The request from the Unified Origin to the CPIX origin may look like:


Workflow example

The following is a workflow example of a player playing back HLS with key rotation. In general, it will start with a player that requests the Master Playlist for a stream, after which the player will request one or more Media Playlists that are referenced in the Master Playlist. Finally, the player will start requesting the media segments that are referenced in the Media Playlists.

Request for Master Playlist

For the HLS Master Playlist, the sequence after is has been requested by the player looks as follows:


Unified Origin

CPIX Origin

GET 'master.m3u8'

GET 'keyrotation.cpix'

Create 'keyrotation.cpix'

Create 'master.m3u8'

Origin does not append start & end time span for the Master Playlist. For key rotation, the #EXT-X-SESSION-KEY tag is not added to the Master Playlist either. All key information is found in the Media Playlists.

Request for Media Playlist

When a player requests a Media Playlist the sequence looks as follows, where the query arguments start & end are the time span of the requested Media Playlist:


Unified Origin

CPIX Origin

GET 'media.m3u8'

GET 'keyrotation.cpix?start&end'

Create 'keyrotation.cpix'

Create 'media.m3u8'

Request for media segment

When a player requests a media segment the sequence looks as follows, where the query arguments start & end are the time span of the requested media segment:


Unified Origin

CPIX Origin

GET 'fragment-n.ts'

GET 'keyrotation.cpix?start&end'

Create 'keyrotation.cpix'

Package 'fragment-n.ts'

Aligning keys to segments

The following example shows how keys and segments may overlap with time spans:


       segment 1             segment 2             segment 3             segment 4

                  key 1                                     key 2

In the above example, 2 keys are associated with the time span of segment 2. In such a case (where multiple keys match the timespan of a segment), the first key is used to encrypt the entire segment.


Aligning keys to the start of a segment is not strictly required, it is however important that there are no gaps of keys.

Key rotation with Live 24/7 example

The following example represents a setup for a 24/7 Live presentation with a DVR window of 60 seconds. This means in this presentation, when the player requests a manifest, the time span request to the CPIX Origin will be no larger than 1 minute.


mp4split -o live.isml \
  --hls.cpix=http://cpix-origin/contentid/keyrotation.cpix \

The hls.cpix [4] URL points to the CPIX origin.

Key rotation with VOD example

The following example represents a key rotation setup for a VOD presentation with a where the CPIX document is static and stored on disk.


mp4split -o tears-of-steel.ism \
  --hls.cpix=keyrotation.cpix \
  tears-of-steel-aac-128k.mp4 \
  tears-of-steel-avc1-750k.mp4 \

You can download vod-keyrotation.cpix for an example CPIX document for a 13 minute VOD presentation with AES-128 DRM rotating keys every minute.