Trans DRM

If your content is stored encrypted on disk, then you may be limited in the available playouts. For example, PIFF-protected content is only compatible with HSS PlayReady (although it may be used for CENC and PIFF (Multi DRM)).

What if you also want to support playout to other formats, for instance HLS or HDS, and/or different DRM systems?

The Unified Origin is capable of adding encryption on-the-fly for the various DRM systems. But for this to work the content needs to be in the clear. If your content is stored encrypted on disk, then the Origin is also capable of decrypting it on-the-fly. The decryption process is DRM agnostic. All the information needed for decrypting is the key id (KID) and content encryption key (CEK) pair used to encrypt the original content.

When the Origin is set up to decrypt and re-encrypt on-the-fly we call this trans DRM.

Options for trans DRM

--key

The KID and CEK are passed with the --key option where KID and CEK are separated by a colon, e.g. --key=KID:CEK.

Both KID and CEK must be coded in hex (base16).

The key id value as used here is a UUID in big-endian format. If your key ids are GUIDs, you have to convert them first, for instance with Python, from GUID to hex (base16):

import base64, uuid
guid = 'd05d0e1f-5093-4e6b-bbbf-fd9effbba1a9'
# b16encode returns bytes in Python 3, so decode to get a plain hex string
print(base64.b16encode(uuid.UUID(bytes_le=uuid.UUID(guid).bytes).bytes).decode('ascii'))
# prints: 1F0E5DD093506B4EBBBFFD9EFFBBA1A9

This value can be used as the key id.

To print it as UUID:

import uuid
print(uuid.UUID('1F0E5DD093506B4EBBBFFD9EFFBBA1A9'))
# prints: 1f0e5dd0-9350-6b4e-bbbf-fd9effbba1a9

Alternatively, you can use Dynamic Manifests for requesting the server manifest file from your CMS. The CMS then returns the key information and there is no need to store the key information on disk.
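
An added example (not part of the original page or of Unified Streaming's tooling): a Python helper that validates and normalizes a KID and CEK before they are passed to --key. It goes slightly beyond the conversion above by also accepting a base64-encoded CEK; the function names and the base64 input path are assumptions made for illustration, and the sample values are the ones shown on this page.

```python
import base64
import binascii
import uuid


def kid_to_hex(kid: str, is_guid: bool = False) -> str:
    """Return the KID as 32 upper-case hex digits in big-endian UUID order.

    is_guid=True applies the same GUID byte swap as the conversion above.
    """
    parsed = uuid.UUID(kid)  # ValueError unless the input is 128 bits of hex
    raw = parsed.bytes_le if is_guid else parsed.bytes
    return raw.hex().upper()


def cek_to_hex(cek: str) -> str:
    """Return a 16-byte CEK as hex; accepts hex or padded base64 input.

    Error messages never echo the key material itself.
    """
    text = cek.strip()
    try:
        raw = bytes.fromhex(text)
    except ValueError:
        try:
            raw = base64.b64decode(text, validate=True)
        except binascii.Error:
            raise ValueError("CEK is neither hex nor base64") from None
    if len(raw) != 16:
        raise ValueError(f"CEK must be 16 bytes, got {len(raw)}")
    return raw.hex().upper()


def key_option(kid: str, cek: str, is_guid: bool = False) -> str:
    """Build the --key=KID:CEK argument (hypothetical helper name)."""
    return f"--key={kid_to_hex(kid, is_guid)}:{cek_to_hex(cek)}"


if __name__ == "__main__":
    # Values taken from this page: the GUID example and the sample KID:CEK pair.
    print(kid_to_hex("d05d0e1f-5093-4e6b-bbbf-fd9effbba1a9", is_guid=True))
    print(key_option("10000000100010001000100000000001",
                     "3A2A1B68DD2BD9B2EEB25E84C4776668"))
```

A KID or CEK that is not exactly 16 bytes raises ValueError here, before anything reaches mp4split.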

From HSS PlayReady to Clear

This is a simple setup that shows the first step in the process. We provide the key information for decrypting the streams and play out to all formats in the clear.

The video-pr.ismv file is a Smooth Streaming file. It was protected with PlayReady using the KID:CEK combination of 10000000100010001000100000000001:3A2A1B68DD2BD9B2EEB25E84C4776668.

KID=10000000100010001000100000000001
CEK=3A2A1B68DD2BD9B2EEB25E84C4776668
mp4split -o video.ism --key=${KID}:${CEK} video-pr.ismv

From HSS PlayReady to HLS (AES-128)

KID="YOUR KEY ID"
CEK="YOUR CONTENT KEY"

# Hex-encode the 16-byte AES key stored in video.key
AES_CEK=$(hexdump -v -e '16/1 "%02x"' video.key)

# URL that resolves to video.key
AES_LA_URL=http://example.com/transdrm/video.key

mp4split -o example.ism --key=${KID}:${CEK} \
  --hls.content_key=${AES_CEK} \
  --hls.license_server_url=${AES_LA_URL} \
  example.ismv

This will create a server manifest that holds the information that USP needs to stream the encrypted file as HLS with AES-128 applied.

The AES-128 content encryption key in the above example can be created with, for instance, OpenSSL:

openssl rand 16 > video.key

From HSS PlayReady to HLS (SAMPLE-AES)

Using SAMPLE-AES is possible as well. Follow the Adding SAMPLE-AES Encryption instructions to create the server manifest, similar to the AES-128 example above.

From CPIX to CPIX

CPIX offers support for all major DRM systems and playout formats. CPIX can be used both to decrypt media on disk and to re-encrypt it with different keys. You need to combine the CPIX encryption options and the CPIX decryption options when creating your manifest.

The first step of the example uses the CPIX encryption option (--cpix) to encrypt the source content with the decrypt.cpix file.

#!/bin/bash

mp4split -o enc-tears-of-steel-avc1-1500k.ismv \
  --cpix=decrypt.cpix \
  tears-of-steel-avc1-1500k.mp4
mp4split -o enc-tears-of-steel-avc1-750k.ismv \
  --cpix=decrypt.cpix \
  tears-of-steel-avc1-750k.mp4
mp4split -o enc-tears-of-steel-aac-128k.isma \
  --cpix=decrypt.cpix \
  tears-of-steel-aac-128k.mp4

All source content is now encrypted. The last step uses the same keys to decrypt the source content and a new CPIX file to re-encrypt it. In this step, you also generate a server manifest for Unified Origin.

#!/bin/bash

mp4split -o tears-of-steel.ism \
  --decrypt_cpix=decrypt.cpix \
  --cpix=drm_encrypt.cpix \
  enc-tears-of-steel-aac-128k.isma \
  enc-tears-of-steel-avc1-750k.ismv \
  enc-tears-of-steel-avc1-1500k.ismv

From CENC to CPIX

This is another way to use CPIX to encrypt your content. This example uses Common Encryption (CENC) to encrypt the content with the --cenc.key option.

#!/bin/bash

kid=10000000100010001000100000000001
cek=3a2a1b68dd2bd9b2eeb25e84c4776668

mp4split -o enc-tears-of-steel-avc1-1500k.ismv \
  --cenc.key=${kid}:${cek} \
  tears-of-steel-avc1-1500k.mp4
mp4split -o enc-tears-of-steel-avc1-750k.ismv \
  --cenc.key=${kid}:${cek} \
  tears-of-steel-avc1-750k.mp4
mp4split -o enc-tears-of-steel-aac-128k.isma \
  --cenc.key=${kid}:${cek} \
  tears-of-steel-aac-128k.mp4

All the content is encrypted with the given keys. This final part shows how to use the --key option to decrypt the content, similar to the PlayReady examples above. Lastly, the --cpix option is used to re-encrypt the content. You may use this example CPIX file for re-encryption.

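#!/bin/bash

# Same key pair that was used to encrypt the content in the previous step
kid=10000000100010001000100000000001
cek=3a2a1b68dd2bd9b2eeb25e84c4776668

mp4split -o tears-of-steel.ism \
  --key=${kid}:${cek} \
  --cpix=drm_encrypt.cpix \
  enc-tears-of-steel-aac-128k.isma \
  enc-tears-of-steel-avc1-750k.ismv \
  enc-tears-of-steel-avc1-1500k.ismv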