Trans DRM

If your content is stored encrypted on disk, then you may be limited in the available playouts. For example PIFF protected content is only compatible with HSS PlayReady (although it may be used for CENC and PIFF (Multi DRM)).

What if you also want to support playout to other formats as for instance HLS or HDS and/or different DRM systems?

The Unified Origin is capable of adding encryption on-the-fly for the various DRM systems. But for this to work the content needs to be in the clear. If your content is stored encrypted on disk, then the Origin is also capable of decrypting it on-the-fly. The decryption process is DRM agnostic. All the information needed for decrypting is the key id (KID) and content encryption key (CEK) pair used to encrypt the original content.

When the Origin is set up to decrypt and re-encrypt on-the-fly we call this trans DRM.

Options for trans DRM


The KID and CEK are passed with the --key option where KID and CEK are separated by a colon, e.g. --key=KID:CEK.

Both KID and CEK must be coded in hex (base16).

The key id value as used here is a UUID formatted big-endian. If your key ids are GUIDs, you have to convert them first, for instance with python from GUID to hex (base16):

import base64, uuid
guid = 'd05d0e1f-5093-4e6b-bbbf-fd9effbba1a9'

Which can be used as the key id.

To print it as UUID:

print uuid.UUID('1F0E5DD093506B4EBBBFFD9EFFBBA1A9')
>>> 1f0e5dd0-9350-6b4e-bbbf-fd9effbba1a9

Alternatively, you can use Dynamic Manifests for requesting the server manifest file from your CMS. The CMS then returns the key information and there is no need to store the key information on disk.

From HSS PlayReady to Clear

This is a simple setup that shows the first step in the process. We provide the key information for decrypting the streams and play out to all formats in the clear.

The video-pr.ismv file is a Smooth Streaming file. It was protected using PlayReady using the KID:CEK combination of 10000000100010001000100000000001:3A2A1B68DD2BD9B2EEB25E84C4776668.

mp4split -o video.ism --key=${KID}:${CEK} video-pr.ismv

From HSS PlayReady to HLS (AES-128)


AES_CEK=`cat video.key | hexdump -e '16/1 "%02x"'`

# URL that resolves to video.key

mp4split -o example.ism --key=${KID}:${CEK} \
  --hls.content_key=${AES_CEK} \
  --hls.license_server_url=${AES_LA_URL} \

This will create a server manifest that holds the information that USP needs to stream the encrypted file as HLS with AES-128 applied.

The AES-128 content encryption key in the above example can be created with for instance OpenSSL:

openssl rand 16 > video.key

From HSS PlayReady to HLS (SAMPLE-AES)

Using SAMPLE-AES is possible as well, you would need to follow the Adding SAMPLE-AES Encryption instructions to create the server manifest similar as above with AES-128.