Protecting Videos with HLS Encryption

Product(s)
Video Cloud
Role(s)
Studio User
Task(s)
Manage Videos
Protect Videos
Topic(s)
DRM

This topic describes how to protect your videos playing on desktop and mobile devices with the Video Cloud HLS encryption feature. Video Cloud HLS encryption must be enabled for your account if you wish to use it - contact your Account Manager for more information.

What is Video Cloud HLS encryption?

HTTP Live Streaming Encryption (HLSe) lets you send encrypted video over HTTP for playback on desktop and mobile devices. It utilizes the Advanced Encryption Standard (AES) as well as other technologies to seamlessly protect content from non-authorized streaming, piracy, and redistribution by others, with no detectable difference to video playback. Video Cloud supports HLS encryption in Brightcove players. For more information on Brightcove Player support, see Brightcove Player System Requirements.

Adding Encryption to HLS renditions in Ingest Profiles

Encryption for HLS renditions is added during the ingestion process. For information on how to add encryption settings to the HLS renditions for your custom ingest profiles, see the HLS encryption (HLSe) developer document.

How does Video Cloud protect your content using HLS encryption?

Apple HTTP Live Streaming (HLS), independent of encryption, is a video serving protocol that uses different bit rates. Video Cloud supports creating multiple renditions that switch intelligently between renditions as network bandwidth changes and as service fluctuates. HLS essentially breaks a video into a sequence of small file downloads, each loading one short chunk, or segment, of the video at a time over HTTP.

Note: Apple requires HLS for long-form videos, that is, videos greater than 5 Mb, or longer than 10 minutes. In order to play videos longer than approximately 10 minutes on iOS devices, regardless of encryption, you must create HLS renditions.

Video Cloud supports encryption of video renditions for Apple HLS so that publishers can protect long form video content delivered to devices via HLS. Video Cloud HLS encryption protects content by adding AES to our standard HLS solution. When implementing encryption for Apple HLS, Video Cloud both encrypts each of the small file segments of the video and securely delivers the files that handle rendition selection.

Supported Features

In addition to utilizing the AES specification for encrypting electronic data, Video Cloud HLS encryption further protects content in the following manner:

  • Each segment file is encrypted
  • The HLS manifest (.m3u8 file) delivered by Video Cloud contains links to the keys for each segment
  • By default, keys are rotated every 10 minutes; you can specify the encryption_key_rotation_period in custom ingest profiles.
  • To add encryption to your HLS renditions for accounts enabled for Dynamic Delivery, simply submit a request to Brightcove Support to enable HLSe for the account. (For accounts already enabled for HLSe, if your account is enabled for Dynamic Delivery, encryption will continue to be applied to all HLS renditions.)
  • To add encryption to your HLS renditions in accounts using the legacy ingest system (non-Dynamic Delivery), add the encryption_method and encryption_key_rotation_period fields to each of the HLS renditions defined in your ingestion profile:
    {
      "media_type": "video",
      "reference_id": "ts0",
      "format": "ts",
      "type": "segmented",
      "audio_codec": "aac",
      "audio_bitrate": 64,
      "video_codec": "h264",
      "encryption_method": "aes-128",
      "encryption_key_rotation_period": 10,
      "video_bitrate": 450,
      "decoder_bitrate_cap": 771,
      "decoder_buffer_size": 1028,
      "keyframe_rate": 0.5,
      "max_frame_rate": 30,
      "width": 480,
      "height": 270,
      "h264_profile": "baseline"
    

Note: Video encryption is not by itself a strong form of content protection. If content security is critical for your organization, you should employ DRM protection. Contact your Account Manager for details about bundling HLS encryption and DRM protection so that you can secure your content wherever it plays.

What happens after HLS encryption implementation

Video Cloud HLS encryption delivers secure multiple bitrate encoding wherein each rendition and each segment of each rendition is protected in multiple ways. HLS encrypted videos are available for play on desktop and mobile devices when the first rendition of a video is uploaded and encrypted. Once implemented, all videos uploaded thereafter will be protected using HLS encryption. Video Cloud HLS encryption adds no detectable change to playback of videos on devices. Video Cloud HLS encryption only affects the HLS renditions of a video file, it has no impact on MP4 renditions.

Limitations

  • HLS encryption applies to all non-DRM HLS renditions in your account. If you have promotional or other videos you want to deliver without encryption, you can upload them to a different Video Cloud account without HLS encryption enabled.
  • Video Cloud does not support encrypting HLS renditions uploaded to Video Cloud before the implementation of HLS encryption. Previously uploaded HLS content remains unencrypted. You must retranscode videos uploaded before HLS encryption to protect them.
  • Video Cloud does not show an indicator to identify HLS encrypted videos in the Media module.
  • If a user plays an HLS encrypted video on an Apple device and then attempts to replay it after the TTL has expired, playback will fail to start, and will not provide an alert message to the user.
  • When using the Brightcove Player, HLS playback is not supported on IE8 or IE9. These devices will fall back to MP4.
  • HLSe is supported in the Android SDK and will be supported on older versions with the VisualOn component. HLSe should also work on 4.x with the HTML5 player. For more information on the support of HLSe on Android devices, see Android Supported Media Formats.
  • For HTML5 players, HLSe support is completely determined by the underlying OS/device.
  • If you elect to terminate Video Cloud HLS encryption, newly uploaded videos will not be protected; however, previously encrypted HLS renditions will fail to play, and will require retranscoding to play.
  • Currently, HLSe content is not supported with offline playback using the Brightcove Native SDK for Android, iOS or tvOS.