{{ page.title }}

What is HLS encryption?

When using HTTP Live Streaming Encryption (HLSe) the content is encrypted with the AES 128 standard, and the manifest contains a link to a key that allows the decryption of the HLS content. This alone is not providing complete security, since once the key is obtained, the content can be easily decrypted and redistributed. There are few mechanisms in place that allow protection of the key, such as serving it over HTTPs, or different token authentication models. HLSe does secure the content against most standard users trying to get the content, but is not considered DRM level content protection. {{ site.product_short }} supports HLS encryption in Brightcove Players. For more information on Brightcove Player support, see Brightcove Player System Requirements. Also check out the limitations section below.

How does Brightcove protect your content using HLS encryption?

Apple HTTP Live Streaming (HLS), independent of encryption, is a video serving protocol that uses different bit rates. {{ site.product_short }} supports creating multiple renditions that switch intelligently between renditions as network bandwidth changes and as service fluctuates. HLS essentially breaks a video into a sequence of small file downloads, each loading one short chunk, or segment, of the video at a time over HTTP.

{{ site.product_short }} supports encryption of video renditions for Apple HLS so that publishers can protect long form video content delivered to devices via HLS. HLS encryption protects content by adding AES to our standard HLS solution. When implementing encryption for Apple HLS, {{ site.product_short }} both encrypts each of the small file segments of the video and securely delivers the files that handle rendition selection.

Supported Features

In addition to utilizing the AES specification for encrypting electronic data, HLS encryption further protects content in the following manner:

• Each segment file is encrypted
• The HLS manifest (.m3u8 file) delivered by {{ site.product_short }} contains links to the keys for each segment
• By default, keys are rotated every 10 minutes; you can specify the encryption_key_rotation_period in custom ingest profiles.
• To add encryption to your HLS renditions for accounts enabled for Dynamic Delivery, simply submit a request to Brightcove Support to enable HLSe for the account. (For accounts already enabled for HLSe, if your account is enabled for Dynamic Delivery, encryption will continue to be applied to all HLS renditions.)
• To add encryption to your HLS renditions in accounts using the legacy ingest system (non-Dynamic Delivery), add the encryption_method and encryption_key_rotation_period fields to each of the HLS renditions defined in your ingestion profile:

  {
    "media_type": "video",
    "reference_id": "ts0",
    "format": "ts",
    "type": "segmented",
    "audio_codec": "aac",
    "audio_bitrate": 64,
    "video_codec": "h264",
    "encryption_method": "aes-128",
    "encryption_key_rotation_period": 10,
    "video_bitrate": 450,
    "decoder_bitrate_cap": 771,
    "decoder_buffer_size": 1028,
    "keyframe_rate": 0.5,
    "max_frame_rate": 30,
    "width": 480,
    "height": 270,
    "h264_profile": "baseline"
  

What happens after HLS encryption implementation

HLS encryption delivers secure multiple bitrate encoding wherein each rendition and each segment of each rendition is protected in multiple ways. HLS encrypted videos are available for play on desktop and mobile devices when the first rendition of a video is uploaded and encrypted. Once implemented, all videos uploaded thereafter will be protected using HLS encryption. HLS encryption adds no detectable change to playback of videos on devices. HLS encryption only affects the HLS renditions of a video file, it has no impact on MP4 renditions.

Limitations

• HLS encryption applies to all non-DRM HLS renditions in your account. If you have promotional or other videos you want to deliver without encryption, you can upload them to a different {{ site.product_short }} account without HLS encryption enabled.
• For videos ingested using the legacy ingest system, {{ site.product_short }} does not support encrypting HLS renditions uploaded to {{ site.product_short }} before the implementation of HLS encryption. Previously uploaded HLS content remains unencrypted. You must retranscode videos uploaded before HLS encryption to protect them. This does not apply to videos ingested using the Dynamic Delivery system.
• {{ site.product_short }} does not show an indicator to identify HLS encrypted videos in the Media module.
• If a user plays an HLS encrypted video on an Apple device and then attempts to replay it after the TTL has expired, playback will fail to start, and will not provide an alert message to the user.
• When using the Brightcove Player, HLS playback is not supported on IE8 or IE9. These devices will fall back to MP4.
• HLSe is supported in the Android SDK and will be supported on older versions with the VisualOn component. HLSe should also work on 4.x with the HTML5 player. For more information on the support of HLSe on Android devices, see Android Supported Media Formats.
• For HTML5 players, HLSe support is completely determined by the underlying OS/device.
• If you elect to terminate HLS encryption, encryption will be removed from all videos in the account - no re-transcoding is required.
• Currently, HLSe content is not supported with offline playback using the Brightcove Native SDK for Android, iOS or tvOS.