Handling encrypted source content in an HLS source - AWS Elemental MediaLive

Handling encrypted source content in an HLS source

MediaLive can ingest an HLS source that is encrypted according to the HTTP Live Streaming specification.

Supported encryption format

MediaLive supports the following format for encrypted HLS sources:

  • The source content is encrypted with AES-128. MediaLive doesn't support AES-SAMPLE.

  • The source content is encrypted using either static or rotating keys.

  • The manifest includes the #EXT-X-KEY tag with these attributes:

    • The METHOD attribute specifies AES-128.

    • The URI specifies the license server for the encryption key.

    • The IV is blank or specifies the initialization vector (IV) to use. If the IV is blank, MediaLive uses the value in the #EXT-X-MEDIA-SEQUENCE tag as the IV.

  • If both the upstream system and the license server require authentication credentials (user name and password), make sure that the same credentials are used on both servers. MediaLive does not support having different credentials for these two servers.

How decryption works

The content owner sets up the main manifest to include the #EXT-X-KEY with the method (AES-128), the URL to the license server, and the initialization vector (IV). The content owner places the encryption keys on the license server. When the MediaLive channel that uses this source starts, MediaLive obtains the main manifest and reads the #EXT-X-KEY tag for the URL of the license server.

MediaLive connects to the license server and obtains the encryption key. MediaLive starts pulling the content from the upstream system, and decrypts the content using the encryption key and the IV.