AWS Elemental MediaPackage
User Guide

Encryption Fields

Protect your content from unauthorized use through encryption. Digital rights management (DRM) systems provide keys to AWS Elemental MediaPackage for content encryption, and licenses to supported players for decryption.

Note

To encrypt content, you must have a DRM solution provider, and be set up to use encryption. For information, see Using Encryption in AWS Elemental MediaPackage.

  1. To serve content without copyright protection, keep No encryption selected.

  2. To serve content with copyright protection, choose Encrypt content and complete the additional fields as follows:

    1. Resource ID – Identifier that you define for the content, which is sent to the key server to identify the current endpoint. How unique you make this depends on how fine-grained you want access controls to be. The service does not allow you to use the same ID for two simultaneous encryption processes.

      The following example shows a resource ID:

      MovieNight20171126093045

    2. System IDs – Unique identifiers for your streaming protocol and DRM system. Provide up to two IDs for DASH and exactly one for the other streaming protocols. If you provide more than one system ID, enter them on separate lines, and do not separate them with commas or any other punctuation. For a list of common system IDs, see DASH-IF System IDs. If you do not know your IDs, ask your DRM solution provider.

    3. URL – The URL from the API Gateway proxy that you set up to talk to your key server.

      The following example shows a URL:

      https://1wm2dx1f33.execute-api.us-west-2.amazonaws.com/SpekeSample/copyProtection

    4. Role ARN – The Amazon Resource Name (ARN) of the IAM role that provides you access to send your requests through API Gateway. Get this from your DRM solution provider.

      The following example shows a role ARN:

      arn:aws:iam::012345678901:role/SpekeAccess

    5. Certificate ARN – (Optional) The ARN of a 2048 RSA certificate to use for content key encryption. Use this option only if your DRM key provider supports content key encryption. If you use this and your key provider doesn't support it, the event fails.

      To enter a certificate ARN here, you must have already imported the corresponding certificate into AWS Certificate Manager. Then enter the certificate ARN from ACM here.

    6. Encryption method – Choose Sample-AES for Apple HLS FairPlay or AES-128 for Apple HLS AES-128.

    7. (Optional) Constant initialization vector – A 128-bit, 16-byte hex value represented by a 32-character string that is used with the key for encrypting content.

    8. (Optional) Key rotation interval – The frequency, in seconds, of key changes for live workflows, in which content is streamed in real time. The service retrieves content keys before the live content begins streaming, and then retrieves them as needed over the lifetime of the workflow. By default, key rotation is set to 60 seconds, which is equivalent to setting it to 60. To disable key rotation, set this interval to 0 (zero).

      The following example setting causes the service to rotate keys every thirty minutes:

      1800

    9. (Optional) Repeat EXT-X-KEY – Boolean that indicates whether to repeat the key before every segment of the manifest. By default, the key is written just once, after the header and before the segments. If you choose Repeat EXT-X-KEY, the manifest is written as header, key, segment, key, segment, key, and so on, with every segment preceded by the key. Choose this according to the needs of the player. Choosing this might result in an increase in client requests to the DRM server.
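
The following pre-flight check is an added example, not part of the original guide or of the MediaPackage API. It validates a set of encryption field values against the constraints listed above before you enter them. The dictionary keys are hypothetical labels for the console fields, and the UUID and HTTPS checks are assumptions based on the DASH-IF system ID list and the API Gateway URL shown above.

```python
import re
import uuid
from urllib.parse import urlparse

# Dictionary keys are hypothetical labels for the console fields, not API parameter names.
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")
CERT_ARN = re.compile(r"^arn:aws[a-z-]*:acm:[a-z0-9-]+:\d{12}:certificate/.+$")
CONSTANT_IV = re.compile(r"^[0-9a-fA-F]{32}$")  # 128 bits = 16 bytes = 32 hex characters
METHODS = {"Sample-AES", "AES-128"}

def validate_encryption_fields(fields, protocol="HLS"):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not fields.get("resource_id"):
        problems.append("resource_id: missing")
    # One system ID per line; a comma-separated line fails UUID parsing below.
    ids = [ln.strip() for ln in fields.get("system_ids", "").splitlines() if ln.strip()]
    limit = 2 if protocol == "DASH" else 1  # up to two for DASH, exactly one otherwise
    if not 1 <= len(ids) <= limit:
        problems.append(f"system_ids: {len(ids)} given, expected between 1 and {limit}")
    for sid in ids:
        try:
            uuid.UUID(sid)  # assumption: system IDs are UUIDs, as in the DASH-IF list
        except ValueError:
            problems.append(f"system_ids: {sid!r} is not a single UUID")
    url = urlparse(fields.get("url", ""))
    if url.scheme != "https" or not url.netloc:  # assumption: proxy is reached over HTTPS
        problems.append("url: expected an https:// API Gateway URL")
    if not ROLE_ARN.match(fields.get("role_arn", "")):
        problems.append("role_arn: not an IAM role ARN")
    cert = fields.get("certificate_arn")  # optional
    if cert and not CERT_ARN.match(cert):
        problems.append("certificate_arn: not an ACM certificate ARN")
    if fields.get("encryption_method") not in METHODS:
        problems.append("encryption_method: choose Sample-AES or AES-128")
    iv = fields.get("constant_iv")  # optional
    if iv and not CONSTANT_IV.match(iv):
        problems.append("constant_iv: expected 32 hex characters")
    interval = fields.get("key_rotation_interval", 60)  # default from the guide
    if isinstance(interval, bool) or not isinstance(interval, int) or interval < 0:
        problems.append("key_rotation_interval: expected whole seconds (0 disables)")
    return problems

# Constructed sample: example values from this page plus a placeholder system ID.
SAMPLE = {
    "resource_id": "MovieNight20171126093045",
    "system_ids": "00000000-0000-0000-0000-000000000001",  # constructed placeholder
    "url": "https://1wm2dx1f33.execute-api.us-west-2.amazonaws.com/SpekeSample/copyProtection",
    "role_arn": "arn:aws:iam::012345678901:role/SpekeAccess",
    "encryption_method": "AES-128", "key_rotation_interval": 1800}
```

Calling validate_encryption_fields(SAMPLE) returns an empty list. Each entry in a non-empty result names the field that would need correcting.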