Encryption fields - AWS Elemental MediaPackage

Encryption fields

Protect your content from unauthorized use through content encryption and digital rights management (DRM). MediaPackage uses the AWS Secure Packager and Encoder Key Exchange (SPEKE) API to facilitate content encryption and decryption by a DRM provider. Using SPEKE, the DRM provider supplies encryption keys to MediaPackage through the SPEKE API. The DRM provider also supplies licenses to supported media players for decryption. For more information about how SPEKE is used with services and features running in the cloud, see AWS cloud-based architecture in the Secure Packager and Encoder Key Exchange API Specification guide.

Note

To encrypt content, you must have a DRM provider, and be set up to use encryption. For information, see Content encryption and DRM in AWS Elemental MediaPackage.

  1. Choose Encrypt content to serve content with copyright protection.

  2. For Encryption method, choose the encryption method to use. If you don't see your preferred encryption method, confirm that you chose the correct container type. The encryption method you choose affects which DRM system providers you can choose. For supported encryption methods and DRM system providers, see Container and DRM system support with SPEKE.

    • The valid encryption methods for TS container types are:

      • AES-128

      • Sample AES

    • The valid encryption methods for CMAF container types are:

      • CENC

      • CBCS

  3. For DRM systems, choose the DRM system providers you're using to protect your content during distribution. You can choose more than one. If you don't see your DRM system provider, confirm that you chose the correct container type and encryption method. For supported DRM system providers, see Container and DRM system support with SPEKE.

    The valid DRM systems are:

    • Clear Key AES-128

    • FairPlay

    • PlayReady

    • Widevine

  4. For Resource ID, enter an identifier for the content. The service sends this to the key server to identify the current endpoint. How unique you make this depends on how fine-grained you want access controls to be. The service does not permit you to use the same ID for two simultaneous encryption processes. The resource ID is also known as the content ID.

    The following example shows a resource ID.

    MovieNight20171126093045

  5. For Key server URL, enter the URL of the API Gateway proxy that you set up to talk to your key server. The API Gateway proxy must reside in the same AWS Region as MediaPackage.

    The following example shows a URL.

    https://1wm2dx1f33.execute-api.us-west-2.amazonaws.com/SpekeSample/copyProtection

  6. For Role ARN, enter the Amazon Resource Name (ARN) of the IAM role that provides you access to send your requests through API Gateway. Get this from your DRM solution provider.

    The following example shows a role ARN.

    arn:aws:iam::accountID:role/SpekeAccess

  7. (Optional) For Constant initialization vector, enter a 128-bit, 16-byte hex value represented by a 32-character string, used in conjunction with the key for encrypting content. If you don't specify a value, then MediaPackage creates the constant initialization vector (IV).

  8. For Key rotation interval (sec.), enter the frequency (in seconds) of key changes for live workflows, in which content is streamed in real time. The service retrieves content keys before the live content begins streaming, and then retrieves them as needed over the lifetime of the workflow. By default, key rotation is 300 seconds (5 minutes), the minimum rotation interval, which is equivalent to setting it to 300. The maximum key rotation interval is 31,536,000 seconds (1 year). If you don't enter an interval, content keys aren't rotated.

    The following example setting causes the service to rotate keys every thirty minutes.

    1800

    For information about key rotation, see Understanding key rotation behavior.
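
A pre-flight check of the constraints stated in the steps above, as an added example that is not AWS code or part of the MediaPackage API. The function name and dictionary field names are hypothetical, the account ID and IV are constructed sample values, and the check assumes an HTTPS key server URL on the default API Gateway `execute-api` hostname, as in the example URL above.

```python
import re
from urllib.parse import urlparse

# Container type -> encryption methods listed in step 2.
VALID_METHODS = {"TS": {"AES-128", "Sample AES"}, "CMAF": {"CENC", "CBCS"}}
MIN_ROTATION, MAX_ROTATION = 300, 31_536_000  # seconds, from step 8
# Assumption: default API Gateway hostname (no custom domain), HTTPS only.
HOST_RE = re.compile(r"^[a-z0-9]+\.execute-api\.([a-z0-9-]+)\.amazonaws\.com$")
ROLE_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
IV_RE = re.compile(r"^[0-9a-fA-F]{32}$")  # 16 bytes as 32 hex characters

def check_encryption_settings(cfg, mediapackage_region):
    """Return a list of problems found in cfg (hypothetical field names)."""
    problems = []
    allowed = VALID_METHODS.get(cfg.get("container_type"), set())
    if cfg.get("encryption_method") not in allowed:
        problems.append("encryption method not valid for container type")
    if not cfg.get("resource_id"):
        problems.append("resource ID is empty")
    url = urlparse(cfg.get("key_server_url", ""))
    m = HOST_RE.match(url.hostname or "")
    if url.scheme != "https" or not m:
        problems.append("key server URL is not an HTTPS API Gateway endpoint")
    elif m.group(1) != mediapackage_region:
        problems.append("API Gateway proxy is in a different Region")
    if not ROLE_RE.match(cfg.get("role_arn", "")):
        problems.append("role ARN is malformed")
    iv = cfg.get("constant_iv")  # optional; MediaPackage creates one if absent
    if iv is not None and not IV_RE.match(iv):
        problems.append("constant IV is not 32 hex characters")
    interval = cfg.get("key_rotation_interval")  # optional
    if interval is not None and not MIN_ROTATION <= interval <= MAX_ROTATION:
        problems.append("key rotation interval outside 300..31536000 seconds")
    return problems

# Constructed sample input; resource ID and URL are the examples shown above.
GOOD = {
    "container_type": "CMAF", "encryption_method": "CBCS",
    "resource_id": "MovieNight20171126093045",
    "key_server_url": "https://1wm2dx1f33.execute-api.us-west-2.amazonaws.com/SpekeSample/copyProtection",
    "role_arn": "arn:aws:iam::111122223333:role/SpekeAccess",
    "constant_iv": "00112233445566778899aabbccddeeff",
    "key_rotation_interval": 1800,
}
BAD = dict(GOOD, encryption_method="AES-128", constant_iv="abc123",
           key_rotation_interval=60)

if __name__ == "__main__":
    print(check_encryption_settings(BAD, "us-east-1"))
```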