Protecting Videos with HLS Encryption
What is HLS encryption?
When using HTTP Live Streaming Encryption (HLSe), the content is encrypted with the AES-128 standard, and the manifest contains a link to a key that allows the decryption of the HLS content. This alone does not provide complete security, since once the key is obtained, the content can be easily decrypted and redistributed. There are a few mechanisms in place that allow protection of the key, such as serving it over HTTPS, or different token authentication models. HLSe does secure the content against most standard users trying to get the content, but is not considered DRM-level content protection. Beacon supports HLS encryption in Brightcove Players. For more information on Brightcove Player support, see Brightcove Player System Requirements. Also check out the limitations section below.
How does Brightcove protect your content using HLS encryption?
Apple HTTP Live Streaming (HLS), independent of encryption, is a video serving protocol that uses different bit rates. Beacon supports creating multiple renditions, with playback switching intelligently between them as network bandwidth changes and as service fluctuates. HLS essentially breaks a video into a sequence of small file downloads, each loading one short chunk, or segment, of the video at a time over HTTP.
Beacon supports encryption of video renditions for Apple HLS so that publishers can protect long form video content delivered to devices via HLS. HLS encryption protects content by adding AES to our standard HLS solution. When implementing encryption for Apple HLS, Beacon both encrypts each of the small file segments of the video and securely delivers the files that handle rendition selection.
Supported Features
In addition to utilizing the AES specification for encrypting electronic data, HLS encryption further protects content in the following manner:
- Each segment file is encrypted
- The HLS manifest (.m3u8 file) delivered by Beacon contains links to the keys for each segment
- To add encryption to your HLS renditions for accounts enabled for Dynamic Delivery, simply submit a request to Brightcove Support to enable HLSe for the account. (For accounts already enabled for HLSe, if your account is enabled for Dynamic Delivery, encryption will continue to be applied to all HLS renditions.)
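The following added example, which is not part of the original page or Brightcove's code, parses the EXT-X-KEY tags of an HLS media playlist and reports segments that are unencrypted, use a method other than AES-128, or fetch their key over plain HTTP. The playlist, hostnames, and finding labels are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample media playlist (not real Beacon output); hosts are placeholders.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.com/k1?token=PLACEHOLDER",IV=0x00000000000000000000000000000001
#EXTINF:10.0,
segment0.ts
#EXT-X-KEY:METHOD=AES-128,URI="http://keys.example.com/k2"
#EXTINF:10.0,
segment1.ts
#EXT-X-KEY:METHOD=NONE
#EXTINF:10.0,
segment2.ts
#EXT-X-ENDLIST
"""

# Attribute list: NAME=value pairs, where a value may be a quoted string with commas.
ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def parse_attrs(attr_list):
    return {name: value.strip('"') for name, value in ATTR_RE.findall(attr_list)}

def audit_playlist(text, playlist_url):
    """Return (segment, finding) pairs for segments whose key setup is weak."""
    findings = []
    key = None  # an EXT-X-KEY tag applies to every segment until the next one
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#EXT-X-KEY:"):
            key = parse_attrs(line.split(":", 1)[1])
        elif line and not line.startswith("#"):  # a segment URI line
            method = key.get("METHOD") if key else "NONE"
            if method == "NONE":
                findings.append((line, "unencrypted"))
            elif method != "AES-128":
                findings.append((line, "method-not-aes-128"))
            elif "URI" not in key:
                findings.append((line, "missing-key-uri"))
            elif urlparse(urljoin(playlist_url, key["URI"])).scheme != "https":
                # urljoin resolves relative key URIs against the playlist URL
                findings.append((line, "key-not-https"))
    return findings

if __name__ == "__main__":
    for segment, finding in audit_playlist(SAMPLE_PLAYLIST, "https://cdn.example.com/v/index.m3u8"):
        print(f"{segment}: {finding}")
```

A clean result only shows that the key is requested over HTTPS; whether the key endpoint enforces token authentication has to be checked against the key server itself.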
What happens after HLS encryption implementation
HLS encryption delivers secure multiple bitrate encoding wherein each rendition and each segment of each rendition is protected in multiple ways. HLS encrypted videos are available for play on desktop and mobile devices when the first rendition of a video is uploaded and encrypted. Once implemented, all videos uploaded thereafter will be protected using HLS encryption. HLS encryption adds no detectable change to playback of videos on devices. HLS encryption only affects the HLS renditions of a video file; it has no impact on MP4 renditions.
Limitations
- HLS encryption applies to all non-DRM HLS renditions in your account. If you have promotional or other videos you want to deliver without encryption, you can upload them to a different Beacon account without HLS encryption enabled.
- Beacon does not show an indicator to identify HLS encrypted videos in the Media module.
- If a user plays an HLS encrypted video on an Apple device and then attempts to replay it after the TTL has expired, playback will fail to start, and no alert message will be shown to the user.
- HLSe is supported in the Android SDK and will be supported on older versions with the VisualOn component. HLSe should also work on 4.x with the HTML5 player. For more information on the support of HLSe on Android devices, see Android Supported Media Formats.
- For HTML5 players, HLSe support is completely determined by the underlying OS/device.
- If you elect to terminate HLS encryption, encryption will be removed from all videos in the account - no re-transcoding is required.
- Currently, HLSe content is not supported with offline playback using the Brightcove Native SDK for Android, iOS or tvOS.
- HLSe content restriction is not supported for In-Page experiences.