PallyCon KMS supports SPEKE (Secure Packager and Encoder Key Exchange), which issues the keys required for Multi DRM packaging in AWS Elemental MediaConvert and MediaPackage.
To complete the integration, enter the PallyCon KMS URL in the URL field of the DRM encryption settings in AWS Elemental. This guide explains how to integrate with the MediaConvert or MediaPackage service.
This video is a tutorial for enabling DRM encryption on MediaConvert and playing the DASH VOD DRM content.
For optimal playback, select ‘1080p’ as the video quality and enable subtitles (Korean or English) before starting playback.
Refer to the AWS guide document on IAM settings and proceed as follows.
Roles tab and select MediaConvert and click the
Confirm the S3 Access and APIGateway access permissions and click the Next: Review button.
Set RoleName to MediaConvert-role and click the create role button.
create job button on the Jobs tab to start job creation.
MediaConvert-role created in the previous step in the IAM role setting section of the Job settings screen.
Add the output to the output groups by pressing the Add button. (DASH ISO for PlayReady and Widevine, Apple HLS for FairPlay)
In Custom group name, enter a name that is easy for you to identify.
In the Destination field, type the S3 path where the packaged files will be stored.
Select the DRM encryption option, and then enter the Resource ID, System ID, and URL.
The enc-token at the end of the URL is an API authentication token that is generated when you sign up for the PallyCon service, and can be found on the PallyCon Console site.
Set the Outputs and click the Create button.
Make the S3 storage public or set permissions on it so that the generated files stored there can be played.
If you want to support Apple devices as well as others, you need to create both ‘DASH ISO’ and ‘Apple HLS’ output groups for a single input. Set the DRM encryption parameters below in the Apple HLS group.
In addition to
CMAF (Common Media Application Format) type output can also be generated through SPEKE integration.
However, at this time, Apple devices only support AES CBC encryption and Windows (Edge, IE browser) only supports AES CTR encryption, so it is not yet possible to support all platforms with one CMAF content.
Content can be encrypted in real time in conjunction with services such as AWS MediaLive, which can upload HLS.
Note: In order to perform DRM packaging in MediaPackage, you must turn off Encryption in the Output Group of MediaLive.
Create the role in the same way as in the MediaConvert IAM authorization, changing only the Role Name to SPEKEAccess.
On the Roles tab, select the SPEKEAccess role and click the Edit trust relationship button on the Trust relationships tab.
Change the value of Principal.Service to mediapackage.amazonaws.com and click the Update button.
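The trust relationship edited in the step above can be checked with a short script. This is an added example, not PallyCon's or AWS's code: it audits a trust policy document and reports any principal other than mediapackage.amazonaws.com that may assume the role. The sample policies are constructed, and BEFORE assumes the role was first created with MediaConvert as the trusted service.

```python
"""Added example: audit the SPEKEAccess role's trust policy (constructed data)."""
EXPECTED_SERVICE = "mediapackage.amazonaws.com"  # value set in the step above

def _as_list(value):
    """IAM accepts a single value or a list for most policy elements."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected=EXPECTED_SERVICE):
    """Return findings; an empty list means only `expected` may assume the role.

    Simplification: Condition and NotPrincipal elements are not evaluated.
    """
    findings, trusted = [], False
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":  # shorthand for "anyone"
            findings.append("wildcard principal can assume the role")
            continue
        for kind, values in (principal or {}).items():
            for value in _as_list(values):
                if kind == "Service" and value == expected:
                    trusted = True
                elif value == "*":
                    findings.append(f"wildcard {kind} principal can assume the role")
                else:
                    findings.append(f"unexpected {kind} principal: {value}")
    if not trusted:
        findings.append(f"{expected} is not trusted to assume the role")
    return findings

def _policy(principal):
    """Build a constructed single-statement trust policy for the samples below."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}

# Constructed samples; BEFORE assumes the role was created with MediaConvert trusted.
BEFORE = _policy({"Service": "mediaconvert.amazonaws.com"})
AFTER = _policy({"Service": "mediapackage.amazonaws.com"})
TOO_BROAD = _policy({"Service": "mediapackage.amazonaws.com", "AWS": "*"})

if __name__ == "__main__":
    for name, doc in (("BEFORE", BEFORE), ("AFTER", AFTER), ("TOO_BROAD", TOO_BROAD)):
        print(name, audit_trust_policy(doc) or "OK")
```

To audit a live role, pass the trust policy JSON shown on the Trust relationships tab to `audit_trust_policy` after loading it with `json.loads`.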
In the AWS Console, select the MediaPackage service.
Create a channel.
At the endpoints, press the Add button to set the endpoint.
Set the endpoint name, packager settings, etc. according to the desired content specification.
Configure Encryption and Outputs in the same way as MediaConvert Output groups setting no. 4.
In Role ARN, enter the SPEKEAccess role created earlier.
Click the Save button.
Additional Configuration in the Encryption option of a MediaPackage Endpoint.