AWS Elemental Integration
PallyCon KMS supports SPEKE (Secure Packager and Encoder Key Exchange), which issues the keys required for Multi DRM packaging in AWS Elemental MediaConvert and MediaPackage.
You can easiliy integrate PallyCon Multi-DRM with AWS Elemental Media Services by setting PallyCon KMS URL to
DRM encryption setting of MediaConvert or MediaPackage.
MediaConvert Tutorial Video
This video is a tutorial for enabling DRM encryption on VOD content packaging with AWS Elemental MediaConvert.
Create MediaConvert IAM role
Please refer to IAM Settings AWS Guide Document and proceed as follows.
In the AWS Console, select the IAM service.
Rolestab and select
MediaConvertand click the
Confirm the S3 Access and APIGateway access permissions and click
Set RoleName to
MediaConvert-roleand click the
Create MediaConvert job and set IAM role
- In the AWS Console, select the MediaConvert service.
- Click the
create jobbutton on the Jobs tab to start job creation.
- Select the
MediaConvert-rolecreated in the previous step in the IAM role setting section of the Job settings screen.
Set MediaConvert Input
- In the Input field, enter the content path to be packaged in s3.
Set MediaConvert Output groups
Add the ouptput to the output groups by pressing the Add button. (DASH ISO for PlayReady and Widevine, Apple HLS for FairPlay and NCG-HLS)
In Custom group name, enter a name that is easy for you to identify.
In the Destination field, type the path on s3 that contains the package-completed file.
Select the DRM encryption option, and then enter the Resource ID, System ID, and URL.
- Resource ID: It is a value corresponding to the content ID (CID) in the integration specification in DRM Token Guide.
- System ID: The DRM-specific system id value specified in Dash System ID. You need to set PlayReady and Widevine ID for DASH output(as shown below). Refer to the next sections for HLS output configuration.
- Key Provider URL: Enter the following KMS URL. The
KMS Tokenat the end of the URL is an API authentication token that is generated when you sign up PallyCon service, and can be found on the PallyCon Console site.
- KMS URL format:
- KMS URL format:
- Certificate ARN: leave it blank
- Play device compatibility: CENC v1
Set the Outputs and click the Create button.
- In case of widevine, it is mandatory to create the video and audio track separately because there are clients that can not play if you do not divide video and audio tracks into output. (click ‘add output’ button to add track)
Make public or set permission on the S3 storage to play the generated file stored on it.
HLS configuration for FairPlay DRM
If you want to support Apple devices as well as others, you need to create both ‘DASH ISO’ and ‘Apple HLS’ output groups for a single input. To apply FairPlay DRM to
Apple HLS output group, set the encryption options as below.
- Encryption method:
- Key provider type:
- Resource ID: the same content ID as DASH output
- System ID: DRM system ID for FairPlay (
- Key provider URL: same as DASH output (PallyCon KMS URL with enc token)
- the other items: leave them as default
HLS configuration for NCG-HLS
You can also use the ‘Apple HLS’ output group to package HLS content with our proprietary NCG DRM instead of FairPlay DRM. For the
NCG-HLS packaging, create an
Apple HLS output group and set the DRM encryption options as shown below.
- Encryption method:
- Key provider type:
- Resource ID: Enter the same content ID as the DASH output group
- System ID: NCG HLS system ID (
- Key Provider URL: PallyCon KMS URL same as DASH output group
- Other items: leave them as default
NCG-HLSpackaging is a method of additionally encrypting the AES128 key file with NCG DRM to improve the security of the clear key encryption. To play
NCG-HLScontents, NCG Client SDK provided for each OS such as Android, iOS, and Windows is required, and NCG HLS contents cannot be played in a web browser.
Notes on CMAF Packaging
In addition to
CMAF(Common Media Application Format) type output can also be generated through SPEKE integration.
To ensure that CMAF content is supported in as many client environments as possible, including Apple devices, the encryption method in the
DRM encryption setting should be set to
AES-CBC subsample. Also, the KMS URL you enter in the
Key provider URL field must use the URL below that supports CBCS encryption instead of the default SPEKE v1 URL.
Multi-key Packaging Issue
MediaConvert service supports
SPEKE v1 based DRM encryption function. Unlike SPEKE API v2 which supports multi-key packaging, v1 supports single-key packaging only. (all of audio and video output tracks are encrypted with the same key).
Therefore, DASH or CMAF content packaged with MediaConvert cannot support hardware DRM, which requires the audio and video tracks to be encrypted with separate keys.
Content can be encrypted in real time in conjunction with services such as AWS MediaLive which can upload HLS.
Note: In order to perform DRM packaging in MediaPackage, you must turn off Encryption in the Output Group of MediaLive.
MediaPackage Tutorial Video
This video is a tutorial for enabling DRM encryption on live stream packaging with AWS Elemental MediaPackage.
Create MediaPackage IAM role
Create the same as MediaConvert IAM Authorization, and create only Role Name with SPEKEAccess.
On the Roles tab, select SPEKEAccess role and click the Edit trust relationship button on the Trust relationships tab.
Change the value of Principal.Service to mediapackage.amazonaws.com and click the Update button.
Create MediaPackage Channel
In the AWS Console, select the MediaPackage service.
Create a channel.
At the endpoints, press the Add button to set the endpoint.
Set the endpoint name, packager settings, etc. according to the desired content specification.
Configure Encryption and Outputs in the same way as MediaConvert Output groups setting no. 4.
Enter the SPEKEAccess Role created in Role ARN.
Click the Save button.
MediaConvert Integrationguide(the previous section).
Multi-key Packaging via SPEKE v2
The MediaPackage service supports multi-key packaging based on SPEKE API v2 for live DASH or CMAF output. Multi-key packaging is a function that encrypts the output video and audio tracks with different keys when DRM encryption is applied, and is necessary to apply hardware DRM such as PlayReady SL3000 or Widevine L1.
If you select
SPEKE Version 2.0 in the DASH or CMAF Endpoint settings of the MediaPackage live channel, you can apply multi-key packaging through the following options:
You need to input the
SPEKE v2 KMS URL when you choose the SPEKE v2 integration. You can find your own KMS Token value on PallyCon Console (Multi-DRM > DRM Setting > Multi-DRM Settings).
SPEKE v2 KMS URL: https://kms.pallycon.com/v2/cpix/getKey?enc-token=YOUR-KMS-TOKEN