AWS Elemental Integration


PallyCon KMS supports SPEKE (Secure Packager and Encoder Key Exchange), which issues the keys required for Multi DRM packaging in AWS Elemental MediaConvert and MediaPackage.

You can easiliy integrate PallyCon Multi-DRM with AWS Elemental Media Services by setting PallyCon KMS URL to DRM encryption setting of MediaConvert or MediaPackage.

MediaConvert integration

MediaConvert Tutorial Video

This video is a tutorial for enabling DRM encryption on VOD content packaging with AWS Elemental MediaConvert.

Create MediaConvert IAM role

Please refer to IAM Settings AWS Guide Document and proceed as follows.

  1. In the AWS Console, select the IAM service.

  2. Click the Roles tab and select create role.

  3. Select MediaConvert and click the Next: permission button.

  4. Confirm the S3 Access and APIGateway access permissions and click Next: Review button.

    IAM role
    IAM role

  5. Set RoleName to MediaConvert-role and click the create role button.

    Create role
    Create role

Create MediaConvert job and set IAM role

  1. In the AWS Console, select the MediaConvert service.
  2. Click the create job button on the Jobs tab to start job creation.
  3. Select the MediaConvert-role created in the previous step in the IAM role setting section of the Job settings screen.
    MediaConvert role
    MediaConvert role

Set MediaConvert Input

  1. In the Input field, enter the content path to be packaged in s3.
    MediaConvert input
    MediaConvert input

Set MediaConvert Output groups

  1. Add the ouptput to the output groups by pressing the Add button. (DASH ISO for PlayReady and Widevine, Apple HLS for FairPlay and NCG-HLS)

    MediaConvert output
    MediaConvert output

  2. In Custom group name, enter a name that is easy for you to identify.

  3. In the Destination field, type the path on s3 that contains the package-completed file.

    MediaConvert output
    MediaConvert output

  4. Select the DRM encryption option, and then enter the Resource ID, System ID, and URL.

    • Resource ID: It is a value corresponding to the content ID (CID) in the integration specification in DRM Token Guide.
    • System ID: The DRM-specific system id value specified in Dash System ID. You need to set PlayReady and Widevine ID for DASH output(as shown below). Refer to the next sections for HLS output configuration.
      • PlayReady: 9a04f079-9840-4286-ab92-e65be0885f95
      • Widevine: edef8ba9-79d6-4ace-a3c8-27dcd51d21ed
    • Key Provider URL: Enter the following KMS URL. The KMS Token at the end of the URL is an API authentication token that is generated when you sign up PallyCon service, and can be found on the PallyCon Console site.
      • KMS URL format:
    • Certificate ARN: leave it blank
    • Play device compatibility: CENC v1
      DRM encryption
      DRM encryption
  5. Set the Outputs and click the Create button.

    • In case of widevine, it is mandatory to create the video and audio track separately because there are clients that can not play if you do not divide video and audio tracks into output. (click ‘add output’ button to add track)
      MediaConvert output 1
      MediaConvert output 1
      MediaConvert output 2
      MediaConvert output 2
  6. Make public or set permission on the S3 storage to play the generated file stored on it.

HLS configuration for FairPlay DRM

If you want to support Apple devices as well as others, you need to create both ‘DASH ISO’ and ‘Apple HLS’ output groups for a single input. To apply FairPlay DRM to Apple HLS output group, set the encryption options as below.

  • Encryption method: Sample AES
  • Key provider type: SPEKE
  • Resource ID: the same content ID as DASH output
  • System ID: DRM system ID for FairPlay (94ce86fb-07ff-4f43-adb8-93d2fa968ca2)
  • Key provider URL: same as DASH output (PallyCon KMS URL with enc token)
  • the other items: leave them as default

HLS configuration for NCG-HLS

You can also use the ‘Apple HLS’ output group to package HLS content with our proprietary NCG DRM instead of FairPlay DRM. For the NCG-HLS packaging, create an Apple HLS output group and set the DRM encryption options as shown below.

  • Encryption method: AES128
  • Key provider type: SPEKE
  • Resource ID: Enter the same content ID as the DASH output group
  • System ID: NCG HLS system ID (81376844-f976-481e-a84e-cc25d39b0b33)
  • Key Provider URL: PallyCon KMS URL same as DASH output group
  • Other items: leave them as default
NCG-HLS packaging is a method of additionally encrypting the AES128 key file with NCG DRM to improve the security of the clear key encryption. To play NCG-HLS contents, NCG Client SDK provided for each OS such as Android, iOS, and Windows is required, and NCG HLS contents cannot be played in a web browser.

Notes on CMAF Packaging

In addition to DASH-ISO and Apple HLS, CMAF(Common Media Application Format) type output can also be generated through SPEKE integration.

To ensure that CMAF content is supported in as many client environments as possible, including Apple devices, the encryption method in the DRM encryption setting should be set to AES-CBC subsample. Also, the KMS URL you enter in the Key provider URL field must use the URL below that supports CBCS encryption instead of the default SPEKE v1 URL.

Multi-key Packaging Issue

MediaConvert service supports SPEKE v1 based DRM encryption function. Unlike SPEKE API v2 which supports multi-key packaging, v1 supports single-key packaging only. (all of audio and video output tracks are encrypted with the same key). Therefore, DASH or CMAF content packaged with MediaConvert cannot support hardware DRM, which requires the audio and video tracks to be encrypted with separate keys.

Currently, the SPEKE v2 specification is applied to live DASH/CMAF packaging through MediaPackage service, and will be expanded to the VOD packaging function of MediaPackage in the future. (See MediaPackage integration guide below)

MediaPackage integration

Content can be encrypted in real time in conjunction with services such as AWS MediaLive which can upload HLS.

Note: In order to perform DRM packaging in MediaPackage, you must turn off Encryption in the Output Group of MediaLive.

MediaPackage Tutorial Video

This video is a tutorial for enabling DRM encryption on live stream packaging with AWS Elemental MediaPackage.

Create MediaPackage IAM role

  1. Create the same as MediaConvert IAM Authorization, and create only Role Name with SPEKEAccess.

  2. On the Roles tab, select SPEKEAccess role and click the Edit trust relationship button on the Trust relationships tab.

    SPEKEAccess role
    SPEKEAccess role

  3. Change the value of Principal.Service to and click the Update button.

    Update role
    Update role

Create MediaPackage Channel

  1. In the AWS Console, select the MediaPackage service.

  2. Create a channel.

    Create channel
    Create channel

  3. At the endpoints, press the Add button to set the endpoint.

  4. Set the endpoint name, packager settings, etc. according to the desired content specification.

  5. Configure Encryption and Outputs in the same way as MediaConvert Output groups setting no. 4.

  6. Enter the SPEKEAccess Role created in Role ARN.

  7. Click the Save button.

    MediaPackage options
    MediaPackage options

For information on various input values used for Encryption setting of MediaPackage Endpoint, refer to the MediaConvert Integration guide(the previous section).

Multi-key Packaging via SPEKE v2

The MediaPackage service supports multi-key packaging based on SPEKE API v2 for live DASH or CMAF output. Multi-key packaging is a function that encrypts the output video and audio tracks with different keys when DRM encryption is applied, and is necessary to apply hardware DRM such as PlayReady SL3000 or Widevine L1.

If you select SPEKE Version 2.0 in the DASH or CMAF Endpoint settings of the MediaPackage live channel, you can apply multi-key packaging through the following options:

SPEKE v2 option
SPEKE v2 option

You need to input the SPEKE v2 KMS URL when you choose the SPEKE v2 integration. You can find your own KMS Token value on PallyCon Console (Multi-DRM > DRM Setting > Multi-DRM Settings).