Mosaic products documentation: Concepts, API Reference, Technical articles, How-to, Downloads and tools

Protect a video

This article is a part of the Encoding Quick Start Guide.

In this section, we will extend the video encoding process as described before with a DRM protection step.

DRM protection involves video encryption using a symmetric algorithm. For this, we need a secure encryption key.

Axinom Key Service fulfills this purpose - it generates encryption keys upon request.

Axinom Key Service supports a number of different protocols for key acquisition (see Key Acquisition API). However, with Axinom Encoding you don’t need to talk directly to the Key Service. Thanks to a so called " DRM Managed Mode" it is enough to provide your Key Service credentials to the Encoding Service (DRM Settings). Then the Encoding Service will connect to the Key Service and acquire the necessary key.

ContentKey ManagedMode
Figure 1. Interactions between Encoding and Key Service

To apply DRM protection to a video follow these steps:

  1. Create a DRM Key Service configuration

  2. Add DRM Settings to a Job Request

  3. Run an encoding job

  4. Store the generated keyId

Create a DRM Key Service configuration

If you haven’t done this yet, in Axinom Portal go to My Mosaic / DRM and click "Acquire Credentials".

This creates your DRM configuration - for the License Service and for the Key Service.

Store the generated Management Keys security. Don’t lose them - they are not recoverable (although, they can be reset by turning to Axinom Support).

The values you need for the next step:

  • Key Service Management API URL

  • Key Service Tenant Id

  • Key Service Management Key

  • Key Service Key Seed ID.

Add DRM Settings to a Job Request

Add the DRM-attributes to the ContentProcessing-element as shown below:

    "ContentProcessing": {
        "DrmProtection": "Managed",
        "DrmManaged": {
            "ApiUrl": "<Key Service Management API URL>",
            "TenantId": "<Key Service Tenant Id>",
            "ManagementKey": "<Key Service Management Key>" (encrypted),
            "KeySeed": "<Key Service Key Seed ID>" (encrypted),
            "Thumbprints": "Axinom Key Server Production,Axinom Key Server Testing,AxinomKeyServerTesting" (encrypted),
            "MultiKey": false,
            "Proxy": false,
            "KeysProtection": "Encrypted"

Apply Credentials Protection to the Management Key, Key Seed ID and the Thumbprints before adding them to the Job Request (use Credentials Protection Tool).

Run an encoding job

Now encode a video, same way as described in Encode a video.

Store the generated keyId

When you start an encoding job requiring DRM, you will receive the assigned keyId immediately in an HTTP-response:

    "JobId": "6a062671-596a-4f09-acfc-0ab800f9e3f1",
    "ExternalId": "<job_reference_id>",
    "ExternalType": "movie",
    "KeyId": "5a601de9-6075-461b-955c-0a155b93b0d3"

This is not the encryption key itself (the key is not stored anywhere for security reasons). But it is a reference to the encryption key.

With this keyId, Axinom DRM License Service can reconstruct the original encryption key. This is possible due to the usage of a so called KeySeed-model. (KeySeed-model is explained in the respective chapter of What is DRM? article.)

Play the protected video

Now you can play the newly encoded video as described in Play an existing DRM-protected video but use your own protected video URL:

  • Instead of the test vectors, paste an URL to your DASH manifest.

  • In the Content Keys field paste your keyId (just the value of the keyId, it is enough).

  • Provide your Communication Key and Communication Key Id (from your License Service configuration under My Mosaic / DRM).

If you generate an entitlement message yourself, use for it the keyId you received (see Create an entitlement message).