During encoding, your video content is safe thanks to the credentials protection of Axinom Encoding Services. Moreover, the source files are also removed. Learn how this works.


This article discusses the content security during encoding. You can find an overview of the entire encoding process in the Encoding Overview article.

During encoding, your content is safe thanks to credentials protection and the removal of the source files.

Credentials Protection

Every time secrets are passed to the Encoding API, they can be passed in an encrypted form.

Credentials protection can be used in the following cases:

Section Activation Encrypted Elements

Any Storage Provider

"CredentialsProtection": "Encrypted"


Any Message Publisher

"CredentialsProtection": "Encrypted"



"KeysProtection": "Encrypted"

ManagementKey, KeySeed, Thumbprints

To encrypt a secret:

  1. Download the Encoding Service certificate using the Encoding API (GET /certificate) (the call requires authentication) and decode from base64

  2. Extract the public key from the certificate

  3. Encrypt the secret with the public key using the RSA algorithm and PKCS #1 padding

  4. Use the base64 encoded encrypted result instead of the original secret string

See the example code in C# below (click to expand).
// Read raw base64 text from file
var base64EncodedCert = await File.ReadAllTextAsync(@"path_to_file_with_base64_encoded_cert.txt");

// Convert it to bytes array
var certAsBytes = Encoding.ASCII.GetBytes(base64EncodedCert);

// Create an X.509 certificate object from bytes
using var x509 = new X509Certificate2(certAsBytes);

// Get a reference to public key
using var rsa = x509.GetRSAPublicKey();

// Convert your credentials secret to a byte array
var password = "credentials secret";
var dataToEncrypt = Encoding.UTF8.GetBytes(password);

// Encrypt using RSA with PKCS #1 padding
var encrypted = rsa.Encrypt(dataToEncrypt, RSAEncryptionPadding.Pkcs1);

// Encode encrypted in base64
var base64Encoded = Convert.ToBase64String(encrypted);


When you encrypt the credentials value with our certificate, please use the RSA encryption with PKCS #1 padding.

You can use the Credentials Protection Tool to encrypt credentials - it implements the algorithm described above.
Axinom recommends to always use Credentials Protection in production scenarios.

Removal of the Source Files

The Encoding Service is a stateless service. You upload a video to the input storage. The video is processed. The encoded and protected video is stored to the output storage. Nothing about the video stays with the Encoding Service (other than the log files). But what is with the input storage? Unlike the output storage, the input storage contains the content in clear (=not encrypted). To reduce the risks, the time that the video spends in clear should be minimized.

To facilitate this, the Encoding Service can be instructed to delete the source files once the job is successfully processed. The content is deleted even if the job fails.

The on-premise version of the Encoding Service won’t delete the source files if the job fails.
    "ContentProcessing" : {
        "DeleteFilesFromSourceWhenDone": true,

It is recommended to activate this option for increased content security.

If you do not possess the original video files (e.g. you purchase them from the content owner), be careful with deleting the source files from the input storage, if it is the only unencrypted copy you have. Once processed, the video cannot be returned back to the original form. However, if you store additional clear copies of the videos, be sure you apply the necessary security measures to protect against any relevant threat.
To use this option, the credentials used for the input storage shall grant the write access, not only read access.

Revision History

The table below lists the document versions and any changes to them.

Version Date Description


April 1, 2021

  • Initial version.