Flussonic Media Server documentation

DRM (content protection)

Description of DRMs Anchor Anchor x2

In HLS specification Apple describes two standard encryption alorithms: AES-128 and SAMPLE-AES. Flussonic supports both of them and also Conax DRM.

This algorithms differs in way of encryption, but are the same for usage:

  • Flussonic retrieves an encryption key from a key server, and URL of this key.
  • Client retrieves from Flussonic this encrypted content and URL of decryption key.
  • Keyserver recieve a request from this client, and then decides, if it should respond with a key or not

If a content was recieved over some safe channel, and client connects to the keyserver over HTTPS, you can most likely expect that client can decrypt video and play it without revealing this decrypted content to the end user.

Mechanics of retrieving keys are equal for video streams and files since 4.5.1 Flussonic fetches keys from key server.

Setting up encryption Anchor Anchor x2

Internally Flussonic store content in unencrypted form. If you enable encryption on HLS, but leave HDS enabled too, any user can play this video without any problems over HDS, bypassing any encryption.

To avoid this, you should manually disable all excessive protocols for specified stream or vod location:

stream channel0 {
  rtsp off;
  rtmp off;
  hds off;
  mpegts off;
}

file vod {
  rtsp off;
  rtmp off;
  hds off;
  mpegts off;
}

Now user can access video only over HLS and DASH.

DRM for VOD files and live Anchor Anchor x2

In this case, external keyserver can't distribute keys directly, because it do now know when file will be opened. So you have to configure file for accessing to a keyserver:

file drm {
  path priv;
  hds off;
  rtmp off;
  rtsp off;
  dash off;
  drm aes128 keyserver=http://192.168.0.80:4500/;
}

With this configuration Flussonic will request keyserver with HTTP GET and ?file= parameter: http://192.168.0.80:4500/?file=drm/bunny.mp4

As a response Flusonic expects data where first 32 bytes should be HEX representation of an encyrption key. Also it expects X-Key-Url HTTP header that will be redirected to a client. This X-Key-Url should be a 16-bytes long decryption key (NOT in HEX form).

Conax DRM Anchor Anchor x2

Example drm config line:
  drm conax keyserver=https://uSeR:Passw0rd@cas-gateway:12346;

See more options at Conax DRM page.

BuyDRM (KeyOS) Anchor Anchor x2

Example drm config line:
  drm buydrm userkey=596f7572-2075-7365-725f-6b6579202020;

See more options at BuyDRM (KeyOS) page.

DRM for DVR Anchor Anchor x2

Flussonic memorize that segments were encrypted with Apple DRM, and can output archived data with the same keyserver URL that was used when this stream was in live.

That is, keyserver should store keys at their old URL, for a time equal to the depth of the archive.