Flussonic Media Server documentation

DRM content protection in Flussonic Media Server

DRM (Digital Rights (Restrictions) Management) is a content protection method where the content is encrypted and decrypted by using a pair of keys. The keys are generated by a key server of a DRM system.

Flussonic Media Server supports the following DRM systems: KeyOS and Conax, and it also supports AES128 encryption.

Many DRM servers rotate license keys in order to achieve better security. Flussonic rotates keys by itself — it requests a new key from a DRM key server every 10 minutes.

The mechanism of DRM

In the HLS specification, Apple describes two standard encryption algorithms: AES-128 and SAMPLE-AES. Flussonic Media Server supports both of them as well as Conax DRM.

The algorithms use different encryption methods, but they all work in the same way:

  1. Flussonic requests and retrieves an encryption key from a key server together with the URL of this key.
  2. The client retrieves the encrypted content and the URL of a decryption key from Flussonic.
  3. The key server receives a request from this client and then decides whether to respond with a decryption key.

If the client receives video content from Flussonic over a secure channel and connects to the key server over HTTPS, you can most likely expect that it can decrypt and play the video without revealing the decrypted content to illegitimate users.

The mechanism for retrieving keys is the same for video streams and files.

Setting up encryption

Flussonic Media Server stores all content in an unencrypted form. Content gets encrypted when Flussonic transmits it to the client.

To turn on encryption, add the drm line to the configuration of a stream or VOD location. Then specify the DRM encryption method and the DRM key server. Later on this page you will find examples of configurations for different DRMs.

After you have saved the configuration, Flussonic will encrypt content for all protocols that can work with the specified DRM.

Warning! Make sure you disable all protocols that do not support the specified DRM.

If an encryption method is supported by HLS, but you left the HDS protocol enabled, any user can play this video over HDS, bypassing encryption.

To avoid this, you should manually disable all unneeded protocols for the specified stream or VOD location:

stream channel0 {
  rtsp off;
  rtmp off;
  hds off;
  mpegts off;
  dash off;
}

file vod {
  rtsp off;
  rtmp off;
  hds off;
  mpegts off;
  dash off;
}

Now a user can access video only over HLS.

DRM for VOD files and live streams

In this case, the external key server cannot distribute keys directly, because it does not know when a file will be opened.

So you need to configure the file for accessing a key server directly:

file drm {
  path priv;
  hds off;
  rtmp off;
  rtsp off;
  dash off;
  drm aes128 keyserver=http://192.168.0.80:4500/;
}

With this configuration, Flussonic will send an HTTP GET request to the key server with the ?file= parameter: http://192.168.0.80:4500/?file=drm/bunny.mp4

In response, Flussonic expects data in which the first 32 bytes are the HEX representation of an encryption key. It also expects an X-Key-Url HTTP header, which it passes on to the client. This X-Key-Url should return the decryption key as 16 raw bytes (NOT in HEX form).
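
A minimal key server that speaks the exchange described above, as an added example that is not Flussonic's own code. Only the ?file= parameter, the 32-character HEX body, the X-Key-Url header and the 16-byte raw key come from this page; KEY_BASE_URL, the /key/ path, the Authorization token check and the in-memory key store are assumptions for illustration.

```python
# Added example: minimal key server for "drm aes128 keyserver=...".
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

KEY_BASE_URL = "https://keys.example.com/key/"  # placeholder; players fetch keys here over HTTPS
KEYS = {}                                       # key_id -> 16 raw key bytes; old keys are kept
ALLOWED_TOKENS = {"constructed-demo-token"}     # constructed stand-in for an entitlement check

def issue_key(file_name):
    """Media-server side: return (body, X-Key-Url value) for a ?file= request."""
    # file_name would select a per-title policy in a real server; unused here.
    key_id = secrets.token_urlsafe(16)          # unguessable, so the URL reveals nothing
    KEYS[key_id] = secrets.token_bytes(16)      # fresh AES-128 key on every request
    return KEYS[key_id].hex().encode("ascii"), KEY_BASE_URL + key_id

def fetch_key(key_id, token):
    """Player side: the raw 16-byte key if the viewer is entitled, else None."""
    if token not in ALLOWED_TOKENS:
        return None
    return KEYS.get(key_id)

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        query = parse_qs(url.query)
        if url.path == "/" and "file" in query:            # request from the media server
            body, key_url = issue_key(query["file"][0])
            self._reply(200, body, {"X-Key-Url": key_url})
        elif url.path.startswith("/key/"):                 # request from a player
            token = self.headers.get("Authorization", "")  # assumed token transport
            key = fetch_key(url.path[len("/key/"):], token)
            if key is None:
                self._reply(403, b"")                      # refuse: no key for this viewer
            else:
                self._reply(200, key, {"Content-Type": "application/octet-stream"})
        else:
            self._reply(404, b"")

    def _reply(self, status, body, headers=None):
        self.send_response(status)
        for name, value in (headers or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 4500), Handler).serve_forever()
```

Because every issued key stays in the store under its own URL, earlier key URLs keep resolving after rotation; a production server would persist them and expire them on its own schedule.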

Conax DRM

Example of configuration, the drm line:

  drm conax keyserver=https://uSeR:Passw0rd@cas-gateway:12346;

For more options see Conax DRM page.

BuyDRM (KeyOS)

Example of configuration, the drm line:

  drm keyos userkey=596f7572-2075-7365-725f-6b6579202020;

For more options see BuyDRM (KeyOS) page.

DRM protection of DVR archives

Archives are encrypted segment by segment with one key, and every 10 minutes Flussonic switches to a new key for the next group of segments.

Important! For DRM protection to work on DVR, the key server must store all old keys (at old URLs) for a time equal to the depth of the archive.