Flussonic Media Server documentation

DRM content protection in Flussonic Media Server

DRM (Digital Rights (Restrictions) Management) is a content protection method where the content is encrypted and decrypted by using a pair of keys. The keys are generated by the key server of a DRM system.

Flussonic Media Server supports the following DRM systems:

Flussonic also supports AES128 encryption.

Many DRM servers rotate license keys in order to achieve better security. Flussonic rotates keys by itself — it requests a new key from a DRM key server every 10 minutes.

The mechanism of DRM

In the HLS specification Apple describes two standard encryption algorithms: AES-128 and SAMPLE-AES. Flussonic Media Server supports both of them as well as a number of DRM systems.

The algorithms use different encryption methods, but they all work in the same way:

  1. Flussonic requests and retrieves an encryption key from a key server together with the URL of this key.
  2. The client retrieves from Flussonic encrypted content and the URL of a decryption key.
  3. The key server receives a request from this client and then decides if it should respond with a decryption key or not.

If the client receives video content from Flussonic over a secure channel and connects to the key server over HTTPS, you can most likely expect that it can decrypt the video and play it without revealing the decrypted content to illegitimate users.

The key retrieval mechanics are the same for video streams and files.

Setting up encryption in general

Flussonic Media Server stores all content in an unencrypted form. Content gets encrypted when Flussonic transmits it to the client.

To turn on encryption, add the drm line to the configuration of a stream or VOD location. Then specify the DRM encryption method and the DRM key server.

stream channel0 {
  url udp://239.0.0.1:1234;
  drm aes128 keyserver=http://192.168.0.80:4500/;
}

Look for the settings for individual DRMs in separate sections (see the links earlier on this page).

After you have saved the configuration, Flussonic will encrypt content for all protocols that can work with the specified DRM.

Warning! Make sure you disable all protocols that do not support the specified DRM. If an encryption method is supported by HLS, but you left the HDS protocol enabled, any user can play this video over HDS, bypassing encryption.

To avoid this, manually disable all unneeded protocols for the specified stream or VOD location:

stream channel0 {
  url udp://239.0.0.1:1234;
  rtsp off;
  rtmp off;
  hds off;
  mpegts off;
  dash off;
  drm aes128 keyserver=http://192.168.0.80:4500/;
}

file vod {
  rtsp off;
  rtmp off;
  hds off;
  mpegts off;
  dash off;
  drm aes128 keyserver=http://192.168.0.80:4500/;
}

Now a user can access video only over HLS.

DRM for VOD files

In this case, the external key server cannot distribute keys directly, because it does not know when a file will be opened.

So you need to configure the file for accessing a key server directly:

file drm {
  path priv;
  hds off;
  rtmp off;
  rtsp off;
  dash off;
  drm aes128 keyserver=http://192.168.0.80:4500/;
}

With this configuration Flussonic will send the key server an HTTP GET request with the ?file= parameter: http://192.168.0.80:4500/?file=drm/bunny.mp4

In response, Flussonic expects data in which the first 32 bytes are the HEX representation of an encryption key. It also expects an X-Key-Url HTTP header, which will be passed on to the client. The resource at this X-Key-Url should be a 16-byte decryption key (NOT in HEX form).
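
A minimal key server that follows the contract described above, as an added example that is not Flussonic's own code: one endpoint answers Flussonic's ?file= request with the HEX key and X-Key-Url, the other hands the raw 16-byte key to players that pass a check. The names PUBLIC_BASE, FLUSSONIC_ADDRS, ALLOWED_TOKENS, issue_key and serve_key, the /key/ path, the example.com address and the Authorization-header check are assumptions made for illustration.

```python
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

PUBLIC_BASE = "https://keys.example.com"  # assumed HTTPS address that players reach
FLUSSONIC_ADDRS = {"127.0.0.1"}           # assumed: only Flussonic may request new keys
ALLOWED_TOKENS = {"constructed-demo-token"}  # stand-in for a real entitlement check
KEYS = {}  # key id -> 16 raw bytes; entries are kept so old key URLs keep working

def issue_key(file_name):
    """Flussonic side: reply to GET /?file=<file_name> (fresh key per request here)."""
    key_id = secrets.token_urlsafe(16)
    KEYS[key_id] = secrets.token_bytes(16)
    body = KEYS[key_id].hex().encode()  # first 32 bytes of the body: key in HEX
    return body, {"X-Key-Url": f"{PUBLIC_BASE}/key/{key_id}"}

def serve_key(key_id, token):
    """Player side: decide whether to answer with the raw 16-byte key."""
    if token not in ALLOWED_TOKENS:
        return 403, b""
    key = KEYS.get(key_id)
    return (200, key) if key else (404, b"")

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        query = parse_qs(url.query)
        status, body, headers = 404, b"", {}
        if url.path == "/" and "file" in query:
            if self.client_address[0] in FLUSSONIC_ADDRS:
                status = 200
                body, headers = issue_key(query["file"][0])
            else:
                status = 403  # players must never reach the HEX key endpoint
        elif url.path.startswith("/key/"):
            token = self.headers.get("Authorization", "")
            status, body = serve_key(url.path[len("/key/"):], token)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 4500), Handler).serve_forever()
```

The ?file= endpoint returns the key without any client check, so it has to be reachable from Flussonic only; the authorization decision belongs on the X-Key-Url side.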

DRM protection of DVR archives

Archives are encrypted segment by segment with one key, and every 10 minutes Flussonic switches to a new key for the next group of segments.

Important! For DRM protection to work on DVR, the key server must store all old keys (at old URLs) for a time equal to the depth of the archive.