HLS encryption with dynamic key

[Ivars]

Hello,

Is it somehow possible to configure HLS encryption key parameter so Nginx server would request and acquire the encryption key from some other server?

What I want to achieve is the following scenario:

1. User opens webpage on Apache/PHP/MYSQL server which contains Flowplayer
2. Upon the page open apache stores random Session UID in database
3. Flowplayer requests video from Nginx (via nginx-vod-module) with additional information to retrieve Session UID from database (some url parameter or request header)
4. Nginx retrieves Session UID from database (by connecting to apache/php server) and uses this Session UID to generate key and uses it in vod_secret_key parameter.
5. Nginx serves video encrypted with the key generated in step 4.

Module's documentation mentions encryptionKey parameter in Mapping reference: https://github.com/kaltura/nginx-vod-module#source-clip

encryptionKey - a base64 encoded string containing the key (128 bit) that should be used to decrypt the media file.

Is it possible to use this encryptionKey in my scenario or is it used to serve key to decrypt video which is already encrypted with this key?

[erankor]

The encryptionKey field is indeed only used to decrypt previously encrypted MP4 files. It should be possible to accomplish what you need with the latest changes that were added to support FairPlay. You need to enable DRM on the HLS location (vod_drm_enabled on), and use vod_drm_upstream_location & vod_drm_request_uri to configure how nginx-vod-module should access the key server. The key server should return a JSON in this format:

[{
    "key": "AAAAAAAAAAAAAAAAAAAAAA==", 
    "key_id": "BBBBBBBBBBBBBBBBBBBBBB==",
    "iv": "CCCCCCCCCCCCCCCCCCCCCC=="
}]

All fields are 128 bit base64-encoded. key_id is not relevant for HLS, but the module requires it since it's needed in other protocols. The IV is optional. Other than that, you will need to set vod_hls_encryption_key_uri to some URL (can contain nginx variables) since in DRM mode nginx-vod-module does not return the encryption key to the client

[xXxSPYxXx]

Hi! How I can encrypted mp4 files? I am need some guid etc, for use it whis nginx-vod-module.

[erankor]

Not sure I understand the question, what do you want to do ? use the on-the-fly decryption capability of nginx-vod-module ?

[Ivars]

Just a quick clarification - Fairplay support currently is not enabled in binary installation and I will need to compile the module myself - is that correct?

(I have currently installed RPM on Centos from here baseurl = http://installrepo.kaltura.org/releases/rhel7/RPMS/$basearch/)

[erankor]

We pushed a new package today (version 1.6) that has this functionality

[Ivars]

Thats great news! Can I close this thread now or it should stay open for xXxSPYxXx question?

[erankor]

Closing, @xXxSPYxXx please open a separate issue since your question does not seem related to this one

[jessp01]

Note that the packages were pushed to the 11.9.0 repo and not the 'latest' repo, to which they will be copied on Sun. To get them now, you will need to change your repo file accordingly.

in deb, /etc/apt/sources.list.d/kaltura.list, from: deb [arch=amd64] http://installrepo.origin.kaltura.org/repo/apt/debian kajam main to: deb [arch=amd64] http://installrepo.origin.kaltura.org/repo/apt/debian-nightly kajam main

in RPM, /etc/yum.repos.d/kaltura.repo from: http://installrepo.origin.kaltura.org/releases/latest/RPMS/noarch to: http://installrepo.origin.kaltura.org/releases/nightly/RPMS/noarch

or else you can download it directly from: RHEL/CentOS 6: http://installrepo.origin.kaltura.org/repo/releases/11.9.0/RPMS/x86_64/kaltura-nginx-1.8.1-1.x86_64.rpm

RHEL/CentOS 7: http://installrepo.origin.kaltura.org/repo/releases/rhel7/RPMS/x86_64/kaltura-nginx-1.8.1-1.x86_64.rpm

Debian/Ubuntu: http://installrepo.origin.kaltura.org/repo/apt/debian-nightly/pool/main/k/kaltura-nginx/kaltura-nginx_1.8.1-1_amd64.deb

May the source be with you,

Jess Portnoy

Kaltura Connect Virtual Summits 2015 - now on VOD! [connect.mediaspace.kaltura.com]

On Tue, 23 Feb 2016, erankor wrote:

We pushed a new package today (version 1.6) that has this functionality

— Reply to this email directly or view it on GitHub.[AFBqvVkUNT-_9vKmY6Qt7yCUmgsoZdKgks5pnDt-gaJpZM4Hf6b6.gif]