Quickstart: Use portal to encrypt content

---

Warning

Azure Media Services will be retired June 30th, 2024. For more information, see the AMS Retirement Guide.

Use Azure Media Services to help secure your media from the time it leaves your computer all the way through storage, processing, and delivery. With Media Services, you can deliver your live and on-demand content encrypted dynamically with Advanced Encryption Standard (AES-128) or any of the three major digital rights management (DRM) systems: Microsoft PlayReady, Google Widevine, and Apple FairPlay. FairPlay Streaming is an Apple technology that is only available for video transferred over HTTP Live Streaming (HLS) on iOS devices, in Apple TV, and in Safari on macOS. Media Services also provides a service for delivering AES keys and DRM (PlayReady, Widevine, and FairPlay) licenses to authorized clients.

To specify encryption options (if any) on your stream, you use a streaming policy and associate it with your streaming locator. You create the content key policy to configure how the content key (that provides secure access to your assets) is delivered to end clients. You need to set the requirements (restrictions) on the content key policy that must be met in order for keys with the specified configuration to be delivered to clients.

Note

The content key policy is not needed for clear streaming or downloading.

When a stream is requested by a player, Media Services uses the specified key to dynamically encrypt your content by using AES clear key or DRM encryption. To decrypt the stream, the player requests the key from Media Services key delivery service or the key delivery service you specified. To decide if the user is authorized to get the key, the service evaluates the content key policy that you specified for the key.

This quickstart shows you how to create a content key policy where you specify what encryption should be applied to your asset when it is streamed. The quickstart also shows how to set the configured encryption on your asset.

Suggested pre-reading

• Dynamic encryption and key delivery
• Streaming locators
• Streaming policies
• Content key policies

Create a content key policy

Create the content key policy to configure how the content key (that provides secure access to your assets) is delivered to end clients.

1. Sign in at the Azure portal.
2. Navigate to the Media Services account you want to work with.
3. Select Content key policies.
4. Select + Add content key policy. The Create a content key policy window appears.
5. Choose encryption options. You can choose to protect your media by choosing digital rights management (DRM), the advanced encryption standard (AES), or both.
6. Whether you choose one of the DRM options or an AES-128 clear key option, you will be asked to specify how you want to configure restrictions. You can choose to have an open or token restriction. For detailed explanation, see Controlling content access.

Add a DRM content key

You can choose to protect your content with Microsoft PlayReady and/or Google Widevine, or Apple FairPlay. Each license delivery type will verify the content keys based on your credentials in an encrypted format.

License templates

For details about license templates, see:

• Google Widevine license template

  Note

  You can create an empty license template with no values, just "{}." Then a license template is created with defaults. The default works for most cases.

• Apple FairPlay license requirements and configuration

• PlayReady license template

Add the AES clear key

You can also add an AES-128 clear key encryption to your content. The content key is transmitted to the client in an unencrypted format.

Create a streaming locator for your asset

1. Navigate to the Media Services account you want to work with.
2. Select Assets.
3. From the list of assets, select the one you want to encrypt.
4. In the Streaming locators section for the selected asset, select + New streaming locator. The Add streaming locator screen will appear.
5. Select a streaming policy that is appropriate for the content key policy that you configured.
6. Once you select the appropriate streaming policy, you can select the content key policy from the drop-down list. For example, to be able to use an AES ClearKey policy, you must select Predefined_ClearKey from the Streaming policy dropdown list.
7. Select Add to add the streaming locator to your asset. This publishes the asset and generates the streaming URLs.

Cleanup resources

If you intend to try the other quickstarts, you should hold on to the resources created. Otherwise, go to the Azure portal, browse to your resource groups, select the resource group under which you ran this quickstart, and delete all the resources.

Security considerations for closed captions, subtitles, and timed-metadata delivery

The dynamic encryption and DRM features of Azure Media Services has limits to consider when attempting to secure content delivery that includes live transcriptions, captions, subtitles, or timed-metadata. The DRM subsystems, including PlayReady, FairPlay, and Widevine do not support the encryption and licensing of text tracks. The lack of DRM encryption for text tracks limits your ability to secure the contents of live transcriptions, manual inserted captions, uploaded subtitles, or timed-metadata signals that may be inserted as separate tracks.

To secure your captions, subtitles, or timed-metadata tracks, follow these guidelines:

1. Use AES-128 Clear Key encryption. When enabling AES-128 clear key encryption, the text tracks can be configured to be encrypted using a full "envelope" encryption technique that follows the same encryption pattern as the audio and video segments. These segments can then be decrypted by a client application after requesting the decryption key from the Media Services Key Delivery service using an authenticated JWT token. This method is supported by the Azure Media Player, but may not be supported on all devices and can require some client-side development work to make sure it succeeds on all platforms.
2. Use CDN token authentication to protect the text (subtitle, captions, metadata) tracks being delivered with short form tokenized URLs that are restricted to geo, IP, or other configurable settings in the CDN portal. Enable the CDN security features using Verizon Premium CDN or other 3rd-party CDN configured to connect to your Media Services streaming endpoints.

Warning

If you do not follow one of the guidelines above, your subtitles, captions, or timed-metadata text will be accessible as un-encrypted content that could be intercepted or shared outside of your intended client delivery path. This can result in leaked information. If you are concerned about the contents of the captions or subtitles being leaked in a secure delivery scenario, reach out to the Media Services support team for more information on the above guidelines for securing your content delivery.

Get help and support

You can contact Media Services with questions or follow our updates by one of the following methods:

• Q & A
• Stack Overflow. Tag questions with azure-media-services.
• @MSFTAzureMedia or use @AzureSupport to request support.
• Open a support ticket through the Azure portal.