Video DRM, Widevine and PlayReady

Digital Rights Management (DRM) is the technology used by services like Netflix to protect their content. Each video is divided into segments which are packaged and encrypted. When someone loads such a video, the player requests a licence to play the video. If the request is accepted, the licence includes the data needed to decrypt it.

If DRM has been enabled for your account, the encryption happens seamlessly and automatically as part of the transcoding/processing stage.

Packaging & encryption

The first step is to package the video using DASH. Within that process, when using DRM the generated audio and video segments are encrypted using a common standard encryption/key mapping called CENC (Common Encryption Scheme). Prior to that, a separate copy would be needed for each DRM system. CENC means that a single copy of your content can be made - and that same copy can be decrypted using different licensing systems. For example Google supports the Widevine Modular system, and so that is the licence needed to decrypt the content when watched in their Chrome browser. However Microsoft supports the PlayReady system, and so that is the licence needed to decrypt the content when watched in their browsers (such as Edge or Internet Explorer).

Optionally we can also create a HLSe version of your video. The reason for creating this additional format is to support Apple iOS and the Safari browser. Apple’s browsers do not support either Widevine or PlayReady. Apple instead support their own system, FairPlay, in their desktop browser Safari - however that only works within apps on iOS. So if a video were to be played within a browser (by a viewer visiting your site on their phone) it would not play if it required a Widevine or PlayReady licence. Therefore the only way to make a video work within an iOS browser is to use their own encrypted version of HLS (their adpative streaming format), called HLSe (sometimes known as AES-128). The disadvantage of HLSe - and the reason why we make it optional - is that it is not as secure as “true” DRM. That is because the encryption key needed to decrypt the content is made available - unlike with true DRM, where it is not. That means it would be possible for someone to decrypt the segments outside of the player. So HLSe/AES-128 is a kind of middle-ground - not as good as DRM, but a compromise if you need your encrypted content to be viewable on iOS browsers too.

Licensing & decryption

The separate audio and video segments (usually five to ten seconds each) generated as part of the DASH packaging can not be played by themselves. Each is encrypted with a secret key. So in order to play them, when the player loads, it automatically requests a licence to decrypt the content. The licence depends on the browser being used. For example if the video is being watched in Chrome, a Widevine Modular licence will be requested by the player since that is the supported system. Upon receiving the licence, the player is able to decrypt the files internally, and so the viewer is able to watch the video. Therefore using DRM can add a small delay when loading the player, as that additional step of generating the licence needs to be done.

Supported browsers

We support the major desktop browsers since we support Widevine Modular, PlayReady and (optionally) HLSe for Safari/iOS support.

ChromeDASHWidevine Modular
FirefoxDASHWidevine Modular
IE 11+DASHPlayReady
OperaDASHWidevine Modular

Using DRM incurs licence fees from the licence providers. Note that HLSe does not incur a licence fee because the encryption key is not stored externally as part of a licence.

The cost of buying licences varies: if you would like to enable DRM, please get in touch and let us know your budget.

We have covered the basics of DRM, but if you have any other questions please contact us at [email protected]. We also have a help section for our professional video hosting that we will be adding some articles to.

Updated: October 25, 2016