In Azure Media Services, there are two ways to encrypt your content, regardless of whether you are applying common encryption (PlayReady) or envelope encryption (AES): dynamic encryption or static encryption. This post explains the difference and when to use each.
Dynamic encryption is what we always recommend. Once you encode your file into multi-bitrate MP4, you can configure the file to be encrypted by defining a content key, a content key authorization policy and an asset delivery policy. The file is stored in the clear in storage; you can optionally put storage encryption on the container. After configuration, our streaming server applies sample-level encryption to your media file on the fly. For example, if you configure AES dynamic encryption for the HLS streaming protocol, our streaming server will encrypt your file on the fly with AES envelope encryption and deliver it through HLS. Below is a diagram to show you how dynamic encryption works in Azure Media Services:
The benefits of using dynamic encryption are:
• Save on the storage cost:
- If you need to apply different encryption to different streaming protocols (such as AES for HLS, and PlayReady for Smooth Streaming), you only need to store your media file once and encrypt it differently on the fly.
• Lower cost if you want to change the content key:
- If you pre-encrypt the file and want to change the content key, you need to re-encrypt your media file, which could be time-consuming and costly. With dynamic encryption, you can change your key at any time, and the streaming server will pick up the new key and encrypt with it. Moreover, if you want to serve your content in the clear one day, you just need to remove the encryption configuration and the file will be served in the clear.
Here is some documentation if you want to learn more about using PlayReady/AES dynamic encryption:
- MSDN: Using PlayReady Dynamic Encryption and License Delivery Service
- MSDN: Using AES-128 Dynamic Encryption and Key Delivery Service
- Video: How to configure PlayReady license service
- Video: How to configure AES key delivery service
Static encryption allows you to encrypt your media file with either an AES 128 key or a PlayReady license statically, and the encrypted file is stored in storage. Our streaming server delivers the encrypted bits when your player requests them. If you want to use static encryption with the Azure Media Services Encryptor, the input file format has to be Smooth Streaming.
There are both advantages and disadvantages to using static encryption:
• Good if your input file has already been encrypted:
- If your files have already been encrypted on premises and you plan to deliver them through only one specific protocol, you can just upload your encrypted files into storage and stream them. If you want to further leverage our key delivery service, you can hand us the keys.
• The disadvantages were covered in the discussion of dynamic encryption above:
- It is not very easy to change the key, and you may waste storage if you want to encrypt your file with different encryption methods.

Here is some documentation if you want to use static encryption with Azure Media Services:
- MSDN: Using Static Encryption to Protect Smooth Stream and MPEG DASH with PlayReady
- MSDN: Using Static Encryption to Protect HLSv3 with AES-128
- MSDN: Using Static Encryption to Protect HLSv3 with PlayReady
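
The key-change benefit listed for dynamic encryption and the matching disadvantage of static encryption can be seen side by side in the following JavaScript (Node.js) example, which is added here and is not code from Azure Media Services or from the original post. It models an origin that encrypts clear segments per request next to one that stores pre-encrypted segments; the class names, the sample segments and the IV scheme (the HLS default of using the segment sequence number as the IV) are assumptions.

```javascript
// Added illustration: a toy origin server, not Azure Media Services code.
const crypto = require('crypto');

// Constructed sample data: three clear media segments as they would sit in storage.
const clearSegments = ['seg0-video-bytes', 'seg1-video-bytes', 'seg2-video-bytes']
  .map((s) => Buffer.from(s));

// Assumption: HLS default IV (segment sequence number, 16 bytes, big-endian).
function segmentIv(seq) {
  const iv = Buffer.alloc(16);
  iv.writeUInt32BE(seq, 12);
  return iv;
}

// HLS AES-128 envelope encryption: AES-128-CBC with PKCS7 padding per segment.
function encryptSegment(key, seq, clear) {
  const cipher = crypto.createCipheriv('aes-128-cbc', key, segmentIv(seq));
  return Buffer.concat([cipher.update(clear), cipher.final()]);
}

function decryptSegment(key, seq, encrypted) {
  const decipher = crypto.createDecipheriv('aes-128-cbc', key, segmentIv(seq));
  return Buffer.concat([decipher.update(encrypted), decipher.final()]);
}

// Dynamic: storage holds clear bytes; encryption happens per request with the current key.
class DynamicOrigin {
  constructor(segments, key) { this.stored = segments; this.key = key; }
  rotateKey(newKey) { this.key = newKey; } // nothing in storage is rewritten
  serve(seq) { return encryptSegment(this.key, seq, this.stored[seq]); }
}

// Static: segments are encrypted once at ingest and stored as ciphertext.
class StaticOrigin {
  constructor(segments, key) {
    this.key = key;
    this.rewrites = 0;
    this.stored = segments.map((s, i) => encryptSegment(key, i, s));
  }
  // Changing the key means decrypting and re-encrypting every stored segment.
  rotateKey(newKey) {
    this.stored = this.stored.map((enc, i) => {
      this.rewrites += 1;
      return encryptSegment(newKey, i, decryptSegment(this.key, i, enc));
    });
    this.key = newKey;
  }
  serve(seq) { return this.stored[seq]; }
}
```

After a key change, both origins deliver segments that decrypt under the new key, but only the static origin had to rewrite its stored data to get there.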
In summary, we see a trend toward applying encryption on the fly. However, different businesses have different circumstances, so it is always good to evaluate based on your own needs.