Dynamic Encryption vs. Static Encryption with Azure Media Services

In Azure Media Services, there are two ways to encrypt your content, regardless of whether you are applying common encryption (PlayReady) or envelope encryption (AES): dynamic encryption or static encryption. This blog explains the difference and when to use which.

Dynamic Encryption:

This is what we always recommend. Once you encode your file into multi-bitrate MP4, you can configure the file to be encrypted by defining a Content Key, a Content Key authorization policy and an asset delivery policy. The file is stored in clear in storage; you can put storage encryption on the container, but that is optional. After configuration, our streaming server applies sample-level encryption to your media file on the fly. For example, if you configure AES dynamic encryption for the HLS streaming protocol, our streaming server encrypts your file on the fly with AES envelope encryption and delivers it through HLS. Below is a diagram showing how dynamic encryption works in Azure Media Services:

Architecture - Dynamic Encryption


The benefits of using dynamic encryption are:

  • Save on storage cost: If you need to apply different encryption to different streaming protocols (such as AES for HLS and PlayReady for Smooth Streaming), you only need to store your media file once and encrypt it differently on the fly.
  • Lower cost if you want to change the content key: If you pre-encrypt the file and want to change the content key, you need to re-encrypt your media file, which can be time-consuming and costly. With dynamic encryption, you can change your key at any time, and the streaming server will pick up the new key and encrypt with it. Moreover, if you want to serve your content in clear format one day, you just need to remove the encryption configuration and the file will be served in clear.
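
The following is an added example, not code from the original post or from Azure Media Services: a simplified Node.js model of the two approaches, showing why a key change rewrites every stored segment under static encryption but leaves storage untouched under dynamic encryption. The names `StaticOrigin` and `DynamicOrigin`, the sample segments and the keys are constructed for illustration; the cipher is AES-128-CBC as used by HLS `METHOD=AES-128`.

```javascript
// Added example: simplified model, not Azure Media Services code.
const crypto = require('node:crypto');
// HLS METHOD=AES-128 is AES-128-CBC with PKCS#7 padding over the whole segment.
// With no IV attribute, the IV is the media sequence number as a 16-byte big-endian value.
const ivFor = (seq) => { const iv = Buffer.alloc(16); iv.writeUInt32BE(seq, 12); return iv; };

function encryptSegment(clear, key, seq) {
  const c = crypto.createCipheriv('aes-128-cbc', key, ivFor(seq));
  return Buffer.concat([c.update(clear), c.final()]);
}
function decryptSegment(enc, key, seq) {
  const d = crypto.createDecipheriv('aes-128-cbc', key, ivFor(seq));
  return Buffer.concat([d.update(enc), d.final()]);
}

// Static: ciphertext is what sits in storage, so a key change rewrites every segment.
class StaticOrigin {
  constructor(segments, key) {
    this.key = key; this.rewrites = 0;
    this.stored = segments.map((s, i) => encryptSegment(s, key, i));
  }
  rotateKey(newKey) {
    this.stored = this.stored.map((s, i) => {
      this.rewrites += 1;
      return encryptSegment(decryptSegment(s, this.key, i), newKey, i);
    });
    this.key = newKey;
  }
  serve(i) { return this.stored[i]; }
}

// Dynamic: storage keeps the clear segments; the current key is applied per request.
// Storage access control therefore carries the confidentiality of the data at rest.
class DynamicOrigin {
  constructor(segments) { this.stored = segments; this.key = null; }
  setKey(key) { this.key = key; } // null means "serve in clear"
  serve(i) { return this.key ? encryptSegment(this.stored[i], this.key, i) : this.stored[i]; }
}

// Constructed sample data: three fake segments and two fake 128-bit content keys.
const SEGMENTS = ['seg-0', 'seg-1', 'seg-2'].map((s) => Buffer.from(s.repeat(40)));
const KEY_A = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');
const KEY_B = Buffer.from('f0e0d0c0b0a090807060504030201000', 'hex');

function demo() {
  const st = new StaticOrigin(SEGMENTS, KEY_A); st.rotateKey(KEY_B);
  const dyn = new DynamicOrigin(SEGMENTS); dyn.setKey(KEY_A); dyn.setKey(null);
  return { staticRewrites: st.rewrites, clearAfterPolicyRemoval: dyn.serve(0).equals(SEGMENTS[0]) };
}
console.log(demo());
```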

Here is some documentation if you want to learn more about using PlayReady/AES dynamic encryption:

Static Encryption:

This feature allows you to encrypt your media file statically with either an AES 128 key or a PlayReady license, and the encrypted file is stored in storage. Our streaming server delivers the encrypted bits when your player requests them. Note that if you want to use static encryption with Azure Media Services Encryptor, the input file format has to be Smooth Streaming.

There are also advantages and disadvantages to using static encryption:

In summary, we see applying encryption on the fly as the trend. However, different businesses have different circumstances, so it is always good to evaluate based on your own needs.
