A guide to statically packaging and encrypting CMAF content for us by DASH and HLS.

A guide to statically packaging and encrypting CMAF content for us by DASH and HLS.


AUTHOR: Sam-Perriton-Branch

(VUALTO Software Developer)

In 2016 Apple and Microsoft proposed a standard to MPEG; it involved a standardized transport container for use with the MPEG-dash and HLS streaming protocol. The aim was to align the video containers in order to simplify video streaming workflows and therefore reduce latency and costs.

The number of devices that added support for the Common Application Media Format (CMAF) increased over the next couple of years however, the problem still remained of playing encrypted content using CMAF. The problem was, that Apple (Fairplay) used the CBC encryption mode whereas Microsoft (PlayReady) and Google (Widevine) used CTR.
This meant still delivering two sets of content, one encrypted using CBC and another using CTR.

In 2018, Microsoft and Google announced they would be adding support for CBCS encryption mode, also supported by Fairplay. They released updates to their server SDKs and it is now possible to create a CMAF stream encrypted with CBCS for playout via MPEG-dash or HLS.

Due to the fact you only have to create and store one set of video fragments, you should see massive improvements all of the way through the video workflow.

  • Encoders will not have to work as hard.
  • The DRM becomes simpler to implement and closer to “true” CENC.
  • Less storage is required and it becomes more efficient at the CDN level.
  • If you are still pre-fragmenting your streams, your storage costs are halved.

The following guide will show you how to create your DRM encrypted CMAF content.

You will need 4 things:

  1. Some unencrypted content
  2. ‘Mp4split’
  3. A CPIX document
  4. A good reason to not be using JIT packaging

Here is an example of a simple VUDRM CPIX document that could be used to encrypt your content. It’s worth noting, that for this to work the keys in the CPIX document must use CBCS instead of CENC.

The main difference between these two types of encryption is how the IV is used throughout the encryption process, with CBCS using it in the initial block encryption and CENC using it for every block’s encryption. CMAF has support for both CENC and CBCS encryption keys but if you want to use HLS, you have to use CBCS keys. This is the only encryption scheme supported by Apple.

We first need to package our content into CMAF files and add some DRM information. This is much easier than it sounds and can be done with the following commands.

Now that we have our CMAF files, we simply need to create our DASH manifest and our HLS playlists.

We’ll start with the DASH manifest as this can be done with the single following commands.

To create your HLS master playlist, we first need to create media playlists from our CMAF files, which can be done with the following commands.

Now you have your media playlists we can combine these to create a master playlist. This is as simple as running the following command.

And there we have it!

You can now stream your encrypted content as either DASH or HLS using the same statically packaged files.

VUDRM – Making your Content Protection Easy

AUTHOR: Sam-Perriton-Branch (VUALTO Software Developer)