AES (Advanced Encryption Standard) provides a straightforward method of protecting your media content. In the RMS Console, AES is implemented through content key policies and JWT (JSON Web Tokens).
This guide focuses on AES implementation after you've already uploaded and processed your media for publishing.
In this article:
Apply content key policies for AES
Why encrypt media
Media encryption works alongside streaming locator creation. Your assets must be processed before applying encryption. The RMS Console lets you:
- Create encrypted streaming locators in one workflow
- Test encryption settings with auto-generated JWTs
- Validate security immediately with the built-in player
Before you begin
- Process your media: RMS Console: Process media
- Explore the basic process of creating streaming locators: RMS Console: Publish Media
Apply content key policies for AES
AES encryption in the RMS Console protects media content using content key policies and JWT. In the RMS Console, you choose the streaming policy and content key policy. Based on these settings, the system generates JWTs and delivers encrypted HLS streams. This allows testing of playback behavior limited to authorized viewers.
To apply content key policies:
1. Navigate to the RMS Console > Assets and select an output asset with processed media.
2. Create a streaming locator.
3. From the dropdown list, select a Predefined_ClearKey streaming policy.
4. Select a compatible сontent key policy for AES.
The ability to add your custom content key policies via the RMS Console will be available soon.
There are no сontent key policies in the RMS Console by default. Learn how to add them to your account.
5. Click Add.
Manage JWT
After you create a streaming locator with an encryption policy, a JWT is automatically generated.
The RMS Console functions as both a testing and management tool for encrypted media workflows.
JWT considerations:
- The RMS Console automatically generates JWTs valid for 1 hour since the page loads.
- These auto-generated JWTs allow the testing of encrypted content.
- The JWT token field is editable: paste and test externally generated JWTs to validate custom authorization scenarios.
Verify encrypted playback
The HLS playback link is available when selecting Show URLs.
Use the links with the generated JWTs in any demo player, or use the built-in RMS Console Player to test playback with the current JWT.
Verify that playback fails without a valid JWT:
1. Modify the JWT Token value.
2. Click Refresh player.
3. Ensure no media is played.
If playback fails without a JWT but succeeds with the autogenerated one, your encryption setup is verified.
Troubleshooting
Encountering issues with encrypted media playback? Here are common problems and their solutions to quickly restore your content delivery:
Missing JWT
Confirm you've applied the correct AES-specific content key policy. If you’ve used a DRM-specific policy, the JWT will not appear.
Playback error
If you've replaced the auto-generated JWT with your externally generated JWT and are experiencing playback issues, verify that your custom JWT:
Has not expired
- Contains the correct claims and permissions
- Was generated for the selected locator
- Is properly formatted according to JWT standards
Contact us
If you've exhausted these troubleshooting steps and still cannot resolve the issue, contact Ravnur.