This how-to article describes how to create a content key policy for AES (Advanced Encryption Standard) or Digital Rights Management (DRM) with JWT (JSON Web Token) restrictions through the API, and how to use it in the RMS Console.
Content key policies set encryption rules and control who can obtain the keys or licenses for your protected media.
You can also add content key policies in the RMS Console on the Content Key Policies tab, as an alternative to the API method described on this page.
In this article:
Step 1: Prepare the request body
Step 2: Submit the API request
Step 3: Use the created policy
You can publish media encrypted with AES-128 or any of the three major DRM systems: Microsoft PlayReady, Google Widevine, and Apple FairPlay. Ravnur Media Services also provides a service for delivering AES keys and DRM (PlayReady, Widevine, and FairPlay) licenses to authorized clients.
To specify encryption options on your stream:
1. Select asset: Choose a processed media asset that you want to protect. This asset contains the media content that will be encrypted and streamed.
2. Create streaming locator: Create a streaming locator to securely publish the asset. This step makes the media accessible for playback via a streaming endpoint.
3. Choose streaming policy: Select a streaming policy to define how the media should be packaged and encrypted - for example, using AES or DRM.
4. Link content key policy: Manually associate a content key policy with the locator. This policy will issue the decryption key or license when the client presents a valid token, giving you control over access and protection rules.
Before you begin
1. Before creating the policy, go to RMS Console > API Key Management tab and locate the following:
- AZURE_SUBSCRIPTION_ID
- AZURE_RESOURCE_GROUP
- RAVNUR_MEDIA_SERVICES_ACCOUNT_NAME
2. Decide on a name for your content key policy. Example: my-aes-jwt-policy.
3. Obtain an access token with permissions to manage content key policies. Include the token in the Authorization header of API requests. For details on how to retrieve the token, see the RMS API authentication.
Step 1: Prepare the request body
Content key policy for AES
Example JSON request body for AES policy with JWT restriction:
{
  "properties": {
    "description": "AES encryption with JWT restriction",
    "options": [
      {
        "name": "my-aes-jwt-policy",
        "configuration": {
          "@odata.type": "#Microsoft.Media.ContentKeyPolicyClearKeyConfiguration"
        },
        "restriction": {
          "@odata.type": "#Microsoft.Media.ContentKeyPolicyTokenRestriction",
          "restrictionTokenType": "Jwt",
          "issuer": "your-issuer-name",
          "audience": "your-audience-name",
          "primaryVerificationKey": {
            "@odata.type": "#Microsoft.Media.ContentKeyPolicySymmetricTokenKey",
            "keyValue": "your-base64-encoded-secret-key"
          },
          "alternateVerificationKeys": [],
          "requiredClaims": [
            {
              "claimType": "your-claim-type",
              "claimValue": "your-claim-value"
            }
          ]
        }
      }
    ]
  }
}
The policyId, created, lastModified, and systemData fields do not need to be included when creating the policy; they are generated automatically.
Parameters overview
There are 3 different @odata.type values in the request body:
- Configuration type: "@odata.type": "#Microsoft.Media.ContentKeyPolicyClearKeyConfiguration" - specifies AES-128 clear key encryption for your content. After the token is validated, the key delivery service hands the AES key itself to the client; there is no DRM license and no hardware-backed protection, so this is basic content protection compared with the DRM options.
- Restriction type: "@odata.type": "#Microsoft.Media.ContentKeyPolicyTokenRestriction" - indicates token-based restriction of access to the encrypted content. The key delivery service validates the token before releasing the decryption key.
- Key type: "@odata.type": "#Microsoft.Media.ContentKeyPolicySymmetricTokenKey" - specifies that a symmetric (HMAC) key is used to validate JWT signatures. The same secret signs and verifies tokens, so your token issuer and the key delivery service share it, and anyone who holds the secret can mint tokens that pass validation.
There are also JWT authentication parameters:
- claimType - the name of a claim that must be present in a valid JWT. Example value: "env".
- claimValue - the value that claim must carry. Example: for "claimType": "env", claimValue might be "local". A token whose claim is absent or carries a different value is rejected.
- restrictionTokenType - use the value "Jwt" to select JSON Web Token as the token format, the industry (and RMS Console) standard for passing signed claims.
- issuer - identifies who created and signed the JWT; the token's iss claim must match it. Example: "your-company-name".
- audience - specifies who the JWT is intended for; the token's aud claim must match it, so tokens created for one service cannot be used for another. Example: "ravnur".
- keyValue - the Base64 encoding of the raw secret bytes used to verify JWT signatures. Encode the raw bytes, not a hex or text rendering of them, or validation will fail. HS256 needs a secret of at least 256 bits (32 random bytes); shorter keys, such as 128-bit keys, are not recommended. Keep the previous secret in alternateVerificationKeys while rotating to a new one so tokens already issued keep working.
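The following Python is an added example, not code from the article or from Ravnur. It shows both sides of the token restriction described above: mint_token() does what your token issuer does, and verify_token() re-implements the checks the key delivery service applies before it releases an AES key (signature, issuer, audience, validity window, required claims). The secret, issuer, audience and claim values are constructed assumptions; in practice generate the secret with os.urandom(32).

```python
"""Added example, not part of the original article: mint a JWT that satisfies the token
restriction and re-implement the checks the key delivery service applies before it
releases a key. Standard library only; the secret, issuer, audience and claim values
are constructed assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def make_policy(secret: bytes, issuer: str = "your-issuer-name",
                audience: str = "your-audience-name", required_claims=None) -> dict:
    """Token-restriction values as they go into the request body. keyValue is the
    Base64 of the raw secret bytes; HS256 wants at least 256 bits of them."""
    if len(secret) < 32:
        raise ValueError("secret must be at least 256 bits (32 bytes)")
    return {"issuer": issuer, "audience": audience,
            "keyValue": base64.b64encode(secret).decode(),
            "requiredClaims": required_claims or [{"claimType": "env", "claimValue": "local"}]}


# Constructed, fixed secret so the example is deterministic; use os.urandom(32) in practice.
POLICY = make_policy(b"\x11" * 32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(policy: dict, ttl: int = 3600, now: Optional[int] = None) -> str:
    """What your token issuer does: sign iss/aud/nbf/exp plus the required claims with HS256."""
    now = int(time.time()) if now is None else now
    secret = base64.b64decode(policy["keyValue"])
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": policy["issuer"], "aud": policy["audience"], "nbf": now, "exp": now + ttl}
    for claim in policy["requiredClaims"]:
        payload[claim["claimType"]] = claim["claimValue"]
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, policy: dict, now: Optional[int] = None) -> Tuple[bool, str]:
    """The checks the key delivery service performs; returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
        if not (isinstance(header, dict) and isinstance(payload, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:  # covers binascii.Error, JSONDecodeError and bad part count
        return False, "malformed token"
    # The policy's key type fixes the algorithm; never let the token's alg header choose it.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    secret = base64.b64decode(policy["keyValue"])
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return False, "bad signature"
    if payload.get("iss") != policy["issuer"]:
        return False, "issuer mismatch"
    aud = payload.get("aud")
    if policy["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return False, "token expired"
    if now < payload.get("nbf", 0):
        return False, "token not yet valid"
    for claim in policy["requiredClaims"]:
        if payload.get(claim["claimType"]) != claim["claimValue"]:
            return False, f"required claim {claim['claimType']} missing or wrong"
    return True, "ok"
```

Two points worth noticing: the verifier pins the algorithm to what the policy's key type implies instead of trusting the token's alg header, and it compares signatures in constant time. Anyone holding keyValue can mint tokens that pass every check above, so store that secret with the same care as the content keys it protects.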
Content key policy for DRM
The configuration process varies depending on which DRM system(s) you need to support.
RMS Console supports 3 DRM implementation approaches:
1. Widevine DRM - Google's DRM system, supported on Android, Chrome, and various smart TVs.
2. FairPlay DRM - Apple's DRM system, supported on iOS, iPadOS, macOS, and tvOS.
3. PlayReady DRM - Microsoft's DRM system, supported in Edge on Windows.
Known limitations:
- FairPlay is only supported for video delivered via HTTP Live Streaming (HLS).
- When you select Predefined_MultiDrmCencStreaming as your streaming policy, the FairPlay tab does not appear. FairPlay requires the cbcs encryption scheme (AES-CBC with pattern encryption), while this policy uses the cenc scheme (AES-CTR). Use Predefined_MultiDrmStreaming together with a content key policy that supports all three DRM technologies to enable FairPlay.
To find the request body samples, navigate to step 2 of the DRM configuration guide.
DRM Considerations
- Each DRM system requires specific configuration parameters.
- A content key policy created with the Universal DRM approach results in 3 tabs in the RMS Console: Widevine, PlayReady, and FairPlay.
- Select a streaming policy that is compatible with the content key policy when creating a locator:
  - AES content key policy: Predefined_ClearKey.
  - DRM content key policy: Predefined_MultiDrmCencStreaming or Predefined_MultiDrmStreaming.
Step 2: Submit the API request
Using the API endpoint:
PUT https://{apiEndpoint}.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Media/mediaServices/{accountName}/contentKeyPolicies/{contentKeyPolicyName}?api-version={api-version}
Replace the path parameters with your specific values:
- {apiEndpoint}: RMS domain that you can find in Azure Front Door using this guide.
- {subscriptionId}: Your AZURE_SUBSCRIPTION_ID from the RMS Console.
- {resourceGroupName}: Your AZURE_RESOURCE_GROUP from the RMS Console.
- {accountName}: Your RAVNUR_MEDIA_SERVICES_ACCOUNT_NAME from the RMS Console.
- {contentKeyPolicyName}: Your desired policy name.
- {api-version}: The API version to use. Example: 2021-06-01.
Request headers:
- Content-Type: application/json
- Authorization: Bearer {your-access-token} (obtained through the RMS API authentication).
Example request:
PUT https://{apiEndpoint}.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mrg-mygroup/providers/Microsoft.Media/mediaServices/default/contentKeyPolicies/my-aes-jwt-policy?api-version=2021-06-01
Send the JSON body from step 1 as the request body. PUT creates the policy or replaces an existing policy with the same name, so check the name before you submit.
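As an added example (not the article's or Ravnur's own code), the Python below preflights the AES request body from step 1 and assembles the PUT request described in this step. AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUP and RAVNUR_MEDIA_SERVICES_ACCOUNT_NAME are read from the environment under the names the RMS Console shows; RMS_API_ENDPOINT (the full RMS host) and RMS_ACCESS_TOKEN are assumed names for the remaining two inputs, and the sample body is constructed. The preflight catches the most common submission mistake: a keyValue that is not the Base64 of at least 32 raw bytes.

```python
"""Added example, not the article's or Ravnur's code: preflight the AES+JWT body from
step 1 and assemble the PUT request of step 2. RMS_API_ENDPOINT and RMS_ACCESS_TOKEN
are assumed variable names; the other three match the RMS Console."""
import base64
import binascii
import json
import os
import urllib.request
from typing import Dict, List, Optional, Tuple

API_VERSION = "2021-06-01"
CLEARKEY_CFG = "#Microsoft.Media.ContentKeyPolicyClearKeyConfiguration"
TOKEN_RESTRICTION = "#Microsoft.Media.ContentKeyPolicyTokenRestriction"
SYMMETRIC_KEY = "#Microsoft.Media.ContentKeyPolicySymmetricTokenKey"

# Constructed sample: the article's AES+JWT body with a real 256-bit keyValue filled in.
SAMPLE_BODY = {"properties": {"description": "AES encryption with JWT restriction", "options": [{
    "name": "my-aes-jwt-policy",
    "configuration": {"@odata.type": CLEARKEY_CFG},
    "restriction": {
        "@odata.type": TOKEN_RESTRICTION, "restrictionTokenType": "Jwt",
        "issuer": "your-issuer-name", "audience": "your-audience-name",
        "primaryVerificationKey": {"@odata.type": SYMMETRIC_KEY,
                                   "keyValue": base64.b64encode(b"\x11" * 32).decode()},
        "alternateVerificationKeys": [],
        "requiredClaims": [{"claimType": "env", "claimValue": "local"}]}}]}}


def check_body(body: dict) -> List[str]:
    """Return a list of problems with an AES+JWT body; empty means it is ready to send."""
    problems = []
    options = body.get("properties", {}).get("options", [])
    if not options:
        return ["properties.options must contain at least one option"]
    for i, opt in enumerate(options):
        rst = opt.get("restriction", {})
        if opt.get("configuration", {}).get("@odata.type") != CLEARKEY_CFG:
            problems.append(f"options[{i}]: configuration is not the AES clear key type")
        if rst.get("@odata.type") != TOKEN_RESTRICTION:
            problems.append(f"options[{i}]: restriction is not a token restriction")
            continue
        if rst.get("restrictionTokenType") != "Jwt":
            problems.append(f"options[{i}]: restrictionTokenType should be 'Jwt'")
        for field in ("issuer", "audience"):
            if not rst.get(field):
                problems.append(f"options[{i}]: {field} is empty")
        key = rst.get("primaryVerificationKey", {})
        if key.get("@odata.type") != SYMMETRIC_KEY:
            problems.append(f"options[{i}]: primaryVerificationKey is not a symmetric key")
        try:  # keyValue must be strict Base64 of the raw secret, and the secret >= 256 bits
            raw = base64.b64decode(key.get("keyValue", ""), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"options[{i}]: keyValue is not valid Base64")
        else:
            if len(raw) < 32:
                problems.append(f"options[{i}]: keyValue decodes to {len(raw) * 8} bits; use at least 256")
    return problems


def with_key_value(body: dict, key_value: str) -> dict:
    """Deep copy of body with a different keyValue in the first option (useful for testing)."""
    new = json.loads(json.dumps(body))
    new["properties"]["options"][0]["restriction"]["primaryVerificationKey"]["keyValue"] = key_value
    return new


def build_request(policy_name: str, body: dict,
                  env: Optional[Dict[str, str]] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Assemble (url, headers, encoded body) for the PUT; refuses bodies that fail preflight."""
    env = os.environ if env is None else env
    names = ("RMS_API_ENDPOINT", "AZURE_SUBSCRIPTION_ID", "AZURE_RESOURCE_GROUP",
             "RAVNUR_MEDIA_SERVICES_ACCOUNT_NAME", "RMS_ACCESS_TOKEN")
    missing = [n for n in names if not env.get(n)]
    if missing:
        raise ValueError("missing settings: " + ", ".join(missing))
    problems = check_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    url = (f"https://{env['RMS_API_ENDPOINT']}/subscriptions/{env['AZURE_SUBSCRIPTION_ID']}"
           f"/resourceGroups/{env['AZURE_RESOURCE_GROUP']}/providers/Microsoft.Media"
           f"/mediaServices/{env['RAVNUR_MEDIA_SERVICES_ACCOUNT_NAME']}"
           f"/contentKeyPolicies/{policy_name}?api-version={API_VERSION}")
    headers = {"Content-Type": "application/json",
               "Authorization": f"Bearer {env['RMS_ACCESS_TOKEN']}"}  # never log this header
    return url, headers, json.dumps(body).encode()


def submit(url: str, headers: Dict[str, str], body: bytes) -> int:
    """PUT the policy and return the HTTP status (200 when updated, 201 when created)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    print(submit(*build_request("my-aes-jwt-policy", SAMPLE_BODY)))
```

Run check_body() on the article's literal template and it reports that "your-base64-encoded-secret-key" is not valid Base64, which is exactly the kind of placeholder that otherwise ends up in a live policy and makes every token fail signature validation.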
Step 3: Use the created policy
After creating the policy, verify and use it directly in the RMS Console:
1. Navigate to the RMS Console > Assets and select an output asset with processed media.
2. Create a streaming locator.
3. From the dropdown list, select a streaming policy that supports encryption.
4. From the dropdown list, select a newly created content key policy (this should now appear in the list).
5. Click Add.
For testing encrypted content, the RMS Console automatically generates JWTs that are valid for 1 hour; see Manage JWT.
You created a content key policy that secures your media content with encryption and JWT-based access control.