Using Raw Key¶
Shaka Packager supports raw keys, for which keys and key_ids are provided to Shaka Packager directly.
This is often used if you are managing the encryption keys yourself. It also allows you to support multi-DRM by providing custom PSSHs.
Synopsis¶
$ packager <stream_descriptor> ... \
--enable_raw_key_encryption \
--keys <key_info_string>[,<key_info_string>]... \
[--pssh <concatenated_PSSHs>] \
[Other options, e.g. DASH options, HLS options]
key_info_string is of the form:
label=<label>:key_id=<key_id>:key=<key>
Custom PSSH(s) can be provided in –pssh. If neither –pssh nor –protection_systems is specified, v1 common PSSH box is generated.
Examples¶
The examples below use the H264 streams created in Media Encoding.
Example with pre-generated PSSH:
$ packager \ in=h264_baseline_360p_600.mp4,stream=audio,output=audio.mp4,drm_label=AUDIO \ in=h264_baseline_360p_600.mp4,stream=video,output=h264_360p.mp4,drm_label=SD \ in=h264_main_480p_1000.mp4,stream=video,output=h264_480p.mp4,drm_label=SD \ in=h264_main_720p_3000.mp4,stream=video,output=h264_720p.mp4,drm_label=HD \ in=h264_high_1080p_6000.mp4,stream=video,output=h264_1080p.mp4,drm_label=HD \ --enable_raw_key_encryption \ --keys label=AUDIO:key_id=f3c5e0361e6654b28f8049c778b23946:key=a4631a153a443df9eed0593043db7519,label=SD:key_id=abba271e8bcf552bbd2e86a434a9a5d9:key=69eaa802a6763af979e8d1940fb88392,label=HD:key_id=6d76f25cb17f5e16b8eaef6bbf582d8e:key=cb541084c99731aef4fff74500c12ead \ --pssh 000000317073736800000000EDEF8BA979D64ACEA3C827DCD51D21ED00000011220F7465737420636F6E74656E74206964 \ --mpd_output h264.mpd \ --hls_master_playlist_output h264_master.m3u8
Common PSSH is generated if no PSSH or protection system flag is specified:
$ packager \ in=h264_baseline_360p_600.mp4,stream=audio,output=audio.mp4,drm_label=AUDIO \ in=h264_baseline_360p_600.mp4,stream=video,output=h264_360p.mp4,drm_label=SD \ in=h264_main_480p_1000.mp4,stream=video,output=h264_480p.mp4,drm_label=SD \ in=h264_main_720p_3000.mp4,stream=video,output=h264_720p.mp4,drm_label=HD \ in=h264_high_1080p_6000.mp4,stream=video,output=h264_1080p.mp4,drm_label=HD \ --enable_raw_key_encryption \ --keys label=AUDIO:key_id=f3c5e0361e6654b28f8049c778b23946:key=a4631a153a443df9eed0593043db7519,label=SD:key_id=abba271e8bcf552bbd2e86a434a9a5d9:key=69eaa802a6763af979e8d1940fb88392,label=HD:key_id=6d76f25cb17f5e16b8eaef6bbf582d8e:key=cb541084c99731aef4fff74500c12ead \ --mpd_output h264.mpd
Example with FairPlay using ‘cbcs’ protection scheme:
$ packager \ in=h264_baseline_360p_600.mp4,stream=audio,output=audio.mp4,drm_label=AUDIO \ in=h264_baseline_360p_600.mp4,stream=video,output=h264_360p.mp4,drm_label=SD \ in=h264_main_480p_1000.mp4,stream=video,output=h264_480p.mp4,drm_label=SD \ in=h264_main_720p_3000.mp4,stream=video,output=h264_720p.mp4,drm_label=HD \ in=h264_high_1080p_6000.mp4,stream=video,output=h264_1080p.mp4,drm_label=HD \ --protection_scheme cbcs \ --enable_raw_key_encryption \ --keys label=AUDIO:key_id=f3c5e0361e6654b28f8049c778b23946:key=a4631a153a443df9eed0593043db7519,label=SD:key_id=abba271e8bcf552bbd2e86a434a9a5d9:key=69eaa802a6763af979e8d1940fb88392,label=HD:key_id=6d76f25cb17f5e16b8eaef6bbf582d8e:key=cb541084c99731aef4fff74500c12ead \ --protection_systems FairPlay \ --iv 11223344556677889900112233445566 --hls_master_playlist_output h264_master.m3u8 \ --hls_key_uri skd://testAssetID
Example with multi-drm (Widevine and PlayReady):
$ packager \ in=h264_baseline_360p_600.mp4,stream=audio,output=audio.mp4,drm_label=AUDIO \ in=h264_baseline_360p_600.mp4,stream=video,output=h264_360p.mp4,drm_label=SD \ in=h264_main_480p_1000.mp4,stream=video,output=h264_480p.mp4,drm_label=SD \ in=h264_main_720p_3000.mp4,stream=video,output=h264_720p.mp4,drm_label=HD \ in=h264_high_1080p_6000.mp4,stream=video,output=h264_1080p.mp4,drm_label=HD \ --enable_raw_key_encryption \ --keys label=AUDIO:key_id=f3c5e0361e6654b28f8049c778b23946:key=a4631a153a443df9eed0593043db7519,label=SD:key_id=abba271e8bcf552bbd2e86a434a9a5d9:key=69eaa802a6763af979e8d1940fb88392,label=HD:key_id=6d76f25cb17f5e16b8eaef6bbf582d8e:key=cb541084c99731aef4fff74500c12ead \ --protection_systems Widevine,PlayReady \ --mpd_output h264.mpd
Note
Users are responsible for setting up the license servers and managing keys there unless they are using a cloud service provided by the DRM provider or third_parties.
Refer to player setup on how to config the DRM in Shaka Player.
Test vectors used in this tutorial¶
- Key ID
- SD: abba271e8bcf552bbd2e86a434a9a5d9HD: 6d76f25cb17f5e16b8eaef6bbf582d8eAUDIO: f3c5e0361e6654b28f8049c778b23946
Key ID must be 16 bytes or 32 digits in HEX.
- Key
- SD: 69eaa802a6763af979e8d1940fb88392HD: cb541084c99731aef4fff74500c12eadAUDIO: a4631a153a443df9eed0593043db7519
Key must be 16 bytes or 32 digits in HEX.
- Widevine PSSH
000000317073736800000000EDEF8BA979D64ACEA3C827DCD51D21ED00000011220F7465737420636F6E74656E74206964
The PSSH is generated using pssh-box script:
$ pssh-box.py --widevine-system-id \ --content-id 7465737420636f6e74656e74206964 --hex
Configuration options¶
General encryption options¶
- --protection_scheme <scheme>
Specify a protection scheme, ‘cenc’ or ‘cbc1’ or pattern-based protection schemes ‘cens’ or ‘cbcs’.
- --vp9_subsample_encryption, --novp9_subsample_encryption
Enable / disable VP9 subsample encryption. Enabled by default.
- --clear_lead <seconds>
Clear lead in seconds if encryption is enabled. Shaka Packager does not support partial encrypted segments, all the segments including the partial segment overlapping with the initial ‘clear_lead’ seconds are not encrypted, with all the following segments encrypted. If segment_duration is greater than ‘clear_lead’, then only the first segment is not encrypted. Default: 5
- --protection_systems
Protection systems to be generated. Supported protection systems include Widevine, PlayReady, FairPlay, Marlin, and CommonSystem (https://goo.gl/s8RIhr).
Raw key encryption options¶
- --enable_raw_key_encryption
Enable encryption with raw key (keys provided in command line)). This generates Common protection system if neither –pssh nor –protection_systems is specified. Use –pssh to provide custom protection systems or use –protection_systems to generate protection systems automatically.
- --enable_raw_key_decryption
Enable decryption with raw key (keys provided in command line).
- --keys <key_info_string[,key_info_string][,key_info_string]…>
key_info_string is of the form:
label=<label>:key_id=<key_id>:key=<key>
label can be an arbitrary string or a predefined DRM label like AUDIO, SD, HD, etc. Label with an empty string indicates the default key and key_id. The drm_label in Stream descriptors, which can be implicit, determines which key info is applied to the stream by matching the drm_label with the label in key info.
key_id and key should be 32-digit hex strings.
- --iv <16-digit or 32-digit hex string>
IV in hex string format. If not specified, a random IV will be generated. This flag should only be used for testing. IV must be either 8 bytes (16 digits HEX) or 16 bytes (32 digits in HEX).
- --pssh <hex string>
One or more concatenated PSSH boxes in hex string format. If neither this flag nor –protection_systems is specified, a v1 common PSSH box will be generated.
pssh-box (Utility to generate PSSH boxes)¶
https://github.com/google/shaka-packager/tree/master/packager/tools/pssh