Concept 02
AES-128 Encryption
HLS can encrypt each media segment with AES-128. The playlist itself stays readable, but the .ts segments are ciphertext. An authorized player fetches a small key file, then decrypts segments locally as it plays. This sandbox encrypts its own test clip so you can watch the whole handshake happen.
The EXT-X-KEY tag
Encryption is announced by a single tag in the media playlist. It names the cipher, where to get the key, and (optionally) the initialization vector.
#EXT-X-KEY:METHOD=AES-128,URI="/hls/enc.key",IV=0xa47b73b1...METHOD=AES-128— segments are AES-128-CBC encrypted.URI— where the player fetches the 16-byte key. Access control lives here: the server decides who gets the key.IV— the initialization vector that seeds the cipher, keeping identical segments from producing identical ciphertext.
How the browser decrypts, step by step
- 1
Read the key URI
When the player hits an
#EXT-X-KEYtag, it notes the key URI and issues a request for it. In the live log on the home page you'll see "Requesting AES-128 key". - 2
Fetch the 16-byte key
The key is just 16 random bytes served over HTTPS. On a real service this endpoint is gated by auth/session so only authorized viewers receive it.
- 3
Decrypt each segment
For every
.tssegment, the player runs AES-128-CBC using the key and the IV, turning ciphertext back into playable video — entirely in the browser. - 4
Feed the decoder
Decrypted segments are appended to the media buffer and handed to the video decoder. Nothing is written to disk.
How this stream was encrypted
These are the exact commands this project ran to produce the encrypted stream you're watching — on a self-generated clip.
# 1. Generate a random 16-byte (128-bit) key
openssl rand 16 > enc.key
# 2. Tell ffmpeg where players will fetch the key,
# which key file to encrypt with, and the IV
cat > keyinfo.txt <<EOF
/hls/enc.key # key URI written into the playlist
enc.key # local key file used to encrypt
$(openssl rand -hex 16) # initialization vector
EOF
# 3. Encrypt while segmenting
ffmpeg -i source.mp4 -hls_key_info_file keyinfo.txt \
-hls_time 4 -f hls stream.m3u8Where access control really lives
AES-128 HLS is about confidentiality in transit, not hard DRM. The real gate is the key endpoint: a legitimate service only hands the key to an authenticated, authorized viewer. Studying the mechanism is standard streaming engineering — applying it to bypass someone else's access controls is not, and this sandbox deliberately only encrypts content it generates itself.