Using PlayReady Key Server

Shaka Packager can talk to PlayReady Key Server that implements AcquirePackagingData Web Method specification to fetch encryption keys.

Refer to DRM if you are interested in generating multi-DRM contents.

Synopsis

$ packager <stream_descriptor> ... \
  --enable_playready_encryption \
  --playready_server_url <playready_server_url> \
  --program_identifier <program_identifier> \
  --client_cert_file <client_cert_file> \
  --client_cert_private_key_file <client_cert_private_key_file> \
  --client_cert_private_key_password <client_cert_private_key_password> \
  --ca_file <ca_file> \
  [Other options, e.g. DASH options, HLS options]

The –client_cert_xx and –ca_file parameters can be omitted if not required by the key server.

Configuration options

DRM related Stream descriptor fields

skip_encryption=0|1:

Optional. Defaults to 0 if not specified. If it is set to 1, no encryption of the stream will be made.

drm_label:

Optional value for custom DRM label, which defines the encryption key applied to the stream. Typically values include AUDIO, SD, HD, UHD1, UHD2. For raw key, it should be a label defined in –keys. If not provided, the DRM label is derived from stream type (video, audio), resolutions, etc. Note that it is case sensitive.

General encryption options

--protection_scheme <scheme>

Specify a protection scheme, ‘cenc’ or ‘cbc1’ or pattern-based protection schemes ‘cens’ or ‘cbcs’.

--crypt_byte_block

Specify the count of the encrypted blocks in the protection pattern, where block is of size 16-bytes.

There are three common patterns (crypt_byte_block:skip_byte_block): 1:9 (default), 5:5, 10:0.

Apply to video streams with ‘cbcs’ and ‘cens’ protection schemes only; ignored otherwise.

--skip_byte_block

Specify the count of the unencrypted blocks in the protection pattern.

Apply to video streams with ‘cbcs’ and ‘cens’ protection schemes only; ignored otherwise.

--vp9_subsample_encryption, --novp9_subsample_encryption

Enable / disable VP9 subsample encryption. Enabled by default.

--clear_lead <seconds>

Clear lead in seconds if encryption is enabled. Shaka Packager does not support partial encrypted segments, all the segments including the partial segment overlapping with the initial ‘clear_lead’ seconds are not encrypted, with all the following segments encrypted. If segment_duration is greater than ‘clear_lead’, then only the first segment is not encrypted. Default: 5

--protection_systems

Protection systems to be generated. Supported protection systems include Widevine, PlayReady, FairPlay, Marlin, and CommonSystem.

--playready_extra_header_data <string>

Extra XML data to add to PlayReady PSSH data. Can be specified even if using another key source.

PlayReady encryption options

--enable_playready_encryption

Enable encryption with PlayReady key. This generates PlayReady protection system if –protection_systems is not specified. Use –protection_system to generate multiple protection systems.

--playready_server_url <url>

PlayReady packaging server url.

--program_identifier <program_identifier>

Program identifier for packaging request.

--ca_file <file path>

Absolute path to the certificate authority file for the server cert. PEM format. Optional, depends on server configuration.

--client_cert_file <file path>

Absolute path to client certificate file. Optional, depends on server configuration.

--client_cert_private_key_file <file path>

Absolute path to the private key file. Optional, depends on server configuration.

--client_cert_private_key_password <string>

Password to the private key file. Optional, depends on server configuration.