Question/Issue
I would like to understand how the AES-128 encryption key used for DRM packaging is generated and managed.
Short Description
By default, the encryption key is generated by the DoveRunner key server at the request of the packager (DoveRunner CLI packager or a third-party packager) and then delivered to the packager for use in content encryption.
For security purposes, the generated key is stored in encrypted form in the database of the DoveRunner key server, and is included in the license data delivered to the client during DRM content playback.
If you want to manage content encryption keys directly rather than delegating key management to the DoveRunner key server, content packaging and license integration must be handled using the external key integration method described below.
Content packaging and license issuance using external keys
Content packaging using external keys
- When using the DoveRunner CLI packager, you can directly input arbitrary encryption key values by using the external key input options (Key ID, Key pair).
- Since the entered key values are not transmitted to the DoveRunner server, you must securely store and manage the key data together with the corresponding content information (Content ID) in separate storage so that the keys can be reused when issuing DRM licenses.
DRM license issuance using external keys
- For content newly packaged using the external key method, or content that was already packaged by another DRM provider before adopting the DoveRunner DRM service, DRM license requests must also be processed using the external key method.
- When generating a license token, setting the external key option allows a DRM license to be issued using the specified key values.
- To use multi-DRM content packaged by a third-party DRM service without repackaging, you must request and obtain the encryption key information (Key ID, Key, IV) from that service provider.
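One way to meet the storage requirement above for externally managed keys is sketched below as an added example; it is not DoveRunner code. It generates a random Key ID and AES-128 content key, seals the key under a key-encryption key (KEK) with AES-GCM, and binds the sealed key to its Content ID so a stored record cannot be reattached to other content. The Record layout, the function names and the use of a KEK are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is one row of your own key storage (hypothetical layout).
type Record struct {
	ContentID             string
	KeyID, Nonce, Wrapped []byte // Wrapped: content key sealed under the KEK
}

// NewKEK builds AES-GCM from a key-encryption key kept outside the database.
func NewKEK(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds the sealed key to its Content ID and Key ID.
func aad(r Record) []byte { return append([]byte(r.ContentID+"\x00"), r.KeyID...) }

// NewRecord returns the record to store and the plaintext key for the packager.
func NewRecord(g cipher.AEAD, contentID string) (Record, []byte, error) {
	buf := make([]byte, 16+16+g.NonceSize()) // Key ID | AES-128 key | GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Record{}, nil, err
	}
	r := Record{ContentID: contentID, KeyID: buf[:16], Nonce: buf[32:]}
	r.Wrapped = g.Seal(nil, r.Nonce, buf[16:32], aad(r))
	return r, buf[16:32], nil
}

// Unwrap recovers the key at license time; altered or re-attached records fail.
func Unwrap(g cipher.AEAD, r Record) ([]byte, error) {
	return g.Open(nil, r.Nonce, r.Wrapped, aad(r))
}

func main() {
	g, _ := NewKEK(make([]byte, 32)) // constructed all-zero KEK, demo only
	r, key, _ := NewRecord(g, "sample-content-001")
	got, err := Unwrap(g, r)
	fmt.Printf("kid=%x wrapped=%dB roundtrip=%v err=%v\n", r.KeyID, len(r.Wrapped), string(got) == string(key), err)
}
```

In production the KEK would come from a KMS or HSM rather than application memory, and only the Record fields would be written to the database.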