AES-128 Video Encryption — How HLS Segment Encryption Works

AES-128 Video Encryption

AES-128 (Advanced Encryption Standard with a 128-bit key) is a symmetric block cipher standardized by NIST in 2001. It’s used by online banking, government communications, and most streaming platforms for protecting video content.

In HLS, AES-128 is applied at the segment level: each segment file is encrypted with a key, and the player decrypts on the fly during playback.

How HLS uses AES-128

The HLS spec defines two encryption modes:

  • AES-128 — segment-level encryption, key delivered separately via HTTP. Most common.
  • SAMPLE-AES — sample-level encryption (encrypts video frames inside the segment). Used with FairPlay DRM.

For “encrypted video hosting” pages — courses, gated content, paid memberships — AES-128 segment-level is the standard.

Key delivery

The encryption key is a 16-byte random value. The HLS playlist tells the player where to fetch the key:

#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/key/123",IV=0x1234...

The player fetches the key via HTTP (typically with auth credentials), decrypts segments in memory, and feeds them to the video element.

Single-key vs multi-key

Single-key: one video, one key, one URL. Simple. If the URL is captured, the entire video is decryptable.

Multi-key (AVCaption): one video, many keys (one per batch of segments). Each key is fetched via a separate signed URL. If a single key URL is captured, only that batch (~60 seconds) is exposed. Full-video extraction requires capturing every key URL, which, combined with rate limiting and signed-token expiration, substantially raises the cost of automated piracy.
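
The following is an added example, not code from the original page or from AVCaption. It parses a constructed media playlist whose key rotates and reports how many seconds of content each key URL unlocks, which is the exposure the single-key vs multi-key comparison is about. The playlist, host names and function names are assumptions; the fallback of the IV to the media sequence number follows the HLS specification (RFC 8216).

```python
import re
# Constructed sample playlist (not from the page): the key rotates every two segments.
SAMPLE = """#EXTM3U
#EXT-X-MEDIA-SEQUENCE:7
#EXT-X-KEY:METHOD=AES-128,URI="https://media.example/key/a?sig=PLACEHOLDER"
#EXTINF:30.0,
seg7.ts
#EXTINF:30.0,
seg8.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://media.example/key/b?sig=PLACEHOLDER",IV=0x000000000000000000000000000000FF
#EXTINF:30.0,
seg9.ts
#EXTINF:12.5,
seg10.ts
#EXT-X-ENDLIST
"""

# Attribute list: NAME=value pairs; quoted values may contain commas.
ATTR = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def parse_attrs(text):
    return {name: value.strip('"') for name, value in ATTR.findall(text)}

def segments(playlist):
    """Return (segment_uri, seconds, key_uri, iv) per segment; key_uri is None if clear."""
    seq, key, seconds, out = 0, None, 0.0, []
    for line in map(str.strip, playlist.splitlines()):
        if line.startswith("#EXT-X-MEDIA-SEQUENCE:"):
            seq = int(line.split(":", 1)[1])
        elif line.startswith("#EXT-X-KEY:"):
            attrs = parse_attrs(line.split(":", 1)[1])
            # An EXT-X-KEY tag applies to every segment up to the next EXT-X-KEY tag.
            key = attrs if attrs.get("METHOD") == "AES-128" else None
        elif line.startswith("#EXTINF:"):
            seconds = float(line.split(":", 1)[1].split(",")[0])
        elif line and not line.startswith("#"):
            iv = None
            if key:
                # No IV attribute: the media sequence number is the IV (16 bytes, big-endian).
                iv = bytes.fromhex(key["IV"][2:]) if "IV" in key else seq.to_bytes(16, "big")
            out.append((line, seconds, key["URI"] if key else None, iv))
            seq += 1
    return out

def exposure_by_key(playlist):
    """Seconds of content that a single captured key URL would unlock."""
    exposure = {}
    for _, seconds, key_uri, _ in segments(playlist):
        exposure[key_uri] = exposure.get(key_uri, 0.0) + seconds
    return exposure
```

Run against a packager's output, a single entry covering the whole duration indicates a single-key playlist; a `None` entry indicates segments served unencrypted.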

AES-128 vs DRM

AES-128 with key delivery is sometimes called “DRM-lite” (informal industry term — strictly it’s transport encryption, not rights management). True DRM (Widevine, PlayReady, FairPlay) adds:

  • Hardware-bound decryption (TEE, Secure Enclave)
  • License servers that enforce per-device, per-time-window playback rights
  • Output protection (HDCP) that blocks captured screen output

DRM is required for studio-licensed content (theatrical films, premium broadcast series, contract-mandated rights deals). For self-produced content (courses, tutorials, B2B training, paid memberships), the standard tradeoff is AES-128 multi-key plus signed URLs plus a per-viewer watermark — meaningfully cheaper, comparable practical resistance, easier to ship. The fuller decision matrix is in AES-128 vs DRM for online courses.

Browser support

Native HLS playback (Safari) supports AES-128 out of the box. HLS.js (Chrome/Firefox/Edge) decrypts in JavaScript via the Web Crypto API. Both work on iOS, Android, and desktop without plugins.
