Security. AES-128 encryption for VOD

What is AES-128
How AES-128 works with VOD
Configure AES-128

What is AES-128

AES-128 (Advanced Encryption Standard) is a block encryption algorithm based on several substitutions and permutations of data in blocks of 16 bytes. The key length of this encryption type is 128 bits.

Encryption is suitable when you need to allow certain viewers access to content, for example, by subscription, which is available only for those who paid for it.

AES-128 is an encryption standard for high-security systems, so it is difficult to intercept and decrypt keys.

You can use AES-128 encryption for maximum protection and configure country or domain access policy. 

How AES-128 works with VOD

We deliver the video via HLS protocol. The video is divided into playlists consisting of fragments (chunks).

Video fragments are transmitted in encrypted form using the AES-128 algorithm. The video decryption key for viewers is transmitted in a separate request.

The process of getting the decryption key:

  1. The request to view the video is sent to your server.
  2. It is analyzed for the presence of cookies and other session parameters.
  3. If the request does not contain certain parameters, access to the video is forbidden.
  4. If the request contains certain parameters, the server sends a GET request to the Gcore API to get the key.
  5. The Gcore API provides the key to the server.
  6. The server sends the key to the viewer, and access to the video is provided.

Configure AES-128 

Settings on the Streaming platform

To enable the ability to send video using AES-128 encryption, contact technical support by email at or in the chat.

After the encryption is enabled, the _s_ characters will be added to the M3U8 video URL:

Please, note! After the encryption is enabled, the request to view the video and receive the decryption key is sent to the Streaming servers.

There are no settings on the Streaming servers that allow us to understand what principle allows or prohibits access to a video to a specific viewer; access will be provided to all viewers. 

To avoid this, configure your server according to the instructions below.

Settings on your server

To redirect and process requests on the decryption key, configure the server.

1. Create an API that will receive a request on the decryption key.

If you need help with server API creation, please, write to us at or in the chat.

2. Create a domain to which the viewer will be redirected to verify and receive the key.

The domain should be inserted into the link after the _s_ characters as follows:

3. In case of successful request validation, the server should send a GET request to the Gcore API to get the decryption key:



4. After receiving the key, the server should pass it to the viewer in the unchanged format.

Example of a key: 


To pass the key in this format, these headers may be useful:

  • content-transfer-encoding: binary
  • content-type: application/octet-stream
Was this article helpful?
Recently viewed articles