You asked, and we delivered! Many of our customers specifically requested Content Encryption Key (CEK) Encryption support for AWS Elemental MediaPackage v2 to ensure that license keys are not derived from compromised CEKs. Unfortunately, this is a considerable issue with many if not all of the encoders, servers and packaging solutions in the marketplace. There is no industry standard for how these platforms manage the secure storage and control of CEKs.
This new capability that BuyDRM innovated allows AWS Elemental MediaPackage v2 Live to exchange encrypted CEKs with the KeyOS MultiKey platform over SPEKE, adding an extra layer of protection without changing your existing live streaming architecture.
After our CEO, Christopher Levy, met the Elemental founder Sam Blackmon in 2011, we started developing prototypes of CEK APIs with Elemental. BuyDRM then integrated our KeyOS Platform with AWS Elemental in 2017, after Amazon acquired Elemental in 2015.
What’s New
BuyDRM has long supported CEK encryption across all of our encryption key APIs. Building on this experience, we led an exercise to design and validate the model for enabling Content Key Encryption in AWS Elemental MediaPackage v2 Live. BuyDRM provided a model of how to implement this functionality, innovations around how to do it within SPEKE, and improvements to the encryption of the keys.
This means AWS Elemental MediaPackage v2 can now encrypt the CEKs it exchanges with the KeyOS platform, using certificate-based protection over SPEKE, while continuing to use those keys to encrypt your live streams in real time. This alone increases the security of the downstream license keys immensely, removing one of the most common points of failure: compromised CEKs.
Why CEK Encryption Matters
In a typical DRM workflow, CEKs are the most sensitive part of the chain: they are the secrets that ultimately control access to your content as the playback license key is derived from the CEK. Even if the video is transmitted over secure channels, exposing CEKs in plain form between services increases the potential impact of any interception, misconfiguration, or logging mistake.
By encrypting CEKs inside the SPEKE exchange between AWS Elemental MediaPackage v2 and the KeyOS platform, you add an extra layer of protection specifically around these keys. This reduces the risk that a compromised integration point, debug trace, or network capture could be used to recover keys and decrypt your live content outside of your control.
How to start using it
Enabling Content Key Encryption for AWS Elemental MediaPackage v2 involves a few straightforward steps on both the BuyDRM and AWS sides:
1. Generate a certificate
Create an X.509 certificate and private key that will be used to protect content keys in transit. For example:
openssl req -x509 -newkey rsa:2048 -sha512 -keyout private_key.pem -out public_cert.pem -nodes -days 1461 -subj "/C=YOURCOUNTRY/O=YOURCOMPANYNAME/CN=YOURDOMAIN"
Note: please make sure to format the CN as a valid domain name starting with www., for example www.licensekeyserver.com.
2. Register the certificate with BuyDRM
Open a ticket with BuyDRM support in the KeyOS Console and use our secure data upload tool to attach the public certificate you plan to use for AWS Elemental MediaPackage. Our team will then securely register it in your KeyOS configuration so that Content Keys can be encrypted for this certificate. This controlled chain of custody provides maximum security around the CEK and therefore the license keys you deliver.
3. Import the certificate into AWS Certificate Manager (ACM)
In your AWS account, securely import the same certificate into the AWS Certificate Manager in the Region where AWS Elemental MediaPackage v2 is running. This allows AWS Elemental MediaPackage to securely retrieve the certificate and use it to decrypt CEKs received from the KeyOS Content Encryption Key API.
4. Reference the certificate in your AWS Elemental MediaPackage v2 Live endpoint
In the SPEKE encryption settings for your AWS Elemental MediaPackage v2 Live origin endpoint, specify the ARN of the certificate from ACM. Once this ARN is configured, AWS Elemental MediaPackage will use the certificate in its SPEKE interactions and expect encrypted CEKs in response, which it then uses to encrypt your live streaming video.
After these steps, your live streams continue to be protected by the KeyOS MultiKey services as before, but the CEKs exchanged between AWS Elemental MediaPackage and the KeyOS platform are now encrypted end-to-end using your certificate.
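The four steps above, scripted end to end as an added example (this is not BuyDRM's or AWS's own tooling). It generates the certificate with the exact parameters from step 1, checks the certificate locally before it is handed to anyone (www. CN, SHA-512 signature, RSA key of at least 2048 bits), imports it into ACM with the AWS CLI, and writes the resulting ARN into the origin endpoint's SPEKE settings. It assumes openssl, the aws CLI, and jq are installed, that the CLI has credentials for the account and Region hosting the MediaPackage v2 channel, and that the SPEKE certificate field on the endpoint is Segment.Encryption.SpekeKeyProvider.CertificateArn; the channel group, channel and endpoint names are placeholders. Step 2 (registering the public certificate with BuyDRM) is a support-ticket action and has no CLI equivalent.

```shell
#!/bin/sh
# Added example, not part of the original post or of any vendor tooling.
set -eu

# The post requires the CN to be a domain name starting with "www." (e.g.
# www.licensekeyserver.com). Returns 0 when the CN is acceptable, 1 otherwise.
check_cn() {
  case "$1" in
    www.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1: create the X.509 certificate and private key with the post's parameters.
# Usage: generate_cert <cn> <country> <organisation> <output-dir>
generate_cert() {
  cn="$1"; country="$2"; org="$3"; out_dir="$4"
  check_cn "$cn" || { echo "CN must be a domain name starting with www." >&2; return 1; }
  # openssl writes progress and deprecation chatter to stderr; silence it here.
  openssl req -x509 -newkey rsa:2048 -sha512 \
    -keyout "$out_dir/private_key.pem" -out "$out_dir/public_cert.pem" \
    -nodes -days 1461 -subj "/C=$country/O=$org/CN=$cn" 2>/dev/null
}

# Local sanity check before the certificate is uploaded anywhere:
# www. CN, sha512WithRSAEncryption signature, and an RSA key of >= 2048 bits.
# Returns 0 when all three hold, 1 otherwise.
verify_cert() {
  cert="$1"
  # Handles both "CN = x" (OpenSSL 1.1+/3) and "/CN=x" (OpenSSL 1.0) subject styles.
  cn=$(openssl x509 -in "$cert" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  check_cn "$cn" || return 1
  text=$(openssl x509 -in "$cert" -noout -text)
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha512WithRSAEncryption' || return 1
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ]
}

# Step 3: import the certificate and key into ACM in the MediaPackage v2 Region.
# Prints the certificate ARN that step 4 needs.
# Usage: import_to_acm <region> <dir-containing-pem-files>
import_to_acm() {
  aws acm import-certificate --region "$1" \
    --certificate "fileb://$2/public_cert.pem" \
    --private-key "fileb://$2/private_key.pem" \
    --query CertificateArn --output text
}

# Step 4: reference the ACM ARN in the origin endpoint's SPEKE settings.
# Reads the endpoint's current Segment block, sets the certificate ARN in it, and
# writes it back. The CertificateArn field name is an assumption; check the current
# MediaPackage v2 API reference. update-origin-endpoint replaces the endpoint's
# configuration, so pass your manifest settings alongside --segment in real use.
# Usage: set_speke_certificate <region> <channel-group> <channel> <endpoint> <arn>
set_speke_certificate() {
  region="$1"; group="$2"; channel="$3"; endpoint="$4"; arn="$5"
  current=$(aws mediapackagev2 get-origin-endpoint --region "$region" \
    --channel-group-name "$group" --channel-name "$channel" \
    --origin-endpoint-name "$endpoint")
  container=$(printf '%s' "$current" | jq -r '.ContainerType')
  segment=$(printf '%s' "$current" | jq --arg arn "$arn" \
    '.Segment | .Encryption.SpekeKeyProvider.CertificateArn = $arn')
  aws mediapackagev2 update-origin-endpoint --region "$region" \
    --channel-group-name "$group" --channel-name "$channel" \
    --origin-endpoint-name "$endpoint" --container-type "$container" \
    --segment "$segment"
}

# Example run with placeholder names; set RUN_AWS=1 to perform the AWS calls.
if [ "${RUN_AWS:-0}" = "1" ]; then
  workdir=$(mktemp -d)
  generate_cert www.example.com US "Example Inc" "$workdir"
  verify_cert "$workdir/public_cert.pem"
  # Step 2 happens here: upload $workdir/public_cert.pem to BuyDRM via a support ticket.
  arn=$(import_to_acm us-east-1 "$workdir")
  set_speke_certificate us-east-1 example-group example-channel example-endpoint "$arn"
fi
```

Keep private_key.pem out of the support ticket and out of any shared storage: only the public certificate goes to BuyDRM, while the key travels solely to ACM in step 3.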
Closing
For customers running high value live content on AWS, this feature adds a focused security improvement in exactly the place where it matters most—the keys that lock and unlock your streams. If you’d like help enabling CEK Encryption in your existing AWS Elemental MediaPackage workflow, our team can work with you and your development ops team to validate the setup and ensure everything is configured correctly.