Secure Packager and Encoder Key Exchange (SPEKE) is part of the AWS Elemental content encryption protection strategy for media services customers. SPEKE defines the standard for communication between AWS Media Services and digital rights management (DRM) system key servers. SPEKE is used to supply keys to encrypt video on demand (VOD) content through AWS Elemental MediaConvert and for live content through AWS Elemental MediaPackage.
Take a look at high-level SPEKE documentation available on the AWS web site.
Use the provided CloudFormation template to deploy the reference key server into your AWS account. The reference SPEKE implementation provides a key server and key distribution cache for end-to-end segment encyption with HLS and DASH. Use it as an example and starting point when implementing a complete DRM solution with SPEKE.
The CloudFormation template creates an API Gateway, Lambda function, S3 bucket and CloudFront distribution and adds the needed settings for the reference server. Additionally, the template creates IAM policies and roles necessary for API Gateway, Lambda, Secrets Manager, S3 and CloudFront to interact.
The following diagram shows the primary components of the serverless SPEKE solution and the connectivity among the components during runtime. The diagram also shows one possible integration between AWS MediaPackage or AWS MediaConvert and SPEKE.
These sections will guide you through installation, testing and configuration of the SPEKE Reference Server.
-
Installation - This section includes installation instructions for API Gateway, Lambda deployment and AWS Elemental MediaPackage channel integration.
-
Test Cases - This page include several unit tests and manual test cases that can be used to verify operation of the SPEKE Reference Server. These test cases do not require integration with additional services.
-
AWS Elemental MediaPackage - This page documents steps that can be used to verify operation of the SPEKE Reference Server using AWS Elemental MediaPackage.
-
Contributing - This page includes the guidelines for contributing your enhancements, fixes and documentation to the project.
-
Code of Conduct - This is what we expect from all people interacting and contributing with the team.
The following page guides the user through deployment and configuration of the SPEKE Reference Server.
- An AWS account with administrator rights and access to the AWS console
- Note that this solution can be deployed to any region that supports API Gateway, Lambda, and S3. You need to consider the packager or encoder's location relative to the API Gateway endpoint used to create encryption keys. The encoder, packager and SPEKE services should be in the same region or as geographically close as possible to reduce the request/response latency in key generation.
- Create a virtual environment for this project using python3 using steps outlined here.
- Install dependencies within the virtual environment using
pip3 install -r requirements.txt
. - In
zappa_settings.json
undersrc
, replaceaws_region
with the region this lambda will be deployed. - Run
local_build.sh
. - The script will generate required artifacts under
build
folder. - Create a new bucket in S3 (For example:
speke-us-east-1
). Create a folder calledspeke
and upload the generatedspeke-reference
lambda zip file. - In the generated
speke_reference.json
, replacerodeolabz
with the name of your created bucket (speke
is used in this example). - Use the
speke_reference.json
template in CloudFormation to deploy the speke reference server following the instructions below.
AWS Lambda environment is similar to Amazon Linux (AL2) and so a dependency that this reference server needs: cffi
does not match the lambda runtime when built on a Windows/ macOS machine. When the reference server is run, it might result in an error: No module named '_cffi_backend'
. To resolve this, create a requirements.txt
file with cffi==<version>
, replacing version with the desired version number (The requirements.txt file can be used for a compatible version) and create a lambda layer following the steps outlined here and then update the speke reference lambda function to reference this layer.
- Sign in to the AWS console.
- Choose a region such as us-east-1 or us-west-2 to start.
- Navigate to the AWS CloudFormation console.
- Create a new stack.
- On the
Select Template
page, selectUpload a template file
and choose the generatedspeke_reference.json
file prepared in the above section. - At the
Specify Details
pages, provide a stack name, likeSPEKE
. - Provide a value for the
KeyRetentionDays
parameter. This is the amount of time to retain a key in the S3 bucket for client playback. Keys older than this amount will be automatically removed by S3. The default is 2 days, which is usually enough for live content across multiple time zones. - There are some Parameters which contain default values, this is for reference only and it is recommended that users modify this section of the reference server to return values such as playready header and pssh boxes according to their requirements.
- The
Options
page does not require any input, although you can choose to be notified after the template completes.
When the template is complete you will have an operational reference SPEKE server that can be used for HLS encryption. You can review the Resources tab of the template to see what was created or updated, and the Outputs tab for the URL of the SPEKE server and the role ARN that permits MediaPackage access.
This solution only supports key creation for the following DRM technologies: Widevine, Playready
This solution will send a blank CPIX response if the Apple Fairplay system ID is used.
For Speke V2.0, this solution works for Widevine, Playready and Fairplay Due to limitations on size of environment variables provided for a lambda, users must implement their own solution to create and send PSSH, ContentProtectionData and HLSSignalingData for the different DRM systems.
This solution only supports the contentProtection method to handle communication between the reference server solution and the Media Services. Users must implement copyProtectionData methods in order to handle client/player request to decrypt content.