AWS Media Blog

Guest post from castLabs: AWS customers can use SPEKE and DRMtoday for video security

Guest post Bryce Pedersen, VP of Marketing, castLabs

The content and opinions in this post are those of the third-party author and AWS is not responsible for the content or accuracy of this post.

The Secure Packager and Encoder Key Exchange (SPEKE) specification defines the standard for authentication and communication between encryptors and digital rights management (DRM) key providers. Encryptors include video encoders, transcoders, and origin servers. SPEKE itself is an API based on the DASH-IF Content Protection Information Exchange Format (CPIX), which is an XML document format designed to standardize how content key exchanges are performed.

castLabs’ DRMtoday cloud licensing service was among the first DRM key providers to offer API integration with SPEKE for streaming video workflows.

DRMtoday is SPEKE-compliant and allows AWS Elemental Media Services users to easily:

  • Deploy required resources to interact with DRMtoday and SPEKE through a simple AWS CloudFormation template
  • Support protected MPEG-DASH, HLS, Smooth Streaming through CMAF packaging workflows
  • Process secure content key exchanges for Google Widevine, Apple FairPlay Streaming, and Microsoft PlayReady DRM systems
  • Take advantage of Common Encryption (CENC) use cases

End-to-end Key Security

Content keys are extremely sensitive data. SPEKE and DRMtoday establish a secure end-to-end key transit channel to deliver encrypted media content.

DRMtoday and SPEKE Workflow Integration

DRMtoday is compatible with AWS Elemental MediaConvert and AWS Elemental MediaPackage for cloud-based video workflows, and AWS Elemental Live and AWS Elemental Delta for on-premises video workflows. AWS security requires key service components to be located in a customer’s account. To facilitate this, castLabs provides an ‘adapter’ as an AWS CloudFormation template that acts as the bridge between AWS and DRMtoday workflows. This allows for rapid deployment of DRMtoday for AWS Elemental Media Services.

This combined solution consists of two main components: fully configured Amazon API Gateway and AWS Lambda functions. The Amazon API Gateway allows for IAM role authentication within the AWS ecosystem (i.e. it facilitates IAM authentication between AWS Media Services and the key server proxy). This calls the AWS Lambda function, which in turn calls DRMtoday.

File-based SPEKE VOD workflow example 

Get Started Today

castLabs is an AWS Advanced Technology Partner. To learn more about API integration between DRMtoday and AWS Elemental Media Services, contact

About castLabs

castLabs pioneers software and cloud services for digital video markets worldwide. Its solutions enable the playback of DRM-secured premium content over a large selection of consumer devices and platforms for high-quality video experiences. castLabs’ range of applications and services include DRMtoday licensing, PRESTOplay player SDKs, and Video Toolkit processing. castLabs is based in Los Angeles, California, and Berlin, Germany.

Brandon Zupancic

Brandon Zupancic

Brandon leads global partner marketing for technology and consulting vendors which have built media solutions on AWS, and which businesses may use to deliver video to their customers and internal clients.