AWS Media Blog

Secure content packaging with ExpressPlay DRM and AWS Media Services

Authored by Gadi Ittah, Director of Product Management at Intertrust. The content and opinions in this post are those of the third-party author and AWS is not responsible for the content or accuracy of this post.

At Intertrust, we are responsible for protecting high-value and premium content, distributed by some of the largest media streaming services in the world. Our ExpressPlay DRM customers reach hundreds of millions of viewers and offer rich VOD catalogs as well as live events. Our customers make use of the cloud-based ExpressPlay multi-DRM service that supports common DRMs from Apple, Google, and Microsoft in addition to the open-standard Marlin DRM.

A good content protection solution is not only secure, but it is also completely seamless to the viewer. It blocks content pirates and does not impede the viewing quality of experience (QoE) for authorized viewers. Any problem in the services Intertrust operates could result in a significant disruption to customers’ businesses, as viewers would lose access to their content.

In this post, I dive into our partnership AWS that allows us to meet specific requirements from rights holders and service providers in a cost-effective and robust manner. AWS Elastic Cloud Compute allows us to scale our service on demand to meet the most exacting events, while Elastic Load Balancing enables scalability across availability zones ensuring a robust delivery. Amazon Route 53 ensures the lowest possible latency by routing requests to the data center closest to the viewer, while providing active failover between datacenters in different AWS regions in the rare event that an entire region is not accessible.

Protected Content Packaging

Because content is typically distributed over a CDN and is available for anyone to access and download, content encryption and Digital Rights Management (DRM) are the backbone of OTT content protection.

Content encryption ensures that only authorized viewers will be able to view the content. DRM adds an additional layer of protection by ensuring that only trusted clients that implement robust security measures are able to decrypt the content in accordance with the OTT provider’s business logic.

Another integral part of content packaging is the insertion of DRM signaling in the media, such as the common encryption Protection System Specific Header (PSSH). DRM signaling is used during playback by the media player to retrieve the content license, which includes the decryption key and business rules required to decrypt the content.

Figure 1 – Content protection section of a DASH manifest with DRM signaling highlighted in bold

Because the content packaging and playback workflows need to coordinate the DRM signaling and encryption keys, it is critical that the content packaging workflow and the DRM system are tightly integrated.

AWS Media Services Integration

As many of our customers have become comfortable with hosting mission-critical services in the cloud, we have seen increased interest in migration of packaging and content preparation workflows to the AWS Cloud.

AWS developed the Secure Packager and Encoder Key Exchange (SPEKE) protocol, which has been broadly adopted by the content protection industry. It provides a simple and secure interface for delivery of content encryption keys and DRM signaling from a DRM system to an encryptor (typically a tool/service responsible for media packaging).

SPEKE has been integrated with AWS Media Services, enabling the encryption and insertion of DRM signaling data into live and VOD content processed by AWS Elemental MediaPackage and AWS Elemental MediaConvert in the cloud, or AWS Elemental Live and AWS Elemental Delta for on-premises deployments.

Intertrust workflow diagram of AWS cloud-based packaging using SPEKE protocol

Figure 2 – AWS cloud-based packaging using SPEKE protocol

Intertrust leverages SPEKE to offer customers a straightforward and streamlined integration with AWS Media Services:

  1. Setup – Customers use an AWS CloudFormation script provided by ExpressPlay DRM services to set up an Amazon API Gateway endpoint as well as AWS Identity and Access Management (IAM) roles for MediaPackage and MediaConvert to access the API Gateway endpoint. The API Gateway endpoint itself uses SPEKE to communicate with the ExpressPlay Key Management Service (KMS).
  2. Packaging – AWS Media Services call the ExpressPlay KMS through the API Gateway endpoint to retrieve the encryption keys matching the key identifiers specified in the job, as well as the DRM signaling from the ExpressPlay KMS, and uses that information to package the media. In the MediaPackage and MediaConvert jobs, the customer specifies the following:
    • The system identifiers for the DRM systems that they would like to package content for key identifiers of the encryption keys that should be used to encrypt the media (keys are securely managed by the ExpressPlay KMS)
    • The API Gateway endpoint that was set up by the CloudFormation script
    • The Amazon Resource Name (ARN) for the AWS service accessing the API Gateway endpoint
  3. DRM License Issuing – The same key identifiers specified in the packaging jobs are later used by the OTT service to generate DRM licenses from the ExpressPlay multi-DRM cloud service.


We have successfully deployed SPEKE with several ExpressPlay multi-DRM customers and several more deployments are on track to launch this year. These deployments deliver both on-demand and live streaming assets packaged by AWS Media Services, and are protected by Apple FairPlay Streaming, Google Widevine, and Microsoft PlayReady DRMs using licenses issued by the ExpressPlay multi-DRM cloud service.

As SPEKE continues to evolve, we’ll take advantage of new capabilities and deepen our integration with AWS Media Services to further benefit our customers.

For more details, download a joint solution brief from Intertrust and AWS: Secure OTT streaming with Cloud-Based Multi-DRM Service.