NextGen Live DRM

In this topic, you will learn how to enable content protection for your live stream.

DRM now works with redundant channels and also protects Low Latency HLS (LLHLS) outputs.

Live DRM is an add-on feature, not active by default.
If you would like access to this feature, please contact your Customer Success Manager.

Granular stream-level limitations (CRT) — NextGen Live now supports rendition-level DRM configurations by resolution group (SD, HD, UHD). This enables HDCP fallback so you can apply stronger protection to higher resolutions (e.g., HD/UHD) and more permissive rules for SD.

Enabling DRM for Live content

Note:

  • Your Live account must be enabled first by Brightcove Support in order to use DRM.
  • To publish a DRM-enabled channel, use any of the following:
    • A DRM-enabled Brightcove Player v6.37.1 or later
    • The Brightcove Native SDK for iOS v6.5.0 or later
    • The Brightcove Native SDK for Android v6.11.0 or later

  • By default, DRM is applied to outputs as follows:
    • FairPlay: applied to HLS outputs
    • PlayReady: applied to DASH outputs
    • Widevine: applied to HLS outputs
  • To override the default DRM settings, use the API or contact Brightcove Support to change them in the Live Platform.

Notes

  1. When creating a new channel, configure the DRM option and select the desired DRM encryptions for your channel.
  2. After creating the channel, open the Control Room to verify your encryption modes.

Playback technologies used

The Brightcove Player utilizes different DRM playback technologies with different browsers.

  • FairPlay: Apple's DRM system
  • PlayReady: Microsoft's DRM system
  • Widevine: Google's DRM system

The following table details the relationship between the browser (latest version), format, and playback technology used in Brightcove Player:

Browser | Format | Playback Technology | Rendition Type Used to Deliver DRM Content
Chrome Desktop | HLS with Widevine | EME | HLS
Chrome Mobile (iOS) | HLS with Widevine | Native | HLS
Chrome Mobile (Android) | HLS with Widevine | EME | HLS
Internet Explorer | No versions of IE are supported by Brightcove
Edge | HLS with Widevine | EME | HLS
Safari | HLS with FairPlay | Native HLS | HLS
Firefox | HLS with Widevine | EME | HLS

For further assistance, please contact Brightcove Support or your Customer Success Manager.

DRM license requests during playback

The number of DRM license requests generated during a single playback session is different for NextGen Live content than it is for VOD. This is expected behavior and is a result of how DRM keys are assigned to your content.

VOD playback

VOD supports both a single DRM key and multiple DRM keys:

  • Single key (default): By default, Brightcove uses one DRM key across all renditions. Because the player and the device's Content Decryption Module (CDM) encounter only one key during playback, a VOD playback session typically requires one DRM license request.
  • Multiple keys (more secure option): VOD can also be configured to use separate DRM keys per rendition or stream type for stronger protection. When multiple keys are used, the player and CDM may issue more than one license request per session.

NextGen Live playback

NextGen Live supports multiple DRM keys only. Brightcove always uses separate DRM keys per rendition or stream type (for example, AUDIO, SD, HD, and UHD); a single-key configuration is not available for Live. This is expected behavior, even when per-stream-type DRM/HDCP fallback (CRT) is not enabled on your account. Because the player and CDM encounter multiple key IDs during playback startup, they may issue a separate license request for each key. As a result, a single Live playback session can generate multiple DRM license requests.

There is no fixed number of license requests per Live playback session. The exact number can vary depending on the Live output configuration, the number of renditions and stream types, packaging, the playback environment, and the behavior of the player and CDM.

Why NextGen Live uses separate keys

Live content — especially time-sensitive content such as sports or premium live events — has immediate value and requires a stronger security posture. Using separate keys per rendition or stream type provides better encapsulation and isolation of DRM keys: if one rendition key were compromised, the other rendition keys remain separately protected. Because Live always uses multiple keys, this higher level of protection produces more license requests than the default VOD configuration, where a single key is used across renditions.

Example

A single viewer starts a NextGen Live event that is published with separate keys for its audio and video renditions. As the player begins playback, the CDM encounters more than one key ID and issues a license request for each one, so one viewer session can produce several DRM license requests. Because of this, the Encryption Licenses count reported in billing can exceed the number of Live stream views or playback sessions. A ratio where Encryption License usage is higher than Live stream starts or Live views is therefore expected, and does not, on its own, indicate duplicate playback sessions or a billing or reporting defect.

DRM Encryption using the NextGen Live API

To enable DRM for a Brightcove Live channel, add an encryption object to the job definition you send to the Live API.
You may list individual modes (e.g. ["widevine","fairplay","playready"]) or simply use ["all"] to enable every supported scheme.

  • To create a live job with DRM encryption enabled, send a POST request to:

    
    https://api.live.brightcove.com/v2/accounts/{account_id}/jobs
          

    Example request body (adjust as needed):

    {
      "type": "event",
      "name": "DRM",
      "region": "us-east-1",
      "input": {
        "protocol": "srt",
        "fixed_ingest_ip": false
      },
      "outputs": {
        "video": [
          {
            "label": "hls270p",
            "height": 270,
            "width": 480,
            "bitrate": 450000,
            "codec": "h264",
            "codec_options": { "level": "3", "profile": "main" },
            "framerate": "30/1",
            "num_b_frames": 3,
            "num_reference_frames": 4,
            "keyframe_rate": 0.5,
            "sample_aspect_ratio": "1:1",
            "decoder_buffer_size": 675000,
            "max_bitrate": 540000
          },
          {
            "label": "hls360p",
            "height": 360,
            "width": 640,
            "bitrate": 780000,
            "codec": "h264",
            "codec_options": { "level": "3", "profile": "main" },
            "framerate": "30/1",
            "num_b_frames": 3,
            "num_reference_frames": 4,
            "keyframe_rate": 0.5,
            "sample_aspect_ratio": "1:1",
            "decoder_buffer_size": 1170000,
            "max_bitrate": 936000
          },
          {
            "label": "hls540p",
            "height": 540,
            "width": 960,
            "bitrate": 1500000,
            "codec": "h264",
            "codec_options": { "level": "3.2", "profile": "main" },
            "framerate": "30/1",
            "num_b_frames": 3,
            "num_reference_frames": 4,
            "keyframe_rate": 0.5,
            "sample_aspect_ratio": "1:1",
            "decoder_buffer_size": 2250000,
            "max_bitrate": 1800000
          },
          {
            "label": "hls720p",
            "height": 720,
            "width": 1280,
            "bitrate": 2400000,
            "codec": "h264",
            "codec_options": { "level": "4", "profile": "high" },
            "framerate": "30/1",
            "num_b_frames": 3,
            "num_reference_frames": 4,
            "keyframe_rate": 0.5,
            "sample_aspect_ratio": "1:1",
            "decoder_buffer_size": 3600000,
            "max_bitrate": 2880000
          },
          {
            "label": "hls1080p",
            "height": 1080,
            "width": 1920,
            "bitrate": 4500000,
            "codec": "h264",
            "codec_options": { "level": "4.2", "profile": "high" },
            "framerate": "30/1",
            "num_b_frames": 3,
            "num_reference_frames": 4,
            "keyframe_rate": 0.5,
            "sample_aspect_ratio": "1:1",
            "decoder_buffer_size": 6750000,
            "max_bitrate": 5400000
          }
        ],
        "audio": [
          {
            "label": "aac1",
            "input_selector_name": "default",
            "language_code": "eng",
            "codec": "aac",
            "bitrate": 128000,
            "sample_rate": 48000
          }
        ],
        "rtmp": [
          {
            "label": "primary_rtmp",
            "url": "rtmp://primary.example.com/live/stream_key_1",
            "video_label": "hls1080p",
            "audio_label": "aac1"
          },
          {
            "label": "backup_rtmp",
            "url": "rtmps://backup.example.com/live/stream_key_2",
            "video_label": "hls720p",
            "audio_label": "aac1"
          }
        ]
      },
      "manifest": {
        "name": "playlist",
        "segment_duration_seconds": 6,
        "playlist_window_seconds": 30,
        "hls": {}
      },
      "maintenance_preferences": {
        "day": "WEDNESDAY",
        "start_time": "02:00"
      },
      "playback_rights_id": "primary",
      "encryption": {
        "modes": ["widevine", "fairplay", "playready"]
      }
    }

Granular stream-level DRM (CRT)

With Content Restriction Templates (CRT), you can enforce different DRM/HDCP requirements per rendition tier.

Default DRM CRT settings:

Rendition Group | DRM/HDCP Setting
SD / Audio-only | HDCP_NONE
HD | HDCP_NONE
UHD | HDCP_NONE

Example settings you can request from Brightcove Support:

  • HDCP_V1: Provides content protection suitable for HD streams, such as 720p and 1080p
  • HDCP_V2: Applies stronger protection standards, commonly required for UHD and premium video content
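
An added example (not Brightcove's code) that audits a job definition like the one above before it is submitted: which DRM modes it enables, which stream types it produces, and which HD/UHD renditions would still play without an HDCP requirement under a given CRT table. The height cut-offs for SD/HD/UHD and the shape of the `crt` dictionary are assumptions; the page only states that HD covers streams such as 720p and 1080p.

```python
# Modes named on this page; ["all"] enables every supported scheme.
KNOWN_MODES = {"widevine", "fairplay", "playready"}
# Default CRT table from this page (the dict shape is an assumption).
DEFAULT_CRT = {"SD": "HDCP_NONE", "HD": "HDCP_NONE", "UHD": "HDCP_NONE"}

def effective_modes(job):
    """Return the DRM schemes a job enables; an empty set means no DRM."""
    modes = set((job.get("encryption") or {}).get("modes") or [])
    if "all" in modes:
        return set(KNOWN_MODES)
    unknown = modes - KNOWN_MODES
    if unknown:
        raise ValueError(f"unknown encryption modes: {sorted(unknown)}")
    return modes

def rendition_group(height):
    """Map a video height to a rendition group (ASSUMED cut-offs)."""
    if height < 720:
        return "SD"
    return "HD" if height <= 1080 else "UHD"

def audit(job, crt=DEFAULT_CRT):
    """Report enabled modes, stream types present, and HD/UHD HDCP gaps."""
    outputs = job.get("outputs", {})
    groups = {}
    for video in outputs.get("video", []):
        groups.setdefault(rendition_group(video["height"]), []).append(video["label"])
    stream_types = sorted(groups) + (["AUDIO"] if outputs.get("audio") else [])
    # HD/UHD renditions whose template still allows playback without HDCP.
    gaps = [label for group in ("HD", "UHD")
            if crt.get(group, "HDCP_NONE") == "HDCP_NONE"
            for label in groups.get(group, [])]
    return {"modes": sorted(effective_modes(job)),
            "stream_types": stream_types,
            "hd_uhd_without_hdcp": gaps}

# Constructed sample: a trimmed copy of the request body shown on this page.
SAMPLE_JOB = {
    "outputs": {
        "video": [{"label": "hls540p", "height": 540},
                  {"label": "hls720p", "height": 720},
                  {"label": "hls1080p", "height": 1080}],
        "audio": [{"label": "aac1"}]},
    "encryption": {"modes": ["widevine", "fairplay", "playready"]},
}

if __name__ == "__main__":
    print(audit(SAMPLE_JOB))
```

With the default table every HD rendition is reported as a gap; passing a table that sets HD to HDCP_V1 and UHD to HDCP_V2 clears the list.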

Reach out to Brightcove Support for an exhaustive overview of the available features provided by Brightcove NextGen Live.