DRM Content Protection
Digital Rights Management (DRM) encrypts your media content so that only authorized players and devices can decrypt and play it back. MK.IO handles DRM key management and license delivery, so you can protect live and VOD streams without running your own license server.
How DRM works in MK.IO
DRM protection in MK.IO relies on three components working together:
- Content key policy: defines which encryption schemes to use (ClearKey, Widevine, PlayReady, FairPlay) and whether a JWT token is required for license acquisition.
- Streaming policy: determines the encryption format applied to your packaged streams (CENC or CBCS).
- Streaming locator: ties an asset to a streaming policy and content key policy, producing encrypted playback URLs and license acquisition URLs.
When a player requests a protected stream, it contacts the MK.IO license server with the appropriate credentials. MK.IO validates the request, issues the decryption key or license, and the player decrypts the stream for playback.
Encryption types
MK.IO supports four encryption modes. Choose the one that matches your security requirements and target platforms.
| Encryption type | Protocols | Encryption format | Use case |
|---|---|---|---|
| ClearKey | HLS, DASH | HLS: CBCS, DASH: CENC | Lowest latency encryption. Suitable for basic protection and testing. |
| Widevine | HLS, DASH | CENC | Chrome, Android, smart TVs, and other Widevine-licensed devices. |
| PlayReady | HLS, DASH | CENC | Edge, Xbox, Windows devices, and PlayReady-licensed smart TVs. |
| FairPlay | HLS only | CBCS | Safari and Apple devices. Requires an Apple FairPlay certificate. |
Do not add ClearKey to a policy that also uses DRM schemes (Widevine, PlayReady, or FairPlay). Combining ClearKey with DRM reduces the security effectiveness of the policy.
Streaming policy and encryption pairing
When you create a streaming locator, the streaming policy you select must match the content key policy. MK.IO provides predefined streaming policies for common configurations:
| Streaming policy | Required DRM schemes | Notes |
|---|---|---|
Predefined_ClearStreamingOnly | None | No encryption. Use for testing unprotected playback. |
Predefined_ClearKey | ClearKey | Basic encryption without a full DRM license server. |
Predefined_MultiDrmStreaming | Widevine, PlayReady, and FairPlay | Full multi-DRM. The content key policy must include all three schemes. |
Predefined_MultiDrmCencStreaming | Widevine and PlayReady | CENC-only multi-DRM. No FairPlay required. |
DRM support by platform
Each browser and platform supports specific DRM systems. The player automatically selects the correct DRM based on the environment.
| Platform | Recommended DRM | Protocol |
|---|---|---|
| Chrome, Firefox, Android | Widevine | DASH |
| Safari, iOS, macOS | FairPlay | HLS |
| Edge (Windows) | PlayReady | DASH |
| Smart TVs (varies) | Widevine or PlayReady | DASH |
For a detailed compatibility matrix, refer to the Bitmovin DRM support reference (opens in a new tab).
High-level workflow
Follow these steps to protect and play back an encrypted asset:
- Verify your asset plays unencrypted. Create a streaming locator with
Predefined_ClearStreamingOnlyand confirm playback works before adding encryption. - Create a content key policy with your chosen DRM schemes and token settings.
- Create a streaming locator that references both your streaming policy and content key policy.
- Test playback using MKPlayer or your player SDK with the encrypted URLs and license acquisition URLs.