In our daily lives, we rotate quite a few things: Our clothing (probably on a daily basis), our bedsheets (there is an ongoing discussion between my wife and me about the frequency that this needs to be done) and the diapers of our babies (I am pretty new to this club).
Video streaming providers are happily adding one more thing to their list: rotating DRM keys. Why do they do that? Well because of evil guys and large revenue losses. International research estimates that digital video piracy inflicts up to $71 billion in annual losses on the global entertainment industry.
The idea behind DRM key rotation
So what is Digital Rights Management (DRM) and what is DRM key rotation?
DRM, or Digital Rights Management, is a technology used to set and enforce usage rights of copyrighted digital content like music and videos. It prevents unauthorized access, copying, and distribution by using measures such as encryption.
DRM key rotation is the process of periodically changing the encryption keys used to secure digital content. Typically, in DRM key rotation, DRM rules remain unchanged while only the key ID and the key are rotated at the encryption level. DRM key rotation serves two fundamental purposes:
- First, it provides short-lived access by refreshing the encryption layer so compromised keys quickly expire.
- Second, it enables fast re-evaluation of business rules (entitlement, access denial, fraud response) so that rapid detection of anomalies results in rapid action.
Together, these protect both the cryptographic boundary and the commercial rules of the media stream.
Downsides of traditional key rotation
Traditional DRM key rotation hinges on the issuance of new licenses, which are more than just raw keys — they are encrypted entitlements. Each license carries rights objects, robustness rules, output protections, and usage policies within a DRM-specific cryptographic framework. This results in:
- Heavy processing overhead from certificate validation, entitlement parsing, and OS-level DRM negotiation on every rotation.
- Latency and scalability bottlenecks as frequent license transactions become costly at scale.
- Operational rigidity since cadence and targeting are tied to license churn, causing fragility in live workflows.
- Variability across DRMs because CDMs behave differently (some support multi-key licenses, others do not), forcing providers to scale to the least capable system.
- Predictability since conventional rotations occur on fixed heartbeats (e.g., every five minutes), which pirates can easily script around
Keeping it really EZ
Together with EZDRM we implemented a new enveloping approach to offload key rotation to edge workers, enabling the assignment of individual encryption keys to specific geographic locations or individual users. By decoupling DRM robustness rules like output protection from the encryption process, the approach achieves high scalability while supporting sub-minute, asynchronous, and jittered rotation.
From a high level perspective, the system works as follows:
The edge packagers receive the media files from a CDN, add envelope encryption to selected media segments, and upload them back to the CDN. In addition, the DASH/HLS manifest files are enhanced with DASH/HLS events to signal required encryption information to the client. The envelope encryption is individual to each user, enabling fine-grain management of the playback session. On the client-side, the media player requests the enhanced manifest files and media segments directly from the CDN and use the information from the DASH/HLS manifest and the EZDRM key server to decrypt the media segments and remove the envelope encryption.
The reference implementation uses AWS edge processing, the EZDRM API for key retrieval, dash.js and shaka-player with the Web Crypto API.
Our first results showed that the enveloping approach scales efficiently under live and VoD conditions and does not introduce a significant client-side overhead. It enables personalized, unpredictable key rotation that raises the barrier for piracy while remaining operationally viable.
We will present more detailed results at the upcoming Mile High Video 26 in Denver.
If you want to learn more about the solution, checkout the description on “Precision Envelope Management” on the EZDRM website.
And since you are already checking your calendar, don’t forget to save the dates for the 13th FOKUS Media Web Symposium, happening in Berlin on June 16-17.