Content Key Policies

Note

Google Widevine content protection services are currently unavailable in the Azure China regions.

With Media Services, you can deliver your live and on-demand content encrypted dynamically with Advanced Encryption Standard (AES-128) or either of the two major digital rights management (DRM) systems: Microsoft PlayReady and Apple FairPlay. Media Services also provides a service for delivering AES keys and DRM (PlayReady and FairPlay) licenses to authorized clients.

To specify encryption options on your stream, you need to create a Streaming Policy and associate it with your Streaming Locator. You create the Content Key Policy to configure how the content key (which provides secure access to your Assets) is delivered to end clients. You need to set the requirements (restrictions) on the Content Key Policy that must be met in order for keys with the specified configuration to be delivered to clients. The content key policy is not needed for clear streaming or downloading.

Usually, you associate your content key policy with your Streaming Locator. Alternatively, you can specify the content key policy inside a Streaming Policy (when creating a custom streaming policy for advanced scenarios).

Best practices and considerations

Important

Please review the following recommendations.

  • You should design a limited set of policies for your Media Services account and reuse them for your streaming locators whenever the same options are needed. For more information, see Quotas and limits.

  • Content key policies are updatable. It can take up to 15 minutes for the key delivery caches to update and pick up the updated policy.

  • We recommend that you do not create a new content key policy for each asset. The main benefits of sharing the same content key policy between assets that need the same policy options are:

    • It is easier to manage a small number of policies.
    • If you need to make updates to the content key policy, the changes go into effect on all new license requests almost right away.
  • If you do need to create a new policy, you have to create a new streaming locator for the asset.

  • It is recommended to let Media Services autogenerate the content key.

    Typically, you would use a long-lived key and check for the existence of the content key policy with Get. To get the key, you need to call a separate action method to get secrets or credentials; see the example that follows.

Example

To get to the key, use GetPolicyPropertiesWithSecretsAsync, as shown in the Get a signing key from the existing policy example.
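The check-then-fetch pattern described above, as an added example that is not code from the original page. It assumes the Microsoft.Azure.Management.Media v3 .NET SDK (a version in which a missing policy surfaces as ErrorResponseException), a JWT token restriction with a symmetric key, and AES clear-key delivery; the class, method and parameter names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Azure.Management.Media;
using Microsoft.Azure.Management.Media.Models;

public static class SharedKeyPolicy   // hypothetical helper, not part of the SDK
{
    // Returns the token signing key of one shared, token-restricted policy,
    // creating the policy on first use so later callers reuse it.
    public static async Task<byte[]> GetOrCreateSigningKeyAsync(
        IAzureMediaServicesClient client, string resourceGroup, string account,
        string policyName, string issuer, string audience)
    {
        try
        {
            // A plain Get only proves the policy exists; secret values are not returned.
            await client.ContentKeyPolicies.GetAsync(resourceGroup, account, policyName);
        }
        catch (ErrorResponseException ex) when (ex.Response.StatusCode == HttpStatusCode.NotFound)
        {
            // Assumption: older SDK releases report "not found" differently.
            byte[] newKey = new byte[40];   // constructed key length for this example
            using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(newKey); }
            var restriction = new ContentKeyPolicyTokenRestriction(
                issuer, audience, new ContentKeyPolicySymmetricTokenKey(newKey),
                ContentKeyPolicyRestrictionTokenType.Jwt);
            var options = new List<ContentKeyPolicyOption>
            {
                new ContentKeyPolicyOption
                {
                    Configuration = new ContentKeyPolicyClearKeyConfiguration(),
                    Restriction = restriction
                }
            };
            await client.ContentKeyPolicies.CreateOrUpdateAsync(
                resourceGroup, account, policyName, options);
            return newKey;
        }
        // Existing policy: secrets come from the separate action method.
        ContentKeyPolicyProperties props = await client.ContentKeyPolicies
            .GetPolicyPropertiesWithSecretsAsync(resourceGroup, account, policyName);
        foreach (ContentKeyPolicyOption option in props.Options)
            if (option.Restriction is ContentKeyPolicyTokenRestriction token &&
                token.PrimaryVerificationKey is ContentKeyPolicySymmetricTokenKey symmetric)
                return symmetric.KeyValue;
        throw new InvalidOperationException("Policy has no symmetric token signing key.");
    }
}
```

Call this once per policy name and reuse the result for every Streaming Locator that needs the same options. The returned key is the secret that signs client tokens, so keep it out of logs and configuration files.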

Filtering, ordering, paging

See Filtering, ordering, paging of Media Services entities.

Additional notes

  • Properties of the Content Key Policies that are of the Datetime type are always in UTC format.

Next steps