使用 Azure 门户配置内容保护策略Configure content protection policies by using the Azure portal

媒体服务徽标media services logo


Google Widevine 内容保护服务目前在 Azure 中国区域不可用。Google Widevine content protection services are currently unavailable in the Azure China regions.


要完成本教程,需要一个 Azure 帐户。To complete this tutorial, you need an Azure account. 有关详细信息,请参阅 Azure 试用For details, see Azure trial. 不会向媒体服务 v2 添加任何新特性或新功能。No new features or functionality are being added to Media Services v2.
查看最新版本:媒体服务 v3Check out the latest version, Media Services v3. 另请参阅从 v2 到 v3 的迁移指南Also, see migration guidance from v2 to v3

使用 Azure 媒体服务,可以在媒体从离开计算机到存储、处理和传送的整个过程中确保其安全。With Azure Media Services, you can secure your media from the time it leaves your computer through storage, processing, and delivery. 可以通过媒体服务传送按高级加密标准 (AES)(使用 128 位加密密钥)动态加密的内容。You can use Media Services to deliver your content encrypted dynamically with the Advanced Encryption Standard (AES) by using 128-bit encryption keys. 也可借助 PlayReady 和/或 Apple FairPlay,将其与通用加密 (CENC) 配合使用。You also can use it with common encryption (CENC) by using PlayReady and/or Apple FairPlay.

媒体服务提供用于向已授权客户端传送 DRM 许可证和 AES 明文密钥的服务。Media Services provides a service for delivering DRM licenses and AES clear keys to authorized clients. 可以使用 Azure 门户创建一个适用于所有类型的加密的密钥/许可证授权策略。You can use the Azure portal to create one key/license authorization policy for all types of encryptions.

本文演示如何使用门户配置内容保护策略。This article demonstrates how to configure a content protection policy by using the portal. 本文还演示如何为资产应用动态加密。The article also shows how to apply dynamic encryption to your assets.

开始配置内容保护Start to configure content protection

若要通过门户使用媒体服务帐户来配置全局内容保护,请执行以下步骤:To use the portal to configure global content protection by using your Media Services account, take the following steps:

  1. 门户中选择媒体服务帐户。In the portal, select your Media Services account.

  2. 选择“设置” > “内容保护” 。Select Settings > Content protection.


密钥/许可证授权策略Key/license authorization policy

媒体服务支持通过多种方式对发出密钥或许可证请求的用户进行身份验证。Media Services supports multiple ways of authenticating users who make key or license requests. 必须配置内容密钥授权策略。You must configure the content key authorization policy. 然后,客户端必须符合策略,系统才会向其传送密钥/许可证。Your client then must meet the policy before the key/license can be delivered to it. 内容密钥授权策略可能有一种或多种授权限制:开放或令牌限制。The content key authorization policy can have one or more authorization restrictions, either open or token restrictions.

可以使用门户创建一个适用于所有类型的加密的密钥/许可证授权策略。You can use the portal to create one key/license authorization policy for all types of encryptions.

开放授权Open authorization

“开放”限制意味着系统会将密钥传送到发出密钥请求的任何用户。Open restriction means that the system delivers the key to anyone who makes a key request. 此限制可能适用于测试用途。This restriction might be useful for test purposes.

令牌授权Token authorization

令牌限制策略必须附带由安全令牌服务 (STS) 颁发的令牌。The token-restricted policy must be accompanied by a token issued by a security token service (STS). 媒体服务支持采用简单 Web 令牌 (SWT) 格式和 JSON Web 令牌 (JWT) 格式的令牌。Media Services supports tokens in the simple web token (SWT) and JSON Web Token (JWT) formats. 媒体服务不提供 STS。Media Services doesn't provide an STS. 可以创建自定义 STS 或使用 Azure 访问控制服务来颁发令牌。You can create a custom STS or use Azure Access Control Service to issue tokens. 必须将 STS 配置为创建令牌,该令牌使用指定密钥以及在令牌限制配置中指定的颁发声明进行签名。The STS must be configured to create a token signed with the specified key and issue claims that you specified in the token restriction configuration. 如果令牌有效,而且令牌中的声明与为密钥(或许可证)配置的声明相匹配,则媒体服务密钥传送服务会将请求的密钥(或许可证)返回到客户端。If the token is valid and the claims in the token match those configured for the key (or license), the Media Services key delivery service returns the requested key (or license) to the client.

配置令牌限制策略时,必须指定主验证密钥、颁发者和受众参数。When you configure the token-restricted policy, you must specify the primary verification key, issuer, and audience parameters. 主验证密钥包含为令牌签名时使用的密钥。The primary verification key contains the key that the token was signed with. 颁发者是颁发令牌的安全令牌服务。The issuer is the secure token service that issues the token. 受众(有时称为范围)描述该令牌的意图,或者令牌授权访问的资源。The audience (sometimes called scope) describes the intent of the token or the resource the token authorizes access to. 媒体服务密钥交付服务会验证令牌中的这些值是否与模板中的值匹配。The Media Services key delivery service validates that these values in the token match the values in the template.


PlayReady 许可证模板PlayReady license template

PlayReady 许可证模板设置在 PlayReady 许可证上启用的功能。The PlayReady license template sets the functionality that is enabled on your PlayReady license. 有关 PlayReady 许可证模板的详细信息,请参阅媒体服务 PlayReady 许可证模板概述For more information about the PlayReady license template, see the Media Services PlayReady license template overview.


如果将许可证配置为非永久性许可证,则当播放器使用它时,它仅存储在内存中。If you configure a license as nonpersistent, it's held in memory only while the player uses the license.



如果将许可证配置为永久性许可证,它会保存在客户端的永久性存储中。If you configure a license as persistent, it's saved in persistent storage on the client.


FairPlay 配置FairPlay configuration

若要启用 FairPlay 加密,请选择“FairPlay 配置” 。To enable FairPlay encryption, select FairPlay configuration. 然后选择“应用证书”并输入 应用程序机密密钥Then select the App certificate and enter the Application Secret Key. 有关 FairPlay 配置和要求的详细信息,请参阅使用 Apple FairPlay 或 Microsoft PlayReady 保护 HLS 内容For more information about FairPlay configuration and requirements, see Protect your HLS content with Apple FairPlay or Microsoft PlayReady.

FairPlay 配置

将动态加密应用于资产Apply dynamic encryption to your asset

若要利用动态加密,请将源文件编码为一组自适应比特率 MP4 文件。To take advantage of dynamic encryption, encode your source file into a set of adaptive-bitrate MP4 files.

选择要加密的资产Select an asset that you want to encrypt

若要查看所有资产,选择“设置” > “资产” 。To see all your assets, select Settings > Assets.


使用 AES 或 DRM 加密Encrypt with AES or DRM

针对资产选择“加密”时,会看到两个选择:AESDRMWhen you select Encrypt for an asset, you see two choices: AES or DRM.


对所有流式处理协议启用 AES 明文密钥加密:平滑流式处理、HLS 和 MPEG DASH。AES clear key encryption is enabled on all streaming protocols: Smooth Streaming, HLS, and MPEG-DASH.



  1. 选择“DRM”后,会看到不同的内容保护策略(必须通过此点进行配置)和一组流式处理协议: After you select DRM, you see different content protection policies (which must be configured by this point) and a set of streaming protocols:
  • 仅将 PlayReady 应用于平滑流式处理、HLS 和 MPEG-DASH 即可通过 PlayReady DRM 动态加密平滑流式处理、HLS 和 MPEG-DASH 流。PlayReady only with Smooth Streaming, HLS, and MPEG-DASH dynamically encrypts Smooth Streaming, HLS, and MPEG-DASH streams with PlayReady DRM.
  • 仅将 FairPlay 应用于 HLS 即可通过 FairPlay 动态加密 HLS 流。FairPlay only with HLS dynamically encrypts your HLS stream with FairPlay.
  1. 若要启用 FairPlay 加密,请在“内容保护全局设置”边栏选项卡上选择“FairPlay 配置”。 To enable FairPlay encryption, on the Content Protection Global Settings blade, select FairPlay configuration. 然后选择“应用证书”并输入 应用程序机密密钥Then select the App certificate, and enter the Application Secret Key.


  2. 进行加密选择后,选择“应用” 。After you make the encryption selection, select Apply.


如果打算在 Safari 中播放 AES 加密的 HLS,请参阅博客文章:Safari 中加密的 HLSIf you plan to play an AES-encrypted HLS in Safari, see the blog post Encrypted HLS in Safari.

后续步骤Next steps

媒体服务 v3(最新版本)Media Services v3 (latest)

查看最新版本的 Azure 媒体服务!Check out the latest version of Azure Media Services!

媒体服务 v2(旧版)Media Services v2 (legacy)