How to prepare an HLS encrypted video with FFmpeg

We had an interesting conversation this week with one of our pro users who wanted to post an encrypted HLS video via FV Coconut but did not want to create a Digital Ocean Spaces account. Coconut.co requires that video publishers have an online destination where it can store the files. S3 is one of the accepted destinations, Digital Ocean Spaces is an S3 clone but much less expensive and easier to use and manage. Since Coconut.co requires an account, we created a simple ffmpeg script to allow publishers to prepare one-off encrypted HLS videos without a Coconut.co account.

FV Player Coconut remains our recommended solution for creating an effective publisher workflow for encrypting videos for the web. But there should be a simple open source way as well. Here it is.

We created a shell script using FFmpeg to let you encode a MP4 video to encrypted HLS stream. It’s mainly for Mac and Linux users as it uses bash. Windows users can install WSL to run bash scripts.¹

#!/bin/bash

# Check if all required arguments are provided
if [ $# -ne 3 ]; then
    echo "Usage: $0 <input_file> <target_video_name> <wordpress_site_url>"
    echo "Example: $0 video.mp4 my-ffmpeg-video https://my-website.com"
    exit 1
fi

INPUT_FILE="$1"
TARGET_VIDEO_NAME="$2"
WEBSITE_URL="$3"
OUTPUT_DIR="${TARGET_VIDEO_NAME}"

# Ensure WEBSITE_URL is URL
if [[ ! "$WEBSITE_URL" =~ ^https?:// ]]; then
  WEBSITE_URL="https://$WEBSITE_URL"
  echo "WEBSITE_URL is not a valid URL, adding https:// prefix"
fi

# Create output directory if it doesn't exist
mkdir -p "$OUTPUT_DIR"

# Generate encryption key
ENCRYPTION_KEY=$(openssl rand 16 | xxd -p)
echo "Generated encryption key (hex): $ENCRYPTION_KEY"

# Create encryption.key file
echo "$ENCRYPTION_KEY" | xxd -r -p > "$OUTPUT_DIR/encryption.key"

# Create keyinfo.txt
echo "${WEBSITE_URL}/?fv_player_hls_key=${TARGET_VIDEO_NAME}" > "$OUTPUT_DIR/keyinfo.txt"
echo "$OUTPUT_DIR/encryption.key" >> "$OUTPUT_DIR/keyinfo.txt"

# Run ffmpeg command
ffmpeg -i "$INPUT_FILE" -hls_key_info_file "$OUTPUT_DIR/keyinfo.txt" -hls_time 10 -hls_list_size 0 -hls_segment_filename "$OUTPUT_DIR/v%v/segment%d.ts" -filter_complex "[0:v]split=2[v0][v1];[v0]scale='min(960,iw)':'min(540,ih)':force_original_aspect_ratio=decrease[v540];[v1]scale='min(1920,iw)':'min(1080,ih)':force_original_aspect_ratio=decrease[v1080]" -map "[v540]" -map "[v1080]" -map a:0 -map a:0 -c:v:0 libx264 -b:v:0 2000k -c:v:1 libx264 -b:v:1 5000k -c:a:0 aac -b:a:0 128k -c:a:1 aac -b:a:1 128k -var_stream_map "v:0,a:0 v:1,a:1" -f hls -master_pl_name master.m3u8 -hls_playlist_type vod "$OUTPUT_DIR/v%v/playlist.m3u8"

# Delete the keyinfo.txt and encryption.key files
rm "$OUTPUT_DIR/keyinfo.txt"
rm "$OUTPUT_DIR/encryption.key"

echo "Processing complete!"
echo "Output directory: $OUTPUT_DIR"
echo "Encryption key (hex): $ENCRYPTION_KEY"

For our test we used FFmpeg version 7.1.1 with libx264 available. You can run ffmpeg -encoders 2>&1 | grep libx264 to see if you have it installed.

We also count on FV Player Pro to ensure only the authorized users get the video decryption key. It works as an added layer of protection on top of the standard encrypted HLS. FV Player Pro also gives you the DRM watermark.

To use the script without FV Player Pro you would have to find some other way of storing the encryption key on your server in a way that HLS engine can access it to decrypt the video.

Usage

1. Save the script to your computer as encrypt-video.sh
2. Make sure it can be executed using chmod u+x encrypt-video.sh
3. Run the command like this:

./encrypt-video.sh <input_file> <target_video_name> <wordpress_site_url>

Example:

./encrypt-video.sh ~/Documents/Videos/my-video.mp4 my-video my-website.com 

4. The command will run for a while (might be about 1 or 2x the duration of the video). You will see all the FFmpeg output.

5. At the end you should see the output similar to following:

Processing complete!
Output directory: output_dominika-960-31
Encryption key (hex): c8152649e3d18b8c40f1508167637b95

You will see a different random “Encryption key”. You will need it for FV Player Pro in step 9. in order to be able to play the video.

6. Upload the resulting folder to your web host or CDN.
7. Make sure CORS headers are set.

If you are using your server with Apache, use this in .htaccess:

# CORS headers for .ts and .m3u8 files
<FilesMatch ".(ts|m3u8)$">
    Header add Access-Control-Allow-Origin "*"
    Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
    Header add Access-Control-Allow-Methods "GET, OPTIONS"
</FilesMatch> 

8. Enter the following in FV Player Editor as the “Video Link”:

https://your-cdn-or-server.com/your-video-path/{your video name}/master.m3u8

9. FV Player Editor will save your video and show the “Encrypted HLS” field. Put the “Encryption key” from step 5. into it.

10. The video should play. In case of issues verify that the CORS header are really present.

This way you can encrypt your videos anywhere and store them anywhere without having to use Coconut.co and DigitalOcean at all.

Obviously the downside is that it does not integrate into your WordPress interface and you have to run the command and upload your stream by hand.

Martin Viceník

Martin graduated as an engineer in Computer Science from Slovak Technical University in Bratislava. He grew up in Liptovský Mikuláš in northern Slovakia next to the beautiful Tatra mountains. He is the developer behind our FV Player.