Glossary entry · Encryption

AES-128 (HLS Stream Encryption)

The cipher most commonly used to encrypt HLS segments. Lightweight, easy to deploy, and not DRM. AES-128 protects against casual scraping but not against a determined client with the key.

Definition

AES (Advanced Encryption Standard) is a symmetric block cipher standardized in 2001 by NIST as FIPS 197. The number 128 specifies the key length in bits. AES-128 uses the shortest of the three key lengths the cipher supports (128, 192 and 256 bits) and is widely considered secure for general-purpose data protection.

When the HLS specification mentions AES-128, it means a very specific construction: AES-128 in CBC mode with a 16-byte initialization vector and PKCS#7 padding applied to each segment. The full mechanics are described in section 4.3.2.4 of RFC 8216.

How AES-128 protects HLS segments

The protection model is straightforward. Every .ts or .m4s segment in a media playlist is encrypted independently. The encryption is applied to the full segment bytes before they are written to disk on the origin server. The encrypted segment is what the CDN caches and what a client downloads. Decryption happens inside the player after the segment finishes downloading and before it is fed to the decoder.

The key is not embedded in the segment. The playlist references the key through a URI attribute, and the player fetches the key with a normal HTTP request. Access control is enforced by the server hosting the key: a token, signed URL, or session cookie typically gates the key download. This separation is the entire security model. If the key URL is unprotected, anyone who reads the playlist can decrypt the stream.

The EXT-X-KEY tag and key file format

The EXT-X-KEY tag appears in the media playlist before the segments it applies to. A typical declaration looks like this:

#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/master.key",IV=0x00000000000000000000000000000001

The attributes break down as follows. METHOD names the encryption scheme, here AES-128, meaning the AES-128-CBC construction with PKCS#7 padding described above. URI is the address of the key file, which the player fetches with a normal HTTP request; whatever access control gates that download is what protects the stream. IV, when present, is the 16-byte initialization vector written as a hexadecimal value; when it is absent, the IV is derived from the segment's media sequence number.

When a player encounters an EXT-X-KEY tag, it fetches the key file once (cached for the rest of the session by default) and then decrypts every following segment with that key until another EXT-X-KEY tag overrides it.
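As an added example (not part of this glossary entry and not any player's or packager's code), the following Go program parses EXT-X-KEY tags and walks a constructed media playlist, recording which key URI and which IV a player would apply to each segment: the explicit IV when the tag carries one, otherwise the media sequence number placed in a 16-byte big-endian buffer. It also shows a key tag staying in force until a later tag overrides it. The playlist, key URLs and segment names are made up for the example; the program does no network I/O, since fetching the key is the step the key server's access control gates.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// KeyTag holds the attributes of one #EXT-X-KEY line.
type KeyTag struct {
	Method string
	URI    string
	IV     []byte // nil when the tag declares no IV attribute
}

// splitAttrs splits on commas outside double quotes, so a quoted URI that
// itself contains a comma (a query string, say) is not cut in half.
func splitAttrs(s string) []string {
	var parts []string
	start, inQuote := 0, false
	for i, r := range s {
		if r == '"' {
			inQuote = !inQuote
		} else if r == ',' && !inQuote {
			parts, start = append(parts, s[start:i]), i+1
		}
	}
	return append(parts, s[start:])
}

// ParseKeyTag parses a #EXT-X-KEY line into its METHOD, URI and optional IV.
func ParseKeyTag(line string) (KeyTag, error) {
	var tag KeyTag
	for _, attr := range splitAttrs(strings.TrimPrefix(line, "#EXT-X-KEY:")) {
		name, value, _ := strings.Cut(attr, "=")
		switch name {
		case "METHOD":
			tag.Method = value
		case "URI":
			tag.URI = strings.Trim(value, `"`)
		case "IV":
			raw, err := hex.DecodeString(strings.TrimPrefix(strings.ToLower(value), "0x"))
			if err != nil || len(raw) != 16 {
				return tag, fmt.Errorf("IV must be 16 bytes of hex, got %q", value)
			}
			tag.IV = raw
		}
	}
	if tag.Method == "AES-128" && tag.URI == "" {
		return tag, fmt.Errorf("METHOD=AES-128 requires a URI attribute")
	}
	return tag, nil
}

// SegmentPlan records the key URI and IV (hex) a player would apply to one segment.
type SegmentPlan struct{ URI, KeyURI, IV string }

// PlanDecryption walks a media playlist. An EXT-X-KEY stays in force until a
// later one overrides it, and the media sequence number advances per segment.
func PlanDecryption(playlist string) ([]SegmentPlan, error) {
	var plans []SegmentPlan
	var key *KeyTag
	var seq uint64
	for _, line := range strings.Split(playlist, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case strings.HasPrefix(line, "#EXT-X-MEDIA-SEQUENCE:"):
			n, err := strconv.ParseUint(strings.TrimPrefix(line, "#EXT-X-MEDIA-SEQUENCE:"), 10, 64)
			if err != nil {
				return nil, err
			}
			seq = n
		case strings.HasPrefix(line, "#EXT-X-KEY:"):
			tag, err := ParseKeyTag(line)
			if err != nil {
				return nil, err
			}
			key = &tag
		case line == "" || strings.HasPrefix(line, "#"): // other tags carry no segment
		default: // a non-tag line is a segment URI
			plan := SegmentPlan{URI: line}
			if key != nil && key.Method == "AES-128" {
				iv := key.IV
				if iv == nil { // no IV attribute: sequence number, big-endian, left-padded
					iv = make([]byte, 16)
					binary.BigEndian.PutUint64(iv[8:], seq)
				}
				plan.KeyURI, plan.IV = key.URI, hex.EncodeToString(iv)
			}
			plans = append(plans, plan)
			seq++
		}
	}
	return plans, nil
}

// ConstructedPlaylist is made up for this example: the first key relies on the
// implicit IV, the second declares one explicitly.
const ConstructedPlaylist = `#EXT-X-MEDIA-SEQUENCE:7
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/master.key"
#EXTINF:6.000,
seg7.ts
#EXTINF:6.000,
seg8.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/second.key",IV=0x00000000000000000000000000000001
#EXTINF:6.000,
seg9.ts`
```

Running PlanDecryption over ConstructedPlaylist yields seg7 and seg8 under master.key with IVs ending in 07 and 08, and seg9 under second.key with the declared IV ending in 01. The rejection of a METHOD=AES-128 tag without a URI is deliberate: a key that cannot be located is a playlist defect, not something to paper over.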

CBC mode and the IV

AES in Cipher Block Chaining (CBC) mode encrypts data in 16-byte blocks. Each block is XORed with the previous block's ciphertext before encryption. The very first block has no previous ciphertext, so it is XORed with an initialization vector instead.

For HLS, the IV is either explicitly declared in the playlist, or implicitly derived as the 16-byte big-endian representation of the segment's media sequence number. The implicit derivation has the convenient property that every segment uses a unique IV without the playlist having to spell it out for every single segment.

PKCS#7 padding is applied so that the segment length becomes a multiple of 16 bytes. The decoder strips the padding after decryption. If you ever try to decrypt an HLS segment by hand and the result is corrupted, padding handling is usually the bug.
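To make the CBC and padding mechanics concrete, here is an added Go example (not code from this page, nor from any packager or player) that encrypts a constructed segment exactly as described above and decrypts it again, with a PKCS#7 strip that rejects a malformed tail. The key and segment bytes are constructed for the example. It also demonstrates the quieter failure mode: in CBC the IV touches only the first block, so decrypting with a neighbouring segment's IV corrupts 16 bytes while the rest of the segment and the padding survive and no error is raised.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// pkcs7Pad appends 1 to 16 bytes, each equal to the number of bytes added, so the
// length becomes a multiple of 16. An already aligned segment still gains a full
// block of 0x10 bytes; that is why an encrypted segment is always longer.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad checks and strips the padding. A malformed tail is the symptom you
// see when the key is wrong or the ciphertext was cut at a non-block boundary.
func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("data length is not a multiple of 16")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, fmt.Errorf("invalid padding length %d", n)
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// ImplicitIV is the media sequence number as a 16-byte big-endian integer.
func ImplicitIV(mediaSequence uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], mediaSequence)
	return iv
}

// EncryptSegment does what the packager does: AES-128-CBC over the PKCS#7-padded
// segment bytes, with the IV that belongs to this segment.
func EncryptSegment(key, iv, segment []byte) ([]byte, error) {
	if len(key) != 16 || len(iv) != aes.BlockSize {
		return nil, errors.New("key and IV must be 16 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(segment)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// DecryptSegment does what the player does after the download finishes: CBC
// decryption followed by the padding strip, before bytes reach the decoder.
func DecryptSegment(key, iv, ciphertext []byte) ([]byte, error) {
	if len(key) != 16 || len(iv) != aes.BlockSize {
		return nil, errors.New("key and IV must be 16 bytes")
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of 16")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ciphertext)
	return pkcs7Unpad(plain)
}

// RoundTrip encrypts a constructed 200-byte segment for media sequence 7 and
// decrypts it again. It also decrypts with the neighbouring segment's IV to show
// that a wrong IV corrupts only the first 16 bytes: the rest of the segment and
// the padding come out intact, so nothing flags the error.
func RoundTrip() (roundTripOK, onlyFirstBlockCorrupt bool, err error) {
	key := []byte("0123456789abcdef")          // constructed key, not a real one
	segment := bytes.Repeat([]byte("TS"), 100) // constructed stand-in for .ts bytes
	ct, err := EncryptSegment(key, ImplicitIV(7), segment)
	if err != nil {
		return false, false, err
	}
	pt, err := DecryptSegment(key, ImplicitIV(7), ct)
	if err != nil {
		return false, false, err
	}
	wrongIV, err := DecryptSegment(key, ImplicitIV(8), ct)
	if err != nil {
		return false, false, err
	}
	roundTripOK = bytes.Equal(pt, segment)
	onlyFirstBlockCorrupt = !bytes.Equal(wrongIV[:16], segment[:16]) && bytes.Equal(wrongIV[16:], segment[16:])
	return roundTripOK, onlyFirstBlockCorrupt, nil
}
```

Two details are worth keeping in mind when reading this: pkcs7Unpad validates every padding byte rather than trusting the last one, which is what turns a wrong key or a truncated download into a clear error instead of trailing garbage; and a 16-byte-aligned segment still grows by a full block, so a decrypted segment that is exactly 16 bytes longer than expected is the sign that the padding strip was skipped.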

Limits vs DRM (no Widevine)

AES-128 in HLS is encryption, not DRM. The difference is enforcement. A DRM system like Widevine, PlayReady, or FairPlay relies on a trusted execution environment on the client device: a chip or kernel module that handles the decryption key without ever exposing it to ordinary application code. The license exchange is signed by hardware-rooted certificates.

Plain AES-128 has none of that. The key is a flat 16-byte file fetched over HTTP. If a client has permission to play the video, it can read the key from memory and decrypt the segments. This is why AES-128 is acceptable for course platforms with paid access (the cost of stealing is higher than buying access) but inadequate for premium Hollywood content that requires DRM-grade protection.

In practical terms, if your HLS playlist uses METHOD=AES-128 and a key URL you can fetch, a tool like Vidora can decrypt and download the stream. Our deep technical guide on AES-128 HLS download mechanics walks through the math step by step, and our action-focused walkthrough on downloading encrypted M3U8 covers the end-user workflow. If the playlist instead uses METHOD=SAMPLE-AES with a FairPlay keyformat or you see Widevine PSSH boxes in a DASH manifest, you have hit DRM and consumer tools cannot help.

Related reading