Skip to content
Welcome to the new, unified Livepeer documentation! πŸ‘‹
Upload encrypted VOD content

Encrypted VOD with Livepeer

Livepeer enables you to upload encrypted video content or import it from decentralized storages. It creates a playback URL that can have independent access control through playback policies.

Generate an encryption key

First, we generate a 256-bit encryption key to encrypt the file.

// Generate a random 256-bit key
const key = await window.crypto.subtle.generateKey(
    name: 'AES-CBC',
    length: 256,
  ['encrypt', 'decrypt'],
// Export the key as raw data
const keyData = await window.crypto.subtle.exportKey('raw', key);
// Encode the key in Base64
const keyBase64 = btoa(String.fromCharCode( Uint8Array(keyData)));

Encrypt your video using the encryption key

To encrypt a video file with the key we just generated, we follow these steps:

  1. Generate a random 128-bit initialization vector (IV).
  2. Pad the data using PKCS#7 padding.
  3. Encrypt the data using AES-CBC.
const iv = window.crypto.getRandomValues(new Uint8Array(16));
const encrypted = await window.crypto.subtle.encrypt(
    name: 'AES-CBC',
    iv: iv,
  key, // from generateKey or importKey above
  arrayBuffer, // ArrayBuffer of data you want to encrypt
// Concatenate IV and encrypted file into a new ArrayBuffer
const resultBuffer = new ArrayBuffer(iv.length + encrypted.byteLength);
new Uint8Array(resultBuffer).set(new Uint8Array(iv), 0);
new Uint8Array(resultBuffer).set(new Uint8Array(encrypted), iv.length);
const blob = new Blob([resultBuffer], { type: 'application/octet-stream' });

Currently Livepeer supports only video content encrypted using SubtleCrypto.encrypt (opens in a new tab) with AES-CBC algorithm, which is also the encryption used by other web3 protocols like Lit (opens in a new tab). It can implemented in other environments with regular AES-CBC encryption using PKCS#7 padding.

Retrieve the Livepeer Public Key

After obtaining an encryption key and encrypting a video file with it, the next step is to retrieve the Livepeer Public Key. This key will be used to encrypt our encryption key, which can then be shared with Livepeer when creating a video asset.

// Fetch the public key from Livepeer
const publicKeyResponse = await fetch(
    headers: {
      Authorization: 'Bearer XXXX-XXXXXX-XXXXXXX-XXXX',
const publicKeyData = await publicKeyResponse.json();
const publicKey = publicKeyData.spki_public_key;

Encrypt the encryption key

Now, we can use asymmetric encryption with the Livepeer Public Key to encrypt our Encryption Key. The resulting data is then encoded in base64 before being sent to Livepeer along with the video file.


The Web Cryptography API built into modern browsers does not directly support PEM or PKCS#1 formatted keys. It only supports the SPKI format for public keys and the PKCS8 format for private keys. In Javascript, you need to use the spki_public_key.

// Decode the SPKI public key from base64 and convert it to a buffer
const spkiPublicKey = atob(publicKeyData.spki_public_key);
const publicKeyBuffer = Uint8Array.from(atob(spkiPublicKey), (c) =>
// Import the public key
const publicKey = await window.crypto.subtle.importKey(
    name: 'RSA-OAEP',
    hash: { name: 'SHA-256' },
// Encrypt the key data with the public key
const encryptedKeyData = await window.crypto.subtle.encrypt(
    name: 'RSA-OAEP',
// Base64 encode the encrypted key data
const encryptedKeyBase64 = btoa(
  String.fromCharCode( Uint8Array(encryptedKeyData)),

Upload the video file or Import it from decentralized storages

We're all set to upload the video file.

When requesting an upload to the Livpeer API, you can simply add an encryption field with your encrypted key. Api Reference (opens in a new tab)


When uploading an encrypted video, specifying a playbackPolicy is required. You can still specify the type of the playback policy as public, but be aware that anyone with the playbackId or playbackUrl would be able to watch it.

// Request the upload URL
const response = await fetch(
    method: 'POST',
    headers: {
      Authorization: 'Bearer XXXX-XXXXXX-XXXXXX-XXXX',
      'Content-Type': 'application/json',
    body: JSON.stringify({
      name: 'File name',
      encryption: {
        encryptedKey: encryptedKeyBase64,
      playbackPolicy: {
        // Your playback policy
if (!response.ok) {
  alert('Error requesting upload URL');
const data = await response.json();
// Upload the encrypted file to the returned URL
const uploadResponse = await fetch(data.url, {
  method: 'PUT',
  body: encryptedFile,