blindcast encrypt takes a directory of plain HLS segments (.ts files + .m3u8 manifest), encrypts each segment with AES-128-CBC, and rewrites the manifest with EXT-X-KEY tags pointing at your key server.
Usage
Example
Flags
| Flag | Default | Description |
|---|---|---|
--content-id <id> | (required) | Unique identifier for this content. Used for key derivation. Alphanumeric, hyphens, underscores only. |
--key <hex> | $BLINDCAST_MASTER_KEY | Master key as hex string |
--salt <hex> | $BLINDCAST_SALT | Salt as hex string |
--out <directory> | <input>/encrypted | Output directory for encrypted files |
--key-server-url <url> | http://localhost:4100/keys | Key server URL written into the manifest’s EXT-X-KEY tags |
--json | — | Output results as JSON to stdout |
What happens
- Reads the
.m3u8manifest and all.tssegments from the input directory - Derives a content key from the master key using HKDF-SHA-256 with the content ID as info
- Encrypts each segment with AES-128-CBC using the content key and a derived IV
- Rewrites the manifest, adding
EXT-X-KEYtags withMETHOD=AES-128, the key server URL, and per-segment IVs - Writes encrypted segments and the rewritten manifest to the output directory
IVs
Each segment gets a deterministic IV derived fromSHA-256(contentId + ":" + segmentIndex), truncated to 16 bytes. This prevents chosen-plaintext attacks while keeping IVs reproducible (no random state to store).
Content ID rules
The--content-id value:
- Must be 1–256 characters
- Only alphanumeric characters, hyphens (
-), and underscores (_) - Is used as the HKDF info parameter — different content IDs produce different keys from the same master key
Preparing HLS segments
The CLI encrypts pre-existing HLS segments. To create HLS segments from a video file, use FFmpeg:segments/manifest.m3u8 with seg-0.ts, seg-1.ts, etc. Then encrypt them with blindcast encrypt ./segments --content-id my-video.