Skip to main content
blindcast encrypt takes a directory of plain HLS segments (.ts files + .m3u8 manifest), encrypts each segment with AES-128-CBC, and rewrites the manifest with EXT-X-KEY tags pointing at your key server.

Usage

Example

Flags

What happens

  1. Reads the .m3u8 manifest and all .ts segments from the input directory
  2. Derives a content key from the master key using HKDF-SHA-256 with the content ID as info
  3. Encrypts each segment with AES-128-CBC using the content key and a derived IV
  4. Rewrites the manifest, adding EXT-X-KEY tags with METHOD=AES-128, the key server URL, and per-segment IVs
  5. Writes encrypted segments and the rewritten manifest to the output directory

IVs

Each segment gets a deterministic IV derived from SHA-256(contentId + ":" + segmentIndex), truncated to 16 bytes. This prevents chosen-plaintext attacks while keeping IVs reproducible (no random state to store).

Content ID rules

The --content-id value:
  • Must be 1–256 characters
  • Only alphanumeric characters, hyphens (-), and underscores (_)
  • Is used as the HKDF info parameter — different content IDs produce different keys from the same master key

Preparing HLS segments

The CLI encrypts pre-existing HLS segments. To create HLS segments from a video file, use FFmpeg:
This creates segments/manifest.m3u8 with seg-0.ts, seg-1.ts, etc. Then encrypt them with blindcast encrypt ./segments --content-id my-video.