Shaka Packager supports fetching encryption keys from Widevine Key Server and PlayReady Key Server. Shaka Packager also supports Raw Keys, for which keys are provided to Shaka Packager directly.

Regardless of which key server you are using, you can instruct Shaka Packager to generate other protection systems in addition to the native protection system from the key server. This makes it easy to generate multi-DRM content.

Configuration options

General encryption options

--protection_scheme <scheme>
 Specify a protection scheme: ‘cenc’ or ‘cbc1’, or one of the pattern-based protection schemes ‘cens’ or ‘cbcs’.
--vp9_subsample_encryption, --novp9_subsample_encryption
 Enable / disable VP9 subsample encryption. Enabled by default.
--clear_lead <seconds>
 Clear lead in seconds if encryption is enabled.
--protection_systems <protection_systems>
 Protection systems to be generated. Supported protection systems include Widevine, PlayReady, FairPlay, Marlin, and CommonSystem (https://goo.gl/s8RIhr).

Widevine encryption options

--enable_widevine_encryption
 Enable encryption with Widevine key server. The user should provide either an AES signing key (--aes_signing_key, --aes_signing_iv) or an RSA signing key (--rsa_signing_key_path). This generates the Widevine protection system if --protection_systems is not specified. Use --protection_systems to generate multiple protection systems.
--enable_widevine_decryption
 Enable decryption with Widevine key server. The user should provide either an AES signing key (--aes_signing_key, --aes_signing_iv) or an RSA signing key (--rsa_signing_key_path).
--key_server_url <url>
 Key server url. Required for Widevine encryption and decryption.
--content_id <hex>
 Content identifier that uniquely identifies the content.
--policy <policy>
 The name of a stored policy, which specifies DRM content rights.
--max_sd_pixels <pixels>
 The video track is considered SD if its max pixels per frame is no higher than max_sd_pixels. Default: 442368 (768 x 576).
--max_hd_pixels <pixels>
 The video track is considered HD if its max pixels per frame is higher than max_sd_pixels, but no higher than max_hd_pixels. Default: 2073600 (1920 x 1080).
--max_uhd1_pixels <pixels>
 The video track is considered UHD1 if its max pixels per frame is higher than max_hd_pixels, but no higher than max_uhd1_pixels. Otherwise it is UHD2. Default: 8847360 (4096 x 2160).
--signer <signer>
 The name of the signer.
--aes_signing_key <hex>
 AES signing key in hex string. aes_signing_iv is required if aes_signing_key is specified. This option is exclusive with rsa_signing_key_path.
--aes_signing_iv <hex>
 AES signing iv in hex string.
--rsa_signing_key_path <file path>
 Path to the file containing PKCS#1 RSA private key for request signing. This option is exclusive with aes_signing_key.
--crypto_period_duration <seconds>
 Defines how often the key rotates. If it is non-zero, key rotation is enabled.
--group_id <hex>
 Identifier for a group of licenses.

Raw key encryption options

--enable_raw_key_encryption
 Enable encryption with raw key (keys provided on the command line). This generates the Common protection system if neither --pssh nor --protection_systems is specified. Use --pssh to provide custom protection systems or use --protection_systems to generate protection systems automatically.
--enable_raw_key_decryption
 Enable decryption with raw key (keys provided on the command line).
--keys <key_info_string[,key_info_string][,key_info_string]…>

key_info_string is of the form:


label can be an arbitrary string or a predefined DRM label like AUDIO, SD, HD, etc. Label with an empty string indicates the default key and key_id. The drm_label in Stream descriptors, which can be implicit, determines which key info is applied to the stream by matching the drm_label with the label in key info.

key_id and key should be 32-digit hex strings.

--iv <16-digit or 32-digit hex string>
 IV in hex string format. If not specified, a random IV will be generated. This flag should only be used for testing. The IV must be either 8 bytes (16 hex digits) or 16 bytes (32 hex digits).
--pssh <hex string>
 One or more concatenated PSSH boxes in hex string format. If neither this flag nor --protection_systems is specified, a v1 common PSSH box will be generated.
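
A pre-flight check for the constraints stated in the option descriptions above, as an added example (not part of Shaka Packager or its documentation). It handles only the `--name=value` spelling, and the colon-separated `label=…:key_id=…:key=…` layout of key_info_string is an assumption, since the form is not shown on this page; the sample arguments and key values are constructed.

```python
import re

HEX = re.compile(r"[0-9a-fA-F]+")
SCHEMES = {"cenc", "cbc1", "cens", "cbcs"}

def parse_flags(argv):
    """Collect '--name=value' and bare '--name' arguments; stream descriptors are skipped."""
    pairs = (a[2:].partition("=") for a in argv if a.startswith("--"))
    return {name: value for name, _, value in pairs}

def is_hex(value, digits):
    return len(value) in digits and HEX.fullmatch(value) is not None

def lint(argv):
    """Return findings for the constraints stated in the option descriptions."""
    f, out = parse_flags(argv), []
    if "protection_scheme" in f and f["protection_scheme"] not in SCHEMES:
        out.append("protection_scheme must be cenc, cbc1, cens or cbcs")
    if "aes_signing_key" in f and "rsa_signing_key_path" in f:
        out.append("aes_signing_key and rsa_signing_key_path are exclusive")
    if "aes_signing_key" in f and "aes_signing_iv" not in f:
        out.append("aes_signing_iv is required with aes_signing_key")
    if "enable_widevine_encryption" in f or "enable_widevine_decryption" in f:
        if "key_server_url" not in f:
            out.append("key_server_url is required for Widevine")
        if "aes_signing_key" not in f and "rsa_signing_key_path" not in f:
            out.append("Widevine needs an AES or RSA signing key")
    if "iv" in f:
        if not is_hex(f["iv"], (16, 32)):
            out.append("iv must be 16 or 32 hex digits")
        out.append("a fixed --iv is for testing only; omit it to get a random IV")
    # Assumed key_info_string layout: colon-separated name=value fields.
    for info in filter(None, f.get("keys", "").split(",")):
        fields = dict(p.partition("=")[::2] for p in info.split(":"))
        for name in ("key_id", "key"):
            if not is_hex(fields.get(name, ""), (32,)):
                out.append(f"{name} for label '{fields.get('label', '')}' must be 32 hex digits")
    return out

# Constructed sample: raw-key encryption with a fixed IV and a 31-digit key.
SAMPLE = ["in=video.mp4,stream=video,output=out.mp4", "--enable_raw_key_encryption",
          "--keys=label=:key_id=00112233445566778899aabbccddeeff:key=00112233445566778899aabbccddeef",
          "--iv=0123456789abcdef", "--protection_scheme=cbcs"]

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Running it on the sample reports the fixed IV and the short key; a release pipeline can fail the build whenever `lint` returns a non-empty list.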