It's not entirely necessary for the original aim of this project, but should be interesting to implement.
There should be an ability to mark a specific stream as requiring encryption. When a client first requests the manifest for that stream, a session ID and encryption key should be created (in memcache maybe?).
The manifest should then be rewritten to include:
- a URL the decryption key can be obtained from (as well as the IV etc.)
- a query string, including the session ID, appended to each segment reference
When a segment is requested, the session ID should be extracted and the key used to encrypt the segment on the fly before passing downstream.
The behaviour needs to be sane in terms of what happens if a session ID isn't included in the request for a segment (refuse to serve maybe?).
Also need to make sure that we don't generate a new session ID (and by extension, key) every time the manifest is re-requested.
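
A sketch of the manifest rewrite and session handling described above, as an added example rather than this project's code. It assumes an HLS media playlist with an `#EXT-X-KEY` tag, uses in-memory dicts in place of memcache, and omits the segment encryption itself; the `client_id` argument (for example a cookie value), the `sess` parameter and the `/key` URL are hypothetical names.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSIONS = {}   # session_id -> key material; dict stands in for memcache
BY_CLIENT = {}  # (client_id, stream) -> session_id, reused on manifest re-request

def get_session(client_id, stream):
    """Return this client's session for the stream, creating it only once."""
    sid = BY_CLIENT.get((client_id, stream))
    if sid not in SESSIONS:
        sid = secrets.token_urlsafe(16)
        SESSIONS[sid] = {"key": secrets.token_bytes(16),
                         "iv": secrets.token_bytes(16), "stream": stream}
        BY_CLIENT[(client_id, stream)] = sid
    return sid

def add_session(uri, sid):
    """Append sess=<sid> to a segment URI, keeping any existing query string."""
    parts = urlsplit(uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("sess", sid)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def rewrite_manifest(text, client_id, stream, key_url="/key"):
    sid = get_session(client_id, stream)
    iv = SESSIONS[sid]["iv"].hex()
    key_tag = f'#EXT-X-KEY:METHOD=AES-128,URI="{key_url}?sess={sid}",IV=0x{iv}'
    out, key_written = [], False
    for line in text.splitlines():
        if line.startswith("#EXTINF") and not key_written:
            out.append(key_tag)  # key tag must precede the first segment
            key_written = True
        elif line and not line.startswith("#"):
            line = add_session(line, sid)  # segment reference
        out.append(line)
    return "\n".join(out) + "\n"

def session_for_segment(request_uri, stream):
    """Return the session for a segment request, or None to refuse it."""
    sid = dict(parse_qsl(urlsplit(request_uri).query)).get("sess")
    sess = SESSIONS.get(sid)
    return sess if sess and sess["stream"] == stream else None

SAMPLE = """#EXTM3U
#EXT-X-TARGETDURATION:10
#EXTINF:10.0,
seg0.ts
#EXTINF:10.0,
seg1.ts?bitrate=800
"""
```

A caller would answer with an error status when `session_for_segment` returns `None`, and otherwise encrypt the segment with the returned key and IV before passing it downstream.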