You can specify encryption settings for any output files that you want to use for a transcoding job. This includes the output file and any watermarks, thumbnails, album art, or captions that you want to use.
You must specify encryption settings for each file individually.
Output Encryption
The encryption settings, if any, that you want Elastic Transcoder to apply to your output files. If you choose to use encryption, you must specify a mode to use. If you choose not to use encryption, Elastic Transcoder will write an unencrypted file to your Amazon S3 bucket.
(Required for file-level Encryption) Encryption Mode
The specific encryption mode that you want Elastic Transcoder to use when encrypting your output files individually. Elastic Transcoder supports the following Encryption Mode options:
• s3: Amazon S3 creates and manages the keys used for encrypting your files.
For more information, see Protecting Data Using Server-Side Encryption in the Amazon Simple Storage Service User Guide.
• s3-aws-kms: Amazon S3 calls AWS KMS, which creates and manages the keys that are used for encrypting your files. If you specify s3-aws-kms and you don't want to use the default key, you must add the AWS-KMS key that you want to use to your pipeline.
For more information, see Protecting Data Using Server-Side Encryption with AWS KMS-Managed Keys in the Amazon Simple Storage Service User Guide.
• aes-cbc-pkcs7: A padded cipher-block mode of operation.
• aes-ctr: AES Counter Mode.
• aes-gcm: AES Galois Counter Mode, a mode of operation that is an authenticated encryption format, meaning that a file, key, or initialization vector that has been tampered with will fail the decryption process.
If you chose one of the AES-encryption modes, you must also specify the following three values (all three must be base64-encoded):
• Encryption Key
• Encryption Key MD5
• Encryption Initialization Vector
If you chose one of the AES-encryption modes, and you want Elastic Transcoder to generate a 128-bit AES encryption key for you, do not specify values for the Encryption Key, Encryption Key MD5, or Encryption Initialization Vector. Once Elastic Transcoder has generated the key, you can retrieve the key by calling ReadJob. The key is not included in the CreateJobResponse object.
Important
For the AES modes, your media-specific private encryption keys and your unencrypted data are never stored by AWS; therefore, it is important that you safely manage your encryption keys. If you lose them, you won't be able to decrypt your data.
(Optional) Encryption Key
If you want Elastic Transcoder to generate a key for you, leave this field blank. Once Elastic Transcoder has generated the key, you can retrieve the key by calling Read Job. The key is not included in the Create Job Response object.
If you choose to supply your own key, you must encrypt the key by using AWS KMS. The key must be base64-encoded, and it must be one of the following bit lengths before being base64-encoded:
96 (AES-GCM only), 128, 192, or 256.
If you configured Elastic Transcoder to generate a key for you, Elastic Transcoder leaves this field blank in the Create Job response. To retrieve your generated data encryption key, submit a Read Job request.
For more information about encrypting your key with AWS KMS, see Encrypting and Decrypting Data in the AWS Key Management Service Developer Guide.
(Required if an Encryption Key is supplied) Encryption Key MD5
The MD5 digest of the key that you want Elastic Transcoder to use to encrypt your output file, and that you want Elastic Transcoder to use as a checksum to make sure your key was not corrupted in transit. The key MD5 must be encoded, and it must be exactly 16 bytes before being base64-encoded.
If Elastic Transcoder is generating your key for you, you must leave this field blank.
(Required if an Encryption Key is supplied) Encryption Initialization Vector
The series of random bits created by a random bit generator, unique for every encryption operation, that you want Elastic Transcoder to use to encrypt your output files. The initialization vector must be base64-encoded, and it must be exactly 16 bytes before being base64-encoded.
If Elastic Transcoder is generating your key for you, you must leave this field blank.
For more information, go to Initialization Vector.
(Video/Thumbnails Only) Watermarks
Information about the watermarks that you want Elastic Transcoder to add to the video during transcoding. You can specify up to four watermarks for each output. Settings for each watermark must be defined in the preset that you specify in Preset for the current output.
Watermarks are added to the output video in the sequence in which you list them in the job output—
the first watermark in the list is added to the output video first, the second watermark in the list is added next, and so on. As a result, if the settings in a preset cause Elastic Transcoder to place all watermarks in the same location, the second watermark that you add will cover the first one, the third one will cover the second, and the fourth one will cover the third.
For more information about watermarks, see Watermarks (p. 88).
Preset Watermark ID
The ID of the watermark settings that Elastic Transcoder uses to add watermarks to the video during transcoding. The settings are in the preset specified by Preset for the current output. In that preset, the value of Watermarks Id tells Elastic Transcoder which settings to use.
Input Key for Preset Watermark Id
The name of the .png or .jpg file that you want to use for the watermark. To determine which Amazon S3 bucket contains the specified file, Elastic Transcoder checks the pipeline specified by Pipeline; the Input Bucket object in that pipeline identifies the bucket.
If the file name includes a prefix, for example, logos/128x64.png, include the prefix in the key. If the file isn't in the specified bucket, Elastic Transcoder returns an error.