Iconik has implemented Digital Rights Management using Castlabs DRM. The implementation protects externally shared video content by packaging DRM-enabled streaming outputs (DASH + HLS) and issuing licenses at playback time via Castlabs DRMToday. DRM is applied to Shares, not to originals “at rest” in Iconik.

In practice, when DRM is enabled:

  • Share playback is restricted to the Iconik web player (no direct file download of the playable stream).
  • Access can be revoked by disabling the Share (license acquisition will fail).
  • DRM is supported on major browsers and on iOS (note that Safari and iOS require customers to provide their own FairPlay DRM credentials).

     

NB: DRM is a paid add-on available to Iconik Enterprise and Pro customers; it is not available by default. If you want to enable DRM as part of our Pro/Enterprise security add-on, contact your sales or customer success manager for more information and pricing.


When is DRM applied?

Protected

  • Share content (the proxy/stream served to recipients).
  • DRM enforcement is controlled by system settings and (optionally) user/group policies, and is applied to Share content, i.e. share proxies.

Not encrypted by DRM

  • Original files in Iconik are not DRM-packaged. Originals remain usable outside Iconik (downloads, external workflows) and are protected via authentication/authorization (ACLs, 2FA, etc.) rather than DRM.

User-facing configuration (Admin)

DRM is an admin-controlled setting surfaced in System settings alongside watermarking, as part of the “Enterprise security” section.

Key behaviours:

  • DRM is off by default.
  • When enabled, users see DRM/protection indicators in share-related UI (share creation modal, share lists, etc.).
  • The optional "Require Hardware DRM" setting allows output to external monitors while still preserving DRM controls over screen sharing, etc.

End-to-end flow (high level)

  1. Admin enables DRM in System settings.
  2. A user creates a share link for one or more video assets.
  3. Iconik generates/serves a DRM-enabled stream for the share:
    • Creates both Widevine and FairPlay outputs (DASH + HLS playlists).
    • Playback uses encrypted segments; the player requests a license during playback.
  4. During playback, the player:
    • Calls Iconik endpoints to obtain authorization + DRM playback context.
    • Requests a DRM license from Castlabs DRMToday using tokenized requests.
  5. Castlabs returns a license (or denies), and playback proceeds (or fails) accordingly.
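
A check an administrator could run on manifests saved from a DRM-enabled share, to confirm that the stream from step 3 is actually signalled as encrypted. This is an added example, not Iconik or Castlabs code. It assumes the DASH manifest carries the Widevine signalling and the HLS playlist carries the FairPlay key tag; the sample manifests and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Public, standard identifiers (DASH-IF Widevine system ID, Apple FairPlay KEYFORMAT).
WIDEVINE = "urn:uuid:edef8ba9-79d6-4ace-a3c8-27dcd51d21ed"
FAIRPLAY = "com.apple.streamingkeydelivery"
NS = "{urn:mpeg:dash:schema:mpd:2011}"

# Constructed samples, not captured from Iconik: audio is deliberately left clear.
SAMPLE_MPD = """<MPD xmlns="urn:mpeg:dash:schema:mpd:2011"><Period>
<AdaptationSet contentType="video">
  <ContentProtection schemeIdUri="urn:mpeg:dash:mp4protection:2011" value="cenc"/>
  <ContentProtection schemeIdUri="urn:uuid:EDEF8BA9-79D6-4ACE-A3C8-27DCD51D21ED"/>
</AdaptationSet>
<AdaptationSet contentType="audio"/>
</Period></MPD>"""
SAMPLE_HLS = """#EXTM3U
#EXT-X-KEY:METHOD=SAMPLE-AES,URI="skd://constructed-key",KEYFORMAT="com.apple.streamingkeydelivery"
#EXTINF:6.0,
seg0.ts
"""

def dash_protection(mpd_text):
    """List (label, widevine_signalled) for every AdaptationSet in a DASH MPD."""
    out = []
    for i, aset in enumerate(ET.fromstring(mpd_text).iter(NS + "AdaptationSet")):
        schemes = {cp.get("schemeIdUri", "").lower() for cp in aset.iter(NS + "ContentProtection")}
        label = aset.get("contentType") or aset.get("mimeType") or f"set{i}"
        out.append((label, WIDEVINE in schemes))
    return out

def hls_protection(m3u8_text):
    """Classify an HLS media playlist as 'fairplay', 'clear', 'mixed' or 'other'."""
    keys = []
    for line in m3u8_text.splitlines():
        if line.startswith("#EXT-X-KEY:"):
            attrs = dict(re.findall(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)', line[11:]))
            keys.append((attrs.get("METHOD", ""), attrs.get("KEYFORMAT", "identity").strip('"')))
    clear = [m for m, _ in keys if m == "NONE"]
    if len(clear) == len(keys):
        return "clear"          # no key tags at all, or only METHOD=NONE
    if clear:
        return "mixed"          # some segments are served unencrypted
    return "fairplay" if all(m == "SAMPLE-AES" and k == FAIRPLAY for m, k in keys) else "other"

def share_is_drm_packaged(mpd_text, m3u8_text):
    """True only if every audio/video AdaptationSet signals Widevine and HLS is FairPlay-keyed."""
    av = [ok for label, ok in dash_protection(mpd_text) if label.startswith(("video", "audio"))]
    return bool(av) and all(av) and hls_protection(m3u8_text) == "fairplay"
```

The constructed DASH sample fails the check because its audio track carries no protection signalling, which is the kind of packaging gap this check is meant to surface.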

Castlabs / DRMToday requirements

Widevine

  • No customer-specific certificates are typically required from the customer side (handled via Castlabs account/config).

FairPlay (customer action required)

For Apple FairPlay, customers must obtain and provide FairPlay credentials (FPS Deployment Package details) for their tenant. This is an Apple/FairPlay restriction, not one set by Iconik. The team can work with the customer to step through the requirements.

Customers will need to supply:

  • FPS certificate (.der/.cer)
  • Private key (.pem) + password
  • Application Secret Key (ASK)

Operational notes / troubleshooting

“Why doesn’t this work on Safari?”

Common causes:

  • FairPlay credentials not provided / misconfigured for the tenant.
  • Asset/share generated before a config change; re-generation may be required in some cases.

“Why is Chrome going to the wrong license server?”

  • Ensure the environment is returning the correct license server URL (staging vs prod), and pods have been restarted after config changes when needed.

Expected behaviour when access is revoked

  • License requests should fail and playback should stop / refuse to start.