Securing a video delivery pipeline requires coordinating multiple technical layers, including transcoding, encryption, key management, and license delivery, each of which introduces potential failure points if handled by disconnected systems. For OTT platforms, live sports broadcasters, and subscription services, gaps in any of these layers can result in unauthorized access, content redistribution and the kind of piracy that’s difficult to detect and act on quickly.
In fact, cumulative losses to piracy for U.S. streaming video providers are projected to surpass $113 billion by the end of 2027, according to research from Parks Associates. For platforms that distribute premium or live content, the exposure is concentrated: a single leaked stream from a high-value event can circulate across redistribution networks within minutes of going live. Technical controls at the pipeline level, such as encryption, watermarking, and real-time license monitoring, are the primary mechanism for limiting that exposure and enabling enforcement when leaks occur.
To show exactly how a fully secure video pipeline comes together in practice, DoveRunner partnered with Qencode for a hands-on webinar demonstrating how DoveRunner’s Multi-DRM and Forensic Watermarking integrate directly into the Qencode transcoding workflow.
The Problem with Stitching Tools Together
When transcoding, encryption and key management are handled by separate vendors, each integration point becomes a potential source of latency or misconfiguration. Debugging issues across disconnected systems is time-intensive, and coordinating real-time piracy response across multiple vendors adds operational complexity that can slow detection and action.
The DoveRunner and Qencode integration addresses this by combining transcoding and content security into a single coordinated workflow. Qencode handles source video ingestion, transcoding, packaging into HLS and DASH, and CDN delivery. DoveRunner manages encryption, license delivery, watermarking, and anti-piracy tooling. Because the two systems are pre-integrated, the handoffs between encoding and security happen without custom middleware or manual coordination.
Step One: Multi-DRM Encryption
Multi-DRM encryption is the baseline requirement for protecting video content across the range of devices and platforms viewers use today. It ensures that only authenticated players with valid licenses can decrypt and play protected streams, using DRM systems such as Widevine, PlayReady, and FairPlay depending on the device and browser environment.
Here’s how the encryption flow works in the DoveRunner and Qencode integration:
- The CMS or workflow pipeline calls DoveRunner’s Key Management Service (KMS) to retrieve encryption keys.
- Those keys are passed into Qencode, which transcodes, encrypts, and packages the content into DASH or HLS format and pushes it to the CDN.
- When a viewer initiates playback, their media player detects the encrypted content and sends a DRM license request to DoveRunner’s license manager.
- The license is returned, the content decrypts, and playback begins.
The entire exchange is transparent to the viewer and happens within the normal player startup sequence. In the webinar demo, this flow was triggered via a Python script that called DoveRunner’s CPX API to retrieve encryption keys and launch a Qencode transcoding job with DRM encryption enabled. Playback was then verified in the Qencode player using DoveRunner’s Widevine license endpoint and a generated license token. The integration also supports concurrent stream limiting and real-time analytics at the license level.
Step Two: Forensic Watermarking
Forensic watermarking embeds an invisible, session-specific identifier into every video stream, enabling leaked content to be traced back to the originating viewer session. The watermark is imperceptible during playback and is designed to persist through common post-processing operations such as cropping, transcoding, and re-encoding.
DoveRunner’s watermarking implementation has been validated through 155 independent tests conducted by a third-party auditor. The technical approach uses an A/B server-side watermarking model. During transcoding, Qencode produces two versions of the content: Variant A (symbol 0) and Variant B (symbol 1), each carrying a different embedded pattern. Both variants are identical in resolution, bitrate, and segment structure.
At playback, DoveRunner’s Session Manager API accepts a viewer identifier and returns a session URL that instructs the CDN to mix segments from Variant A and Variant B in a unique sequence for that session, producing a distinct binary fingerprint per viewer. Because segment mixing happens at the CDN edge rather than at encode time, the approach scales across large concurrent viewer counts for both live events and VOD without additional encoding overhead. It is also device-agnostic — no per-device integration is required, and it functions across browsers, mobile apps, and smart TVs using the same configuration.
In the webinar demo, forensic watermarking was enabled via a setting in the Qencode portal under transcoding configuration, with DoveRunner watermark credentials supplied. The output was two structurally identical HLS folders in the destination bucket, ready for CDN segment mixing. When suspicious content is identified, DoveRunner’s detection module can analyze an uploaded file or a live stream URL and extract the embedded session identifier, narrowing the source of a leak to a specific viewer session.
A Complete Pipeline
The DoveRunner and Qencode integration functions as a coordinated pipeline rather than a collection of independently managed tools. DoveRunner handles key management, license delivery, watermark session management, and leak detection.
Qencode handles transcoding, encryption, and packaging. The CDN manages segment mixing at the edge. Each component operates within a defined role, with handoffs between them handled through the integration rather than custom middleware.
For teams evaluating how to add content security to an existing Qencode workflow, the integration is available directly through the Qencode portal. DoveRunner’s Multi-DRM and Forensic Watermarking can be enabled without migrating to a new transcoding stack.
The companion guide from the webinar covers API references, sample scripts, and step-by-step setup instructions for both Multi-DRM and Forensic Watermarking within a Qencode workflow.