CENC — Common Encryption — is the standardised way to encrypt video files once so that multiple DRM systems can play them. Without CENC, you'd need a separate encrypted copy of every file for Widevine (Google), FairPlay (Apple) and PlayReady (Microsoft) — tripling your storage and complicating your pipeline. With CENC, the encryption itself is the same across all three, and only the license delivery differs per DRM. One encrypted file, three keys, every device.
The technical setup. CENC encrypts the video using AES (a standard, well-understood cipher) and packages everything in a CENC-compliant container — either MP4 with pssh boxes carrying license metadata or fragmented MP4 for CMAF streams. When a viewer's device plays back, it asks its DRM system (whichever one applies) for a license, decrypts the same content, and plays. The same encrypted segments stream over HLS or DASH equally well.
For a product team in 2026, CENC is the only sensible way to ship DRM video. Building a pipeline without it — one encrypted copy per DRM — is a costly mistake that some early streaming startups made and quickly regretted. Every modern packager (Shaka Packager, AWS MediaPackage, Bitmovin, Unified Streaming) emits CENC-encrypted output by default. The viewer-side license dance is then handled by whichever DRM SDK runs on their device, transparent to the content team. Practical recipe: encrypt once via your packager, configure Widevine + FairPlay + PlayReady license servers (or use a multi-DRM service like Axinom, EZDRM, BuyDRM that gives you all three through one API), done.
