Advanced Access Content System (AACS) is part of the Blu-ray DRM and it's an advanced and complex cryptic DRM that works by encrypting the content on the disc using a combination of symmetric and asymmetric key cryptography. AACS was created by a consortium of companies known as the AACS Licensing Authority (AACS LA), which includes major players in the entertainment and tech industry, such as Sony, Disney, Warner Bros. Intel, Microsoft, Panasonic, IBM, and Toshiba. 

Keys

The AACS cryptic system is overwhelmingly complicated to explain. The system employs digital signatures and a key revocation system to protect against unauthorized copying and distribution. It encrypts content under one or more title keys using the Advanced Encryption Standard (AES). To view a BD-ROM, the player must first decrypt the content on the disc. The decryption process is complex. 

The disc contains 4 items—the Media Key Block (MKB), the Volume ID, the Encrypted Title Keys, and the Encrypted Content. Think of the keys like the offline activation keys for DVD-ROM games, except the player is the one reading and activating them, not you. 

AACS decryption process

List of Keys in a Disc

Media Key Block (MKB)
Every commercial Blu-ray contains a Media Key Block (MKB)—a large cryptographic table (~1–4 MB) embedded in the disc’s lead-in area. It holds thousands of encrypted Device Keys and revocation data. When a licensed player inserts the disc, it uses its built-in Device Key to process the MKB and extract a Media Key. New MKB versions (e.g., v77+) are released yearly to revoke leaked or compromised keys, ensuring only authorized hardware can proceed. This is the first gate in AACS decryption.

Volume ID
The Volume ID is a unique 128-bit identifier physically etched into the disc’s Burst Cutting Area (BCA) during manufacturing—a tamper-proof ROM Mark that consumer burners cannot replicate. After solving the MKB, the player combines the Media Key with this Volume ID to compute the Volume Unique Key (VUK). Without reading the BCA, no decryption is possible—even with a valid MKB solution. This ties protection to the physical disc, not just data.

Encrypted Title Keys
Scattered across the disc’s file system are Encrypted Title Keys—one AES-128 encrypted key per movie, playlist, or bonus feature. These are useless until decrypted using the Volume Unique Key (VUK) derived earlier. Once unlocked, they yield the final Title Key, which acts as the direct password to unscramble the actual video and audio streams. This per-title encryption allows studios to protect different cuts or extras with unique keys—all on the same disc.

Encrypted Content
The movie itself—Encrypted Content—is stored as scrambled H.264, HEVC, or VC-1 video and Dolby/ DTS audio, encrypted in AES-128 using the Title Key. During playback, the player decrypts this data on-the-fly in real time, feeding clear streams to the output (HDMI, etc.). If any prior step fails (MKB, Volume ID, or Title Key), the result is unplayable digital noise. This final layer ensures no usable content leaves the player unencrypted.

Key Flow Summary for a Licensed Player

Device Keys (player) 
     ↓
MKB (disc) → Media Key → + Volume ID → VUK → Decrypt Title Key → Decrypt Content

Note: Only Device Keys are pre-installed in hardware. All others are derived per disc at playback. Leaked Device/Processing Keys enable tools like libaacs — but new MKBs revoke them.

 

 Here's an example of a BD-ROM title with unique keys for the 2007 U.S. release of Robocop:

• CPS Unit  Key (Title Key): 2CC3A36907E90C22E0B0B16856DB12AD121991EA
• Volume Unit Key: 98B02655F0A387AFDF636352875E0AB6
• Media Key: 5B90FE346BBF4CA41570D3F25CAD9B4A 

List of Keys in the Player

Device Keys
Device Keys are a set of 16 secret 256-bit cryptographic keys permanently burned into every licensed Blu-ray player or drive during manufacturing. Issued by AACS LA, they are unique per device model and never leave the hardware. When a disc is inserted, the player uses one matching Device Key to decrypt a hidden value inside the Media Key Block (MKB), yielding the Media Key. If the key is revoked (due to leaks), new MKBs simply ignore it—silently blocking playback. These keys are the only part of AACS that truly "belongs" to the player.

Example key: AA856A1BA814AB99FFDEBA6AEFBE1C04 

Processing Key
The Processing Key is a 128-bit key computed on-the-fly by the player while solving the MKB. It acts as an intermediate step: after using a Device Key to extract the Media Key, the player applies additional MKB data to derive the Processing Key. This key is used to decrypt the Encrypted Title Keys on the disc. Unlike Device Keys, it’s not stored—it’s regenerated per session. Leaked Processing Keys (shared online in KEYDB.cfg files) allow tools like libaacs to skip Device Key checks, but new MKB versions revoke them, breaking playback until fresh leaks appear.

Example key: 455FE10422CA29C4933F95052B792AB2 

Directory

The AACS Directory contains the Blu-ray's DRM AACS decryption files:

• Content001.cer: Content Certificate
• Content002.cer: Content Certificate
• ContentHash001.tbl: Content Hash Table
• ContentHash002.tbl: Content Hash Table
• ContentRevocation.lst: Content Revocation List (CRL)
• CPSUnit0000x.cci: CPS Unit Usage files.
• mcmf.xml: Managed Copy Manifest
• MKB_RO.inf: Read-Only Media Key Block.
• MKB_RW.inf: Read/Write Media Key Block.
• SKBx.inf: Sequence Key Block
• Unit_Key_RO.inf: AACS CPS Unit Key.
• DUPLICATE: Directory of duplicated AACS files.

Cracks

There have been several successful unauthorized cracks, including the very famous AACS encryption key controversy🔗 and PS3's compromised private key🔗 in 2007.

 Each year new keys are regularly published which makes this a game of cat and mouse for hackers. Here's the famous encryption key, one of the most banned numbers back in the day: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 . 

 A compromised player can still be used to view old discs, but not newer releases without encryption keys for a compromised player (using the Content Revocation list file). If other players become cracked, revoking access could result in legitimate users of compromised players needing to upgrade or replace their software or firmware to be able to watch new discs.

Many individuals who wish to watch BD-ROMs on their computer typically use either Windows or Linux in conjunction with the VLC player. Although the VLC player can successfully play older physical BD-ROMS (or unencrypted ISO files) with the use of older keys, it is unable to play newer ones without obtaining new keys. The process of obtaining these new keys can prove to be quite challenging.