# Deploying SPEKE
<a name="encryption-deploying-speke"></a>

Your digital rights management (DRM) solution provider can help you get set up to use DRM encryption in MediaPackage. Generally, the provider gives you a SPEKE gateway to deploy in your AWS account in the same AWS Region where MediaPackage is running. Along with configuring your origin endpoints with the right encryption settings, you must [configure event notifications](https://docs.aws.amazon.com/mediapackage/latest/ug/cloudwatch-events-notification.html) for the [key provider events](https://docs.aws.amazon.com/mediapackage/latest/ug/cloudwatch-events-example.html#key-provider-state-events) that MediaPackage is generating as CloudWatch Events. For information about configuring encryption settings for your endpoint, see the applicable section for your protocol: [HLS encryption fields](https://docs.aws.amazon.com/mediapackage/latest/ug/endpoints-hls-encryption.html), [MSS encryption fields](https://docs.aws.amazon.com/mediapackage/latest/ug/endpoints-smooth-encryption.html), [CMAF encryption fields](https://docs.aws.amazon.com/mediapackage/latest/ug/endpoints-cmaf-encryption.html), and [DASH encryption fields](https://docs.aws.amazon.com/mediapackage/latest/ug/endpoints-dash-encryption.html).

If you must build your own API Gateway to connect MediaPackage to your key service, you can use the [SPEKE Reference Server](https://github.com/awslabs/speke-reference-server) available on GitHub as a starting point.