Packaging options for encrypted PDFs

Since Acrobat 2.0 in 1994, encryption has been available to protect a PDF document – restricting who can open it and what they can subsequently do with it. Today, there are a number of packaging options for distributing one or more protected PDF files.

Adobe Acrobat and Adobe Reader support a number of encryption and key management systems for protecting a PDF:A. Shared Passwords: Publisher sets a password and the recipient(s) use that same password to open the document.B. Public Key Infrastructure (PKI): Publisher encrypts a document to one or more of the recipient public keys, which can be looked up in a directory or personal address book. Recipient can open the document by using their corresponding private key stored in software or in a hardware token.C. Enterprise Rights Management – Coupled with Adobe’s LiveCycle Rights Management, the author can specify a policy on a document and the recipients authenticate to their organization’s identity management system (LDAP/AD/Kerberos/PKI/etc). Policies can be mapped to an information classification system, like “Company Confidential” or “Insider Restricted”.Each of those mechanisms also support different keysizes (up to AES256) and permissions to restrict some subsequent user actions once the document is open – including modification, clipboard (copy/paste), and printing.Together, those key management and permissions options can be utilized in a few different scenarios to protect one or more documents:1. Persistently protect a single PDFBy opening the PDF in Acrobat, choosing one of the encryption options and corresponding permissions, the file is persistently protected for who can open it and what they can do with it. No matter how many copies of the PDF are made, or how they are stored or distributed, each copy of the PDF keeps the PDF protections in place. While it is technically challenging to prevent any file from being copied and redistributed, the protections attached to the PDF file stay with the document independent of storage and transport. That way, if it ends up somewhere it shouldn’t, the document is still protected from access.Click to see sample 1, the password is: password2. Transport only protection for documents as attachmentsIf you want to protect documents in transport, but don’t want or need the protection after they are received, you can use a PDF document as a protected routing envelope. One PDF can act as the container for other attachments – including PDF and non-PDF formats. By encrypting the outer PDF envelope, it acts as transport encryption for the envelope itself and all of the internal contents. Note that once protected, that outer envelope cannot be viewed without authenticating. Once the recipient authenticates to open that outer document, the envelope text is visible, attachments can be removed and no longer have protection.Click to see sample 2, the password is: password3. Transport protection with persistent protectionIf you want to send multiple documents together in a PDF envelope, and you want those PDF attachments to retain their protections after the outer PDF envelope is opened – then you should protect the PDF files individually before they are attached. You then have an option of encrypting the outer PDF envelope hosting the attachments. If you put something sensitive on that outer PDF envelope, then you should encrypt it. If you don’t care that the outer PDF envelope can be read, then only the individual attachments need be protected before going into that outer PDF envelope.Click to see sample 3a with viewable envelope, the password is: passwordClick to see sample 3b with protected envelope, the password is: password4. Intermittent transport protection of attachments in an envelopeOK, so we don’t have a catchy name for this scenario – but it is a good one. (internally we called it an eEnvelope) Let’s say you don’t want the envelope to be protected, because you want the recipients to see the sender/receiver and maybe even a digital signature on the the envelope. Then let’s say you don’t want the attachments to be persistently protected after they are received. BUT you do want there to be encryption while in transport over email, network, disc, USB token, etc. Yes, this is a possible scenario. First, open your outer PDF envelope. Then import your unencrypted attachments onto that envelope. Now, select the encryption mechanism for the outer PDF envelope and when it says “Select Document Components to Encrypt” – select “Encrypt only file attachments”. This leaves the outer PDF envelope unencrypted and visible but the attachments are encrypted only while attached. No authentication is required to view the first outer PDF envelope. When the recipient clicks to open any of the attachments, that’s when the authentication event takes place to decrypt. NOTE: Once the attachments are opened from the envelope – they are no longer protected! However, if you save the original envelope to your computer, that does keep the protections of the contents. So it’s up to the recipients whether they want to keep the envelope with protected attachments, or just extract the attachments and discard the envelope protection.Click to see sample 4, the password is: passwordThis last scenario is an ideal method for protecting electronic statements in PDF. Recipients can see an unencrypted view of the outside of the envelope, which can include a certifying digital signature attesting to authenticity and integrity of the envelope. Then the envelope is “opened” and the attachments decrypted so they can be stored locally in an unencrypted state. Somewhat similar to papers in a sealed and postmarked envelope.In summary, if you want to:* Protect envelope, with no persistent attachment protections – use scenario 2* Persistently protect attachments in protected or unprotected envelope- use scenario 3* Viewable envelope, with transport protection that’s not persistent to attachments – use scenario 4