Hack 52 Encrypt and Decrypt PDF (Even Without Acrobat)


Restrict who can view your PDF and how they can use it.

You can use PDF encryption to lock a file's content behind a password, but more often it is used to enforce lighter restrictions imposed by the author. For example, the author might permit printing pages but prohibit making changes to the document. Here, we continue from [Hack #2] and explain how pdftk [Hack #79] can encrypt and decrypt PDF documents. We'll begin by describing the Acrobat Standard Security model (called Password Security in Acrobat 6) and the permissions you can grant or revoke.

PDF file attachments get encrypted, too. After opening an encrypted PDF, document file attachments can be opened, changed, or deleted only if the owner granted ModifyAnnotations permission.

Page file attachments behave differently than document file attachments. Once you open an encrypted document, you can open files attached to PDF pages regardless of the permissions. Changing or deleting one of these attachments requires the ModifyAnnotations permission. Of course, if you have the owner password, you can do anything you want.


5.3.1 PDF Passwords

Acrobat Standard Security enables you to set two passwords on a PDF: the user password and the owner password. In Acrobat 6, these are also called the Open password and the Permissions password, respectively.

The user password, if set, is necessary for viewing the document pages. The PDF encryption key is derived from the user password, so it really is required. When a PDF viewer tries to open a PDF that was secured with a user password, it will prompt the reader to supply the correct password.

The owner password, if set, is necessary for changing the document security settings. A PDF with both its user and owner passwords set can be opened with either password, so you should choose both with equal care.

An owner password by itself does not provide any real PDF security. The content is encrypted, but the key, which is derived from the (empty) user password, is known. By itself, an owner password is a polite but firm request to respect the author's wishes. A rogue program could strip this security in a second. See [Hack #66] for additional rights management options.

5.3.2 Standard Security Encryption Strength

If your PDF must be compatible with Acrobat 3 or 4, you must use the weaker, 40-bit encryption strength. Otherwise, use the stronger, 128-bit strength. In both cases, the encryption key is created from the user password, so a good, long, random password helps improve your security against brute force attacks. The longest possible PDF password is 32 characters.

5.3.3 Standard Security Permissions

Set the user password if you don't want people to see your PDF. If they don't have the user password, it simply won't open.

You also have some control over what people can do with your document once they have it open. The permissions associated with 128-bit security (Acrobat 5 and 6) are more precise than those associated with 40-bit security (Acrobat 3 and 4). Tables 5-1 and 5-2 list all available permissions for each security model, and Figure 5-2 shows the permissions as seen through Acrobat. The tables also show the corresponding pdftk flags to use.

Table 5-1. Permissions available under 40-bit security

| To allow readers to . . . | Apply this pdftk permission |
|---|---|
| Print (pages are top quality) | Printing |
| Modify page or document contents, insert or remove pages, rotate pages or add bookmarks | ModifyContents |
| Copy text and graphics from pages, extract text and graphics data for use by accessibility devices | CopyContents |
| Change or add annotations or fill form fields with data | ModifyAnnotations |
| Reconfigure or add form fields | ModifyContents and ModifyAnnotations |
| All of the above | AllFeatures |


Table 5-2. Permissions available under 128-bit security

| To allow readers to . . . | Apply this pdftk permission |
|---|---|
| Print (pages are top quality) | Printing |
| Print (pages are of lower quality) | DegradedPrinting |
| Modify page or document contents, insert or remove pages, rotate pages or add bookmarks | ModifyContents |
| Insert or remove pages, rotate pages or add bookmarks | Assembly |
| Copy text and graphics from pages | CopyContents |
| Extract text and graphics data for use by accessibility devices | ScreenReaders |
| Change or add annotations or fill form fields with data | ModifyAnnotations |
| Fill form fields with data | FillIn |
| Reconfigure or add form fields | ModifyContents and ModifyAnnotations |
| All of the above, and top-quality printing | AllFeatures |


Figure 5-2. PDF Standard Security features, which help you control how readers use your document

Comparing these two tables, you can see that Assembly is a weaker version of ModifyContents and FillIn is a weaker version of ModifyAnnotations.

DegradedPrinting sends pages to the printer as rasterized images, whereas Printing sends pages as PostScript. A PostScript stream can be intercepted and turned back into (unsecured) PDF, so the Printing permission is a security risk. However, DegradedPrinting reduces the clarity of printed pages, so you should test your document to make sure DegradedPrinting yields acceptable, printed pages.

After setting these permissions and/or a user password, changing them requires the owner password, if it is set.
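The following added example, which is not part of the original hack or of pdftk, reads the encryption dictionary of a Standard Security PDF and reports which of the pdftk permissions from Tables 5-1 and 5-2 it grants. The /P bit values and the /R revision key are taken from the PDF Reference rather than from this page, and the sample bytes are constructed.

```python
import re

# Bit values come from the PDF Reference's standard security handler (brought
# in as an assumption; this page does not list them). The names are the pdftk
# permission flags from Tables 5-1 and 5-2.
PRINT, PRINT_HQ = 1 << 2, 1 << 11
COMMON = [(1 << 3, "ModifyContents"), (1 << 4, "CopyContents"),
          (1 << 5, "ModifyAnnotations")]
R3_ONLY = [(1 << 8, "FillIn"), (1 << 9, "ScreenReaders"), (1 << 10, "Assembly")]

# The dictionary that names the Standard handler, up to its closing ">>".
ENCRYPT_DICT = re.compile(
    rb"<<((?:(?!>>).)*?/Filter\s*/Standard(?:(?!>>).)*)>>", re.S)


def decode_permissions(p, revision):
    """Map the signed 32-bit /P value to pdftk permission names."""
    p &= 0xFFFFFFFF
    names = []
    if p & PRINT:
        # 40-bit (revision 2) has one print bit; 128-bit adds a quality bit.
        degraded = revision >= 3 and not p & PRINT_HQ
        names.append("DegradedPrinting" if degraded else "Printing")
    table = COMMON + (R3_ONLY if revision >= 3 else [])
    return names + [name for bit, name in table if p & bit]


def audit(pdf_bytes):
    """Report what a Standard Security PDF grants; None if none is found."""
    found = ENCRYPT_DICT.search(pdf_bytes)
    rev = found and re.search(rb"/R\s+(\d+)", found.group(1))
    perm = found and re.search(rb"/P\s+(-?\d+)", found.group(1))
    if not rev or not perm:
        return None
    revision = int(rev.group(1))
    granted = decode_permissions(int(perm.group(1)), revision)
    notes = []
    if revision < 3:
        notes.append("40-bit encryption (Acrobat 3/4 compatibility)")
    if "Printing" in granted:
        notes.append("top-quality printing: output can become unsecured PDF")
    return {"revision": revision, "permissions": granted, "notes": notes}


# Constructed sample: /P has the print, top-quality print and copy bits set.
SAMPLE = (b"%PDF-1.4\n7 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128\n"
          b"/P -1836 /O <00> /U <00> >>\nendobj\n")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The byte scan is enough for a quick audit; a full PDF parser is the safer choice when /O or /U are stored as binary literal strings.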

5.3.4 pdftk and Encrypted Input

When using pdftk on encrypted PDF documents, the owner password must be supplied. If an encrypted PDF has no owner password, the user password must be given instead. If an encrypted PDF has neither password set, no password should be associated with this document when calling pdftk.

Input PDF passwords are listed right after the input filenames, like so:

 pdftk <input PDF files> input_pw <input file passwords> ...

The file handles assigned in <input PDF files> are used to associate files with passwords in <input file passwords> like so:

 <input PDF handle>=<input PDF password>

For example:

 A=foopass 

Adding this parameter to our example in [Hack #51] produces:

 pdftk A=in1.pdf B=in2.pdf C=in3.pdf \
   input_pw A=foopass cat A1 B1-end C5 output out.pdf

5.3.5 Use pdftk to Encrypt Output

You can encrypt any PDF created with pdftk by simply adding encryption parameters after the output filename, like so:

 ... output <output filename> \
   [encrypt_40bit | encrypt_128bit] [allow <permissions>] \
   [owner_pw <owner password>] [user_pw <user password>]

Here are the details:


[encrypt_40bit | encrypt_128bit]

Specify an encryption strength. If this strength is not given along with other encryption parameters, it defaults to encrypt_128bit.


[allow <permissions>]

List the permissions to grant users. If this section is omitted, no permissions are granted. See Tables 5-1 and 5-2 for a complete list of available permissions.


[owner_pw <owner password>]

Use this parameter to set the owner password. It can be omitted, in which case no owner password is set.


[user_pw <user password>]

Use this parameter to set the user password. It can be omitted, in which case no user password is set.

Adding these parameters to our example in [Hack #51] yields this:

 pdftk A=in1.pdf B=in2.pdf C=in3.pdf \
   cat A1 B1-end C5 output out.pdf \
   encrypt_128bit allow CopyContents Printing \
   owner_pw ownpass
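A pre-flight check for these parameters, as an added example that is not part of the original hack or of pdftk: it builds the arguments that follow the input files and applies the rules stated on this page (permission names per strength, the 32-character password limit, the owner-password-only caveat, the Printing risk). The function name and warning texts are assumptions made for illustration.

```python
PERMS_40 = {"Printing", "ModifyContents", "CopyContents",
            "ModifyAnnotations", "AllFeatures"}          # Table 5-1
PERMS_128 = PERMS_40 | {"DegradedPrinting", "Assembly",
                        "ScreenReaders", "FillIn"}       # Table 5-2
VALID = {"encrypt_40bit": PERMS_40, "encrypt_128bit": PERMS_128}


def encrypt_args(output, strength="encrypt_128bit", allow=(),
                 owner_pw=None, user_pw=None):
    """Return (args, warnings): the pdftk arguments from 'output' onward."""
    if strength not in VALID:
        raise ValueError(f"unknown encryption strength: {strength}")
    bad = [p for p in allow if p not in VALID[strength]]
    if bad:
        raise ValueError(f"not available with {strength}: {', '.join(bad)}")
    for label, pw in (("owner", owner_pw), ("user", user_pw)):
        if pw is not None and not 1 <= len(pw) <= 32:
            raise ValueError(f"{label} password must be 1 to 32 characters")

    warnings = []
    if not user_pw:
        # Section 5.3.1: the key is then derived from the empty user password.
        warnings.append("no user password: anyone can open the file, and "
                        "the permissions are only a request")
    if strength == "encrypt_40bit":
        warnings.append("40-bit strength: use only for Acrobat 3/4 readers")
    if {"Printing", "AllFeatures"} & set(allow):
        warnings.append("top-quality printing granted: print output can be "
                        "turned back into unsecured PDF")

    args = ["output", output, strength]
    if allow:
        args += ["allow", *allow]
    if owner_pw:
        args += ["owner_pw", owner_pw]
    if user_pw:
        args += ["user_pw", user_pw]
    return args, warnings


if __name__ == "__main__":
    # The command shown above, rebuilt and checked.
    args, notes = encrypt_args("out.pdf", allow=["CopyContents", "Printing"],
                               owner_pw="ownpass")
    print("pdftk A=in1.pdf B=in2.pdf C=in3.pdf cat A1 B1-end C5", *args)
    for note in notes:
        print("warning:", note)
```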

5.3.6 Simply Encrypting or Decrypting a File

The previous examples were in the context of [Hack #51]. Here are examples of simply adding or removing encryption from a single file:


Encrypting a single file
 pdftk A=input.pdf output encrypted.pdf \
   encrypt_128bit allow CopyContents \
   owner_pw foopass


Decrypting a single file
 pdftk A=encrypted.pdf input_pw A=foopass output decrypted.pdf 

PDF Hacks: 100 Industrial-Strength Tips & Tools
ISBN: 0596006551
Pages: 158
Authors: Sid Steward
