How to protect a PDF securely

Why Adobe PDF password protection is useless & secure DRM alternatives.

PDFs were created to be highly shareable, and they have succeeded in that mission.  Adobe estimates that billions of PDF files are created each day, with many of them shared via email, uploaded to a cloud storage service, or sent via a workplace chat app.  What PDFs have not succeeded in, however, is security.  In their default form (and when password protected), the contents of a PDF file can easily be read, modified, copied, and stolen.  Today, we’ll show you how to protect a PDF to mitigate this risk.

   What is PDF protection?

PDF protection refers to measures applied to a PDF to restrict who can view, edit, and copy the document.  This usually includes encryption, which is used to make the file unreadable to those without a valid password or certificate.

There are two primary types of PDF protection:

1. Adobe PDF protection or similar software which uses passwords to protect PDF files
2. PDF DRM

It’s key that you understand the difference between these types so you can make an informed decision about what’s best for you.

The first thing you should recognize is that Adobe PDF should not be used for PDF protection outside of a casual setting.  It definately should not be used for the protection of sensitive or confidential documents.  As well as using outdated and fallible password protection, flaws in its protection mechanisms make it trivial to remove any printing, editing, and copying restrictions and watermarks.  Its password-based decryption provides surface-level security that only really acts as a deterrent for non-technical users.

Locklizard’s PDF DRM uses much more advanced protection mechanisms that do not require the use of a password and cannot be removed by third-party software.  Strong encryption, combined with a secure viewer application and a licensing and transparent key management system ensures only those authorized can view, copy, or print the contents of a PDF – no matter where the document is published.

As only the latter will provide any real protection to a PDF, it’s what we’ll be focusing on today.  However, we will briefly show you how to protect a PDF with Adobe Acrobat protection to better explain its flaws.

  Creating a password protected PDF with Adobe Acrobat

Though it has many flaws, applying password protection with Adobe Acrobat is at least relatively simple.  After opening your document in the software, perform the following steps to password-protect a PDF:

1. Press the shield icon in the right sidebar of Adobe Acrobat.
   
2. Press “Advanced Options” in the top bar, then “Security Properties”.
   
3. Set the “Security Method” to “Password Security” and press “Change Settings…”.
   
4. Add a Permissions and/or Open Password.  Make sure you choose a strong password.
   
5. Press “File > Save as…” to encrypt and save the protected PDF.
   

Why Adobe PDF password protection is ineffective

The big issue when you password protect a PDF is how the document open and document permissions system works.  In summary:

1. Users can share the open password with others, or just remove it once they know it.  If they don’t know it, then the open password needs a paid tool to brute force and crack it.
2. Once a user knows the open password, they can remove the permissions password by uploading the protected PDF to a freely available online tool.  Or they can just use a PDF reader application that ignores these permissions.  This means that you’re handing anybody who you let open the PDF document full control over it, including printing, editing, and copying and removal of watermarks.

As a result, Adobe PDF encryption is only a protection against unauthorized viewing, and a flimsy, password-based one at that.  There is also evidence to suggest that relying on password-protected PDFs could negatively impact an organization’s overall security posture.  Bad actors such as Kremlin-backed hacking group Star Blizzard have used password-protected PDFs to bypass email filters.  These PDF documents typically contain exploits for Adobe Reader that enable the download of malware such as MiniDuke, which is used to exfiltrate data and install secondary malware.

   Creating a protected PDF with Locklizard

Creating a protected PDF with Locklizard is as simple as Adobe Acrobat yet provides a much higher level of protection and far more modularity in its restrictions.  Here’s how to protect a PDF from editing and copying using Safeguard DRM software:

1. Right-click on a PDF on your desktop and select “Make secure PDF”.
   
2. Protect the PDF from copying by ticking the relevant controls.  We recommend that you add a watermark to discourage sharing.  Safeguard creates permanent dynamic watermarks that identify users.
   
3. Locklizard PDF will automatically protect a PDF reader from copying text and images, but you may want to take additional steps to protect your PDF from screen capture.  Without screen capture protection, a user can screengrab your PDF and import it into an optical character recognition tool to make the text editable.  To prevent this, open the “Environment Controls” tab and tick “Disallow screen capture” and optionally “Add screen mask” which covers the viewer window with an image if focus is moved away from it.
   
4. Press the “Publish” button at the bottom of the dialog.
   
   Locklizard will automatically protect a PDF from editing on publication for anybody who has access to it.  This restriction cannot be bypassed, and as the user cannot make a copy of the document, they won’t be able to clone it and edit that, instead.  On publication, your document will output to its source folder in the .pdc file format and you can safely share it knowing that nobody can access it without a valid license.
5. Add a user account and send them their license via the Safeguard admin portal.
   
   With the PDF published, you’ll need to send your recipients the encrypted .pdc file, alongside a download link for the secure PDF reader application and a valid license.  The simplest way of doing so is by ticking “Email license” when you add a new user.  See how to add a new user and grant them document access.

  How to protect a PDF from printing with Locklizard

As well as preventing copying of a PDF, you may want to protect the PDF from printing.  Or you may want to allow limited or degraded printing but prevent printing to a PDF.  By selecting a PDF printer as their output rather than a physical printer, malicious users can bypass PDF protections by creating a replica of the original document.

When you protect a PDF with Locklizard, printing to a PDF is automatically disabled, as is printing to common image printers.  Locklizard also allows you to go further with print restrictions by disabling printing entirely or limiting to a defined number of prints (high quality or degraded).  Enforced by the secure viewer application, these protections cannot be removed.  Here’s how to apply them:

   How to disable printing of a PDF

If there’s little reason for users to print your PDF, you can disable the function entirely when you protect your PDF from printing in the PDF writer software.  This is the best way to prevent unauthorized distribution of your documents, as it prevents a user from printing your document and re-scanning it.:

1. Right-click your PDF and select “Make secure PDF”.
   
2. Open the “Printing and Viewing” tab and untick “Allow printing”.
   
3. Apply any additional security controls and press “Publish” at the bottom of the Writer window.
   

   How to limit a PDF to a number of prints

If a recipient does need to print your document, there’s little reason to allow them to do so an unlimited number of times.  Locklizard allows you to specify the number of prints and have either printing or complete document access removed after that quota is met.  Here’s how you can achieve that:

1. Right-click your PDF and select “Make secure PDF”.
   
2. Open the “Printing and Viewing” tab and tick “Allow printing”.
   
3. Tick “Limit number of copies to” and enter a number.
   
   Remember, this number will apply to each user, not per document.
4. Choose whether to enable additional print protections.
   
5. If you wish, you can disable access to the document after it has been printed by ticking “No access after print copies depleted”.   You may also want to change the following options:
   • Operating systems that can print:  This setting allows you to restrict printing to Windows or macOS for additional security.
   • Enforce color:  Allows you to restrict printing to black and white or grayscale on Windows PCs.
   • Log print requests:  Each time a user prints, their IP address, email, and the time of printing will be saved to the “Activity logs” section of the Safeguard Enterprise admin portal.
6. We recommend that you add a Print watermark using dynamic variables to protect your PDF from being photocopied and distributed.

   Additional Locklizard PDF protection features

As well as the copy protection features mentioned above, you can use Safeguard PDF DRM to apply the following security:

• Copy / paste and edit restrictions
• Permanent and dynamic digital & print text and image watermarks
• Track document opens and prints
• Limit access to specific devices
• Limit access to specific locations
• Expire the PDF on a date, after a number of days, or after a number of opens or prints
• Revoke access after distribution

These additional controls deliver even more flexibility when it comes to PDF protection, allowing businesses to not just protect sensitive documents effectively, but protect them in the way that works best for their environment.  You can even change PDF security settings after sending or distribution.

When comparing Locklizard DRM to Adobe protection and other software that uses PDF passwords, it’s clear that there’s little competition.  Rather than paying license fees for demonstrably ineffective copy protection, organizations should consider software that is purpose-built to keep their PDF files safe.

To protect your PDF files from unauthorized access, sharing, copying, editing and printing, take a 15-day free trial of our PDF DRM software.