How to send a secure PDF file or attachment by email

What’s the safest way to send a PDF securely via email?

How to send secure PDF attachments securely via email.  Why TLS, password & certificate encryption and Adobe permissions fail to adequately protect PDF files for sharing.

Securely sending PDF files

Whether you’re transferring a PDF file from one location to another via USB stick or over the Internet, the simple fact is that it may be intercepted along its route.  As a result, careful thought must be put into the protection applied to your PDF files and the methods used to share them.  Today, we’re going to teach you how to securely send PDF files as attachments to an email and discuss some misconceptions surrounding the topic.  Specifically, we’ll cover:

1. Is sending a PDF via email secure?
2. Can you prevent forwarding, copying, printing, sharing of an email attachment?
3. How to encrypt a PDF file for email
4. How to send a secure PDF attachment via email using PDF DRM
5. How to send a password protected PDF
6. What’s the safest way to send a PDF securely?

  Is sending a PDF via email secure?

A question many users have is whether sending a document in PDF format via email is secure.  Though many present this as a simple yes/no answer, the truth is that it depends entirely on the measures you take to protect your PDF.

One misconception surrounding the topic is that Gmail’s in-built TLS encryption is enough to keep your PDF safe from being accessed by unauthorized uses.  This assumption has some major flaws.

1. Standard TLS encryption in email requires the recipient to also have TLS.  Therefore, if your recipient’s email provider or client does not have TLS, no protection will be applied to its contents or attachments.
2. While TLS protects documents in transit, it’s not end-to-end encryption.  Your information can therefore still be intercepted in the mail server and read by others.
3. TLS provides zero protection once a recipient receives the file.  As soon as they receive it, they’re free to edit or share it at will.

You should also bear in mind that though you might know how to unsend an email in Outlook and Gmail, these built-in features have major limitations.  If you sent a sensitive PDF to the wrong person without additional protection, you’re likely out of luck.

What about Gmail confidential mode?

Gmail’s confidential mode offers a different approach to secure email.  Rather than encryption, it removes the option to copy, print, and download emails/attachments while enabling users to set an expiry date.  The only problem is that it doesn’t really work:

1. Though Confidential mode disables the UI to copy, print, and download in the browser, users can still Right-click > Save as, print via Ctrl + P, or screenshot.
2. Ticking a few boxes in Firefox’s style editor will also let you bypass the controls quite easily.
3. Attachments are not protected at all.
4. Emails aren’t protected end-to-end, opening companies up to man-in-the-middle attacks.
5. Your emails are stored even after they expire (as evidenced by the fact they hang around in your ‘Sent’ folder.

Gmail confidential mode doesn’t provide any real protection then — just the illusion of it.

Can you prevent forwarding, copying, printing, sharing of an email attachment?

Many systems claim to protect email attachments from forwarding, copying, printing and sharing, but most of them are not effective.  On the most basic level, you could stop all files with the “.pdf” extension from being added to emails in your corporate email software. But all users have to do to bypass this is change the extension to “.png” or encrypt the PDF.

As a result, many businesses turn to anti-forwarding tools in popular email clients, as well as DLP solutions and attachment expiry solutions.  Unfotunately, these also fail to prevent sharing.  We’ll take a quick look at these in more detail:

   Can I send password protected PDF in Outlook/Gmail?

When emailing PDFs, it’s common to apply Adobe Acrobat password protection before sending them.  Email clients do leave such protections intact, but it’s important to understand the limitations of the method:

• PDF permissions passwords (the ones that stop editing, printing, copying) can be removed in seconds with free online tools.
• PDF open passwords can be cracked using brute force methods or the recipient can remove them after opening and share the unprotected document.
• You need to find a way to safely communicate each PDF password and secure store them incase the recipient loses it.

In other words, PDF password protection provides some protection when documents are in transit and at rest, but it doesn’t stop sharing, editing, or forwarding.

  “Do not forward” in Outlook

Outlook’s “Do Not Forward” feature is often misunderstood.  Microsoft claims that it prevents the forwarding, printing, and copying of emails, and that Microsoft Office documents inherit the same restrictions.

Just like Gmail confidential mode, however, things get muddier once you research further.  Firstly, users need a Microsoft account to view attachments, which is impractical when sharing with third parites.  More importantly, the actual controls applied are “Edit Content, Edit, Save, View, Open, Read, and Allow Macros”.  In other words, there are no forwarding, copying, or printing controls.  Users can download your attachment, copy the content from it, print it, and share it.  As Microsoft itself says:

“If you want different usage rights for an attachment, or your attachment is not an Office document that supports this inherited protection (i.e. PDF), protect the file before you attach it to the email.”

   What about email DLP solutions?

Data loss prevention (DLP) solutions are often billed as the be-all and end-all of email security.  They promise to prevent sensitive data in email attachments from being lost, leaked, misused, or accessed by unauthorized users.  However, aside from their significant expense, DLP solutions are inconsistent by their nature.  DLP works by searching outgoing information and identifying sensitive content.  It then applies pre-configured policy rules that can be used to block forwarding, printing, saving, etc, as well as flag the situation for review.

The problem with this approach is that its effectiveness is highly dependent on how reliable your searches are and how well you can enforce policies.  Automatic content identification is never going to be 100% accurate, and sensitive information often needs to be shared with third parties.  You must distinguish and make exceptions for this while accepting that most DLP solutions won’t be able to apply controls effectively outside of your enterprise.  Even inside the enterprise, most DLP solutions fail to prevent third-party screenshot tools and more.

   Do expiring email attachments work?

Email expiry attachment is another way to provide some protection against misuse.  The longer a sensitive document is available to a user, the more opportunity they have to share, modify, or save it.  It’s popular, therefore, to send an attachment as a link that expires after a certain date or number of views.

But there is one key thing to understand about attachment expiry: you must be able to stop the user from making an unprotected copy of the document.  Most solutions try to achieve this by providing access only in the browser and then disabling downloading, printing, etc. using JavaScript.  As we have learned from Google confidential mode, this is not an effective approach, as there are simply too many ways to bypass browser security and make copies.

Another approach is to pay for Microsoft’s Azure Information Protection for expiry.  However, as we have covered in how secure is Azure Rights Management, that comes with its own issues.  Any user that can view a document can use freely available tools to remove its editing, copying, and printing protections.

Broadly, then, we can draw the same conclusion from all three of these options.  The only way to share attachments securely is by individually protecting documents with DRM encryption.  Otherwise, sensitive information will be missed, controls will bypassed, or users will create unexpiring copies.

  How to PGP encrypt a PDF file for email

A popular approach is encrypting the PDF itself, whether it’s through a product such as Adobe Acrobat or using end-to-end PGP encryption.  If you use Open PGP software such as ArticSoft FileAssurity, you can encrypt PDF attachments and message text.

Sending a PDF securely via email with ArticSoft PGP encryption

While this is definitely an upgrade to TLS, protecting your files in transit and at rest, it still doesn’t address what happens after the user receives it.  These methods to protect a PDF use a certificate, and once the PDF file has been decrypted by the user, it can easily be shared with others for full access.

This is also true of password protection, which also has another major problem – how do you send the password securely to others?  You also need to make sure you use a strong password otherwise it can be easily cracked.  See why you should not password protect PDF files.

So, if a password-protected PDF or even certificate encryption is not enough to fully protect your PDF file, what is?

  PDF encryption without passwords or certificates

If you can make a file useless to unauthorized parties, it does not matter if it is shared or forwarded.  A PDF DRM solution like Locklizard encrypts PDF files without passwords so that they cannot be easily broken or cracked.  Instead, users are provided with a limited-use license. After installing the license, decryption keys are transmitted to the device it is installed on and then locked to it.  In other words, users can share the PDF with others, but it will be useless unless they have been provided a valid license.  None of this would work however if Locklizard didn’t also address the final piece of the puzzle: controlling what the user does with the PDF after it has been decrypted and opened.

Locklizard enables you to send PDF files securely and control their use:

• Prevent changes – restrict PDF editing and modifying
• Stop copying and copy/paste
• Disable PDF printing or enable secure prints
• Stop screenshots by preventing the use of screen grabbing software
• Expire PDF files automatically on a set date, after a number of days or opens
• Lock PDF files to devices and locations
• Prevent saving to unprotected formats
• Add dynamic watermarks that are permanent
• Secure PDF forms – stop form fields from being changed and form data altered after submission
• Track PDF opens and prints
• Revoke access at any time

Locklizard encrypts PDF files without passwords (there are no passwords for you to manage or users to enter) so they cannot be easily broken or cracked.  Unlike other rights management systems, we don’t use complex certificate based PKI systems either as they are cumbersome to manage.  Instead we use a transparent key licensing system which securely delivers decryption keys to authorized users devices and ensures they cannot be shared by locking them to the device.

  How to send a secure PDF attachment via email using PDF DRM

Here’s how to create a secure PDF file with encryption and DRM controls, and send a secure PDF via email (as a secure PDF attachment) using Locklizard Safeguard PDF DRM Security software.

1. Install Safeguard Writer, then right-click on your PDF and select “Make secure PDF”.
   
2. Open the “Document Access” tab and choose “Selected customers”.
   
3. Choose the DRM controls you want to enforce.
   

   Creating a secure PDF file using Locklizard Safeguard PDF DRM

   Move through the tabs of Safeguard PDF Writer and add any DRM controls you want to apply to your document.  By default, Locklizard secure PDF files cannot be edited, copied and pasted, printed, or saved as unprotected PDF files.  If you enable printing then we stop users printing to file drivers such as PDF and other unprotected file formats (otherwise they could remove the security).  Here are a few of the DRM controls that are available:

   • Printing and viewing limitations:  control how many times the document can be opened or printed, allow only degraded printing, or disable printing.
   • Screenshot blocking:  stop users using print screen or screen grabbing tools to take high quality screenshots of document content.
   • Expiry date:  there’s often little need to have a document available until the end of time and document retention policies may actually state this.  The longer a document is in the open, the more chance it has of being shared.  Applying PDF expiry allows you to reduce that time, either from the first open or preventing access once a specific date has been reached.
   • Watermarking:  dynamic watermarks identify individual users, both as a deterrent for copying (photos or photocopies) and help track down the source of any leaks.

4. Press the “Publish” button at the bottom of the dialog to protect the PDF file.
5. Now grant a user access to it.  Open your Safeguard administration system and log in.
   
6. Open the “Customers” tab and press “Add” in the sidebar.
   
7. Enter the user information and click on the “Set Document Access” link in the “Manage Access” section.
   
8. Select your document and press “OK”.
   
9. Press the “Add” button on the customer account.

   Keep the “Email license” checkbox checked to have the license file emailed to the user’s email address that you have entered.  The user will be sent an email with their license key and instructions on how to download the secure PDF viewer software.  You can also choose to untick ‘Email license’ if you’d like to share this information with them via other means.

  How to send a PDF securely by email

Once users have installed the secure Viewer software and registered their license file, you can securely send PDF files to them via email (as a secure PDF attachment) and be sure that only they can open them.

Just select the protected PDF file (.PDC file) and attach it to your email message.

Emailing a secure PDF attachment that has been protected with Safeguard PDF Security

Of course, you can also share the protected PDF file via your favorite workplace chat app, cloud storage, or another document-sharing solution.  As only the recipient has authorized access, nobody else will be able to open the secure PDF document.  For more information on cloud storage sharing see – How to share PDF as a link.

If you want to prevent users opening the secure PDF file outside certain locations (such as the office) you can add country and IP restrictions in the Safeguard Admin System.

  How to send a password protected PDF

As mentioned earlier, password-protected PDF encryption has inherent flaws and should not be used in a business environment.  However, if you have little choice, we can at least guide you on how to send a password-protected PDF in the least risky way possible.

Encrypting a PDF with a password using Adobe Acrobat

6 Tips for sending a PDF securely via email

1. While you don’t need to download a solution to password-protect a PDF, uploading sensitive documents to a remote server isn’t typically the best idea since you have no control over them or any temporary files created.  PDF encrypt is an example of an open-source, free app that you can run locally to encrypt documents using a password.
2. If you must use a password-based system, make sure your password is secure.  An 8-character password with no numbers can be brute-forced in 0.19 milliseconds.  Adding numbers or symbols significantly increases that time.  However, for this to hold true, your password must still avoid popular words and numbers like dates or “123” otherwise the password will be easily broken by a password cracker that tries commonly used passwords and dictionary attacks.
3. Agree beforehand the method you are going to use to send the password securely to others such as a secure text messaging or secure email app.
4. Once you have encrypted your PDF, you should ideally send and share it only with those you have some degree of trust in.  It’s definitely not recommended to share password protected PDF files outside of your organization.  Make no mistake, a strong password on your PDF will still only slow someone down.
5. Most importantly, don’t rely on PDF permissions to prevent editing or printing.  There are many methods users can use to easily remove these, from using third-party tools, to simply uploading PDF files to Google Drive to bypass PDF restrictions.
6. When you do send the PDF, it’s best to do everything you can to avoid interception by a third-party.  As a result, an end-to-end encrypted filesharing, email, or messaging service may be better suited.

  What’s the safest way to send a PDF securely?

We hope this guide has provided some clarification on whether sending a PDF file via email is secure and how to securely send PDF files as attachments.  In summary:

1. While sending a password-protected PDF is convenient, the method provides very little real-world protection unless you use a long and strong password and have a secure method of sharing it with others.  See 10 Reasons NOT to password protect PDF files.
2. Using certificates is a better way to send a PDF securely since you don’t have to worry about password transmission, but certificate encryption also has its issues.  We explore the pros and cons of password vs certificate encryption in this article – What is best, certificates or passwords for PDF encryption?
3. Adobe PDF restrictions or permissions to restrict editing or disable printing are useless since they can be easily ignored or removed.  See How to remove PDF passwords and restrictions.
4. Using PDF DRM to create a secure PDF attachment is the safest way to send a PDF securely by email.  This is because you can stop unauthorized users from viewing the PDF, prevent additional distribution AND control how it can be used.

If you are currently sending password encrypted documents via email, we strongly recommend you switch to a PDF DRM solution so you don’t have to worry about key management.  As well as eliminating antiquated authentication systems, a PDF DRM solution like Locklizard Safeguard provides a wide range of DRM controls you can use to ensure your PDF’s safety after it reaches the intended recipient.  Not only does Locklizard enable you to send a PDF securely, it enables you to create a secure PDF that can’t be edited, copied or shared with unauthorized users.

If you want to send PDF files securely, stop sharing, and enforce edit, print, expiry and copy protection restrictions then take a free 15 day trial of our DRM software.

   FAQs

Can email encryption software be used to send documents in PDF format securely?

Yes.  But email encryption software only protects the document when it is in transit and at rest (sitting unopened on a PC).  Once a user decrypts and opens the document, they can do whatever they like with it, including saving an encrypted version that they can pass on to others, editing it, etc.

If you need to protect the contents of a document from copying, editing, printing, screenshots, or prevent unauthorized sharing, then you need to implement additional security, such as digital rights management (DRM) controls.

What’s the best way to send an encrypted or protected PDF?

If a PDF is encrypted using a strong algorithm, the method you use to send it is unimportant.  It is more important how you distribute the key to unlock the document and how you control use once it is opened.  If the key is exposed to the user at any point, it can be shared with unauthorized users so that they too can open the document.  The same can be said for when the key is embedded in the document and linked to a password, such is the case with Adobe PDF security.  Meanwhile, if you cannot stop the user from copying and pasting, printing, or screenshotting the document, then secure key distribution is of limited help as the receiver can still easily share the contents with others.

If I encrypt a PDF for email, will that prevent sharing?

No.  File encryption does not stop sharing because it makes no attempt to control what happens after a user opens the PDF and it is decrypted.  The user you send the PDF to can simply share the decrypted file.

What’s the best way to send a PDF securely by email?

Protect it using PDF DRM software before you send it.  A good PDF DRM solution will protect the PDF file in transit, at rest, and while in use, locking it to authorized devices.  This is something that standard email encryption can’t do.

By using DRM you can prevent unauthorized users opening attachments, and stop authorized users from copying, printing, taking screenshots and saving to unprotected files.

It is important to choose a system that does not rely on passwords, and that can lock content to devices so it cannot be easily shared.  This is something that cannot be achieved using a cloud-based email solution.

How can I send documents securely over the internet?

If you protect your documents with a good DRM solution users will not be able to view, share, print, or edit your documents without your permission, regardless of the method you use to send them.

Can you send files securely using Google Drive?

Yes.  However, as Google Drive is not a secure way to send documents, you must make sure that you protect your files with a DRM solution before you upload them.  Drive’s default security will otherwise allow users to print, copy and paste, screenshot, and remove watermarks from your documents without your permission.

Can I prevent forwarding of email attachments?

No, but you can prevent unauthorized users opening them.  If a user forwards a Locklizard encrypted PDF file, then the recipient will only be able to view it if they have been authorized to do so by the document owner or Publisher.

Can I prevent copying and saving of email attachments?

Yes.  You can prevent all the common methods of unauthorized distribution by blocking printing and screenshots, stopping copy and paste, and preventing saving of attachments to unprotected file formats.

Can I prevent printing of email attachments?

Yes, Locklizard encrypted PDF attachments can be locked to prevent printing.  You can also allow limited prints and add dynamic watermarks that identify users to discourage distribution of printed copies.

Can I expire email attachments?

Yes, you can send attachments that expire.  Email attachments that you protect using Locklizard can be set to expire on a specified date, on a number of days after first open, and/or after a number of opens or prints.

Can you send a PDF via text?

Yes.  So long as your phone/provider supports MMS.  However, sending a PDF via text is not secure.  Text messages are typically not difficult to intercept, and phone numbers are easy to spoof.  You should encrypt your PDFs with a strong encryption algorithm and key, preferably with DRM, before sending them.

Can you send PDFs on WhatsApp?

Yes.  You can attach PDFs to WhatsApp messages by pressing the attachment icon and selecting “Document”.  WhatsApp is more secure than text messaging because chats are end-to-end encrypted, but it is still not a good idea to use it to send sensitive PDFs.  WhatsApp backups are not usually encrypted, so if your recipient backs up to Google Drive and then gets hacked, your PDFs may be accessible to the attackers.  Additionally, WhatsApp does not control what a recipient can do with the document — they can still share it with unauthorized users after receiving it.