PDF security: eEnvelopes and security policies

Previously, I posted an ‘Introduction to PDF security.’ While it’s not strictly necessary to read that article first — particularly if you already have some familiarity with PDF security — it is helpful, as this article builds on some of the concepts raised therein.

In this piece, we’ll cover which parts of a document need to be encrypted, introduce the concept of ‘eEnvelopes’ and provide a little information about security policies.

What to encrypt?

Acrobat 7 Professional allows users to choose which parts of a PDF document they would like to encrypt. Depending on the encryption and compatibility level chosen, they may encrypt all of a document’s contents (the default), encrypt everything except metadata, or encrypt only file attachments, which creates what is known as an eEnvelope. If using password security, it’s possible to require separate passwords for opening the document, unrestricted editing, and accessing the attachments! That’s the good news; the bad news is that these various levels of security also restrict version compatibility. Encrypting the document but not the metadata requires users to have Acrobat or Reader 6, while securing only the attachments (a.k.a. using eEnvelopes) requires version 7.

A little more on eEnvelopes, courtesy of Richard Crocker’s in-depth ‘First Look’ piece on Acrobat 7:

A security measure new to Acrobat 7.0 is that of the eEnvelope. That is, the security measures on the PDF document and its attachments are handled separately. Hence, it is possible to send an unsecured PDF eEnvelope that may detail download instructions or address information with encrypted file attachments. A great example of this would be an eEnvelope that acted as a brochure, with the retail product (software or content such as an eBook) included as an encrypted attachment.

As with many choices regarding security strategy, it’s important to evaluate the relative priorities of strong encryption and ease-of-use for authorized personnel. For instance, if your document contains sensitive financial information, you would need to secure the document’s contents, but you may not want to encrypt its metadata. This would make it easier to archive and retrieve the document, as information such as document title, author and keywords would all be freely available.

Another consideration is compatibility. As I mentioned in my last article on PDF security, this can be an important choice, as wider compatibility also results in a lower level of security. If you want to make a document available to a broad spectrum of external users, then you must either make the document as compatible as possible, or require potential readers/end users to download the latest version of Adobe Reader, which could potentially limit or upset your audience.
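To check which of the three options a received PDF actually uses, here is an added example (not from the original article or from Adobe) that reads the file's encryption dictionary and reports the scope alongside the minimum version quoted above. The key names (/Encrypt, /V, /StmF, /StrF, /EFF, /EncryptMetadata) come from the PDF specification rather than this article; the function names and sample bytes are constructed for illustration, and the scan assumes the password (standard) security handler with an indirect /Encrypt reference.

```python
import re

# Constructed sample: trailer plus encryption dictionary of an attachment-only PDF.
SAMPLE_EENVELOPE = b"""5 0 obj
<< /Filter /Standard /V 4 /R 4 /Length 128
   /CF << /StdCF << /CFM /AESV2 /AuthEvent /EFOpen /Length 16 >> >>
   /StmF /Identity /StrF /Identity /EFF /StdCF >>
endobj
trailer
<< /Size 6 /Root 1 0 R /Encrypt 5 0 R >>"""

def find_encrypt_dict(pdf):
    """Body of the object the trailer's /Encrypt entry points at, or None."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return None  # no indirect /Encrypt entry: treated as unencrypted
    pat = rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj(.*?)endobj"
    obj = re.search(pat, pdf, re.S)
    # Reference present but object not found: stay conservative, assume encrypted.
    return obj.group(1) if obj else b""

def _name(enc, key, default):
    """Value of a name-valued key such as /StmF /StdCF."""
    m = re.search(rb"/" + key + rb"\s*/([A-Za-z0-9_.]+)", enc)
    return m.group(1).decode() if m else default

def encryption_scope(pdf):
    """Return (scope, minimum Acrobat/Reader version stated in the article)."""
    enc = find_encrypt_dict(pdf)
    if enc is None:
        return ("none", None)
    v = re.search(rb"/V\s+(\d+)", enc)
    if not v or int(v.group(1)) < 4:
        return ("all contents", None)  # crypt filters only exist from /V 4
    stmf = _name(enc, b"StmF", "Identity")  # filter applied to streams
    strf = _name(enc, b"StrF", "Identity")  # filter applied to strings
    eff = _name(enc, b"EFF", stmf)          # embedded files default to /StmF
    if stmf == strf == "Identity":
        return ("attachments only", 7) if eff != "Identity" else ("none", None)
    if re.search(rb"/EncryptMetadata\s+false", enc):
        return ("all except metadata", 6)
    return ("all contents", None)

if __name__ == "__main__":
    print(encryption_scope(SAMPLE_EENVELOPE))
```

A result of `None` for the version means the article gives no single figure for that case, since it depends on the compatibility level chosen.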

Security Policies

Another concept introduced with the Acrobat 7 product family was that of security policies, which are essentially pre-set, reusable profiles that define the security settings to be applied to a document or set thereof. What’s more, the concept of policies means that security settings can be configured on the organization or workgroup level. The policies can then be rolled out to group members in order to ensure standardized document security protocols.

[Image: Saving settings as a security policy.]

Security policies support all of the security methods available in Acrobat 7, including passwords, certificates, and even direct integration with Adobe’s server-based security application, Policy Server, although the last option is only available to users of Acrobat 7 Professional.

[Image: Managing Security Policies dialog.]

That’s the end of part two in my series on PDF security. In future articles, I’ll address 3rd party tools, digital signatures, and provide some more in-depth information on Adobe Policy Server. If you’re not familiar with any of those terms, you may just want to read those columns to find out more!


About the Author: Dan Shea
