Getting Started with PDFEncrypt and PDFDecrypt


Requirements: Secure PDF

Introduction

Secure PDF is a suite of components that can sign, verify, encrypt, and decrypt PDF documents, following modern PDF and PAdES security standards.

This guide will focus specifically on the PDFEncrypt and PDFDecrypt components for encrypting and decrypting PDF documents, respectively. Before continuing, it is recommended to download the latest version of Secure PDF to follow along with this guide.

Contents

PDFEncrypt

As with signing, PDF encryption is part of the PDF format. It is used to prevent unauthorized access to documents and is performed using either an encryption password (known as password-based or symmetric encryption) or the intended document recipient's public X.509 certificate (known as certificate-based or asymmetric encryption). The PDFEncrypt component supports both encryption types.

The benefit of this encryption scheme as defined in the standard is that encrypted PDF documents are still valid PDF documents and can be handled by almost any PDF reader. Of course, this software will need to be able to decrypt such documents, but it can always reach the metadata (information about the document) and document structure.

Password-Based Encryption

In password-based encryption, the publishers and intended users of the document must know some secret key (a password), which is used both to protect the document and access the protected data. Once the document has been protected (encrypted), the password is required to gain access to the document's contents. Although this method is straightforward and widely used for protecting PDF documents, the password must be passed from the publisher to the intended users, which presents a significant disadvantage.

The following code shows how to encrypt a PDF document with a user password:

pdfencrypt.InputFile = "input.pdf"; pdfencrypt.OutputFile = "password_encrypted.pdf"; pdfencrypt.Password = "password"; pdfencrypt.Encrypt();

Owner passwords are also supported. Compared with user passwords, these passwords are used to protect the permissions (set using the Permissions property) that will be embedded into the document. For example, you may want to prevent the recipient from printing or editing the document. You can encrypt the document with an owner password by specifying the OwnerPassword configuration setting before calling the Encrypt method.

Certificate-Based Encryption

Certificate-based encryption uses X.509 digital certificates to encrypt data. This encryption type provides a higher level of security than password-based encryption, because it relies on cryptographic key pairs, making it more difficult for unauthorized users to gain access. It is often used in environments in which secure and authenticated document exchange is critical. Encrypting with a certificate (as opposed to a password) ensures that only the intended recipient who possesses the corresponding private key can decrypt the PDF document.

The following code shows how to encrypt a PDF document with a certificate:

pdfencrypt.InputFile = "input.pdf"; pdfencrypt.OutputFile = "cert_encrypted.pdf"; pdfencrypt.EncryptionCert = new Certificate(CertStoreTypes.cstPublicKeyFile, "C:/MyCerts/cert.cer", "", "*"); pdfencrypt.Encrypt();

When encrypting using either a password or certificate, set the EncryptionAlgorithm property to the desired encryption algorithm. As additional encryption options, you can also decide whether the document metadata will be encrypted and embed permissions into the document using the EncryptMetadata and Permissions properties, respectively.

PDFDecrypt

The PDFDecrypt component supports decryption of both password-encrypted and certificate-encrypted PDF documents. To determine the document's encryption type before decrypting it, subscribe to the Password and RecipientInfo events and open the document. For example:

pdfdecrypt.InputFile = "encrypted.pdf"; pdfdecrypt.OnPassword += (s, e) => { Console.WriteLine("The PDF document is encrypted with a password."); }; pdfdecrypt.OnRecipientInfo += (s, e) => { Console.WriteLine("The PDF document is encrypted with a certificate."); };
pdfdecrypt.Open(); pdfdecrypt.Close();

Password-Based Decryption

If you have determined that the PDF is encrypted with a password (or know that fact beforehand), you must provide the correct decryption password using the Password property (for user passwords) or the OwnerPassword configuration setting (for owner passwords) to decrypt the document and gain access to its contents.

The following code shows how to decrypt a password-encrypted PDF document:

pdfdecrypt.InputFile = "password_encrypted.pdf"; pdfdecrypt.OutputFile = "decrypted.pdf"; pdfdecrypt.Password = "password"; pdfdecrypt.Decrypt();

Alternatively, set the decryption password within your Password event handler, and the component will decrypt the document all the same. The Available parameter may come in handy in determining whether the component already possesses the necessary decryption password.

Certificate-Based Decryption

If you have determined that the PDF is encrypted with a certificate (or know that fact beforehand), you must provide the decryption certificate containing the correct private key to decrypt the document and gain access to its contents.

The following code shows how to decrypt a certificate-encrypted PDF document:

pdfdecrypt.InputFile = "cert_encrypted.pdf"; pdfdecrypt.OutputFile = "decrypted.pdf"; pdfdecrypt.DecryptionCert = new Certificate(CertStoreTypes.cstPFXFile, "C:/MyCerts/cert.pfx", "cert_pass", "*"); pdfdecrypt.Decrypt();

Alternatively, set the decryption certificate within your RecipientInfo event handler, and the component will decrypt the document all the same. Like in the Password event, the Available parameter may come in handy when determining whether the component already possesses the necessary decryption certificate. The information published by the other parameters in the event (i.e., Issuer, SerialNumber, and SubjectKeyIdentifier) may also be useful for determining which decryption certificate should be used.

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@nsoftware.com.