Getting Started with PDFEncrypt and PDFDecrypt
Requirements: Secure PDF
Introduction
Secure PDF is a suite of components that can sign, verify, encrypt, and decrypt PDF documents, following modern PDF and PAdES security standards.
This guide will focus specifically on the PDFEncrypt and PDFDecrypt components for encrypting and decrypting PDF documents respectively. Before continuing, it is recommended to download the latest version of Secure PDF in order to follow along with this guide.
Contents
PDFEncrypt
As with signing, PDF encryption is part of the PDF format itself. It is used to prevent unauthorized access to documents and is performed using either an encryption password (known as password-based or symmetric encryption) or the intended document recipient's public X.509 certificate (known as certificate-based or asymmetric encryption). The PDFEncrypt component supports both encryption types.
The benefit of this encryption scheme as defined in the standard is that encrypted PDF documents are still valid PDF documents and can be handled by almost any PDF reader. Of course, this software will need to be able to decrypt such documents, but it can always reach the metadata (information about the document) and document structure.
Password-Based Encryption
In password-based encryption, the publishers and intended users of the document must know some secret key (a password), which is used both to protect the document and access the protected data. Once the document has been protected (encrypted), the password is required to get access to the document's contents. Although this method is straightforward and widely used for protecting PDF documents, the password must be passed from the publisher to the intended users, which presents a significant disadvantage.
The following code shows how to encrypt a PDF document with a user password:
pdfencrypt.InputFile = "input.pdf";
pdfencrypt.OutputFile = "password_encrypted.pdf";
pdfencrypt.Password = "password";
pdfencrypt.Encrypt();
Owner passwords are also supported. Compared to user passwords, these passwords are used to protect the permissions (set via the Permissions property) that will be embedded into the document. For example, you may want to prevent the recipient from printing or editing the document. You can encrypt the document with an owner password by specifying the OwnerPassword configuration setting before calling the Encrypt method.
Certificate-Based Encryption
Certificate-based encryption uses X.509 digital certificates to encrypt data. This encryption type provides a higher level of security compared to password-based encryption, as it relies on cryptographic key pairs, making it more difficult for unauthorized users to gain access. It is often used in environments where secure and authenticated document exchange is critical. Encrypting with a certificate (as opposed to a password) ensures that only the intended recipient who possesses the corresponding private key can decrypt the PDF document.
The following code shows how to encrypt a PDF document with a certificate:
pdfencrypt.InputFile = "input.pdf";
pdfencrypt.OutputFile = "cert_encrypted.pdf";
pdfencrypt.EncryptionCert = new Certificate(CertStoreTypes.cstPublicKeyFile, "C:/MyCerts/cert.cer", "", "*");
pdfencrypt.Encrypt();
When encrypting using either a password or certificate, set the EncryptionAlgorithm property to the desired encryption algorithm. As additional encryption options, you can also decide whether the document metadata will be encrypted and embed permissions into the document via the EncryptMetadata and Permissions properties respectively.
PDFDecrypt
The PDFDecrypt component supports decryption of both password-encrypted and certificate-encrypted PDF documents. To determine the document's encryption type before decrypting it, subscribe to the Password and RecipientInfo events and open the document. For example:
pdfdecrypt.InputFile = "encrypted.pdf";
pdfdecrypt.OnPassword += (s, e) =>
{
Console.WriteLine("The PDF document is encrypted with a password.");
};
pdfdecrypt.OnRecipientInfo += (s, e) =>
{
Console.WriteLine("The PDF document is encrypted with a certificate.");
};
pdfdecrypt.Open();
pdfdecrypt.Close();
Password-Based Decryption
If you have determined that the PDF is encrypted with a password (or know that fact beforehand), you must provide the correct decryption password via the Password property (for user passwords) or the OwnerPassword configuration setting (for owner passwords) in order to decrypt the document and get access to its contents.
The following code shows how to decrypt a password-encrypted PDF document:
pdfdecrypt.InputFile = "password_encrypted.pdf";
pdfdecrypt.OutputFile = "decrypted.pdf";
pdfdecrypt.Password = "password";
pdfdecrypt.Decrypt();
Alternatively, set the decryption password within your Password event handler, and the component will decrypt the document all the same. The Available parameter may come in handy in determining whether the component already possesses the necessary decryption password.
Certificate-Based Decryption
If you have determined that the PDF is encrypted with a certificate (or know that fact beforehand), you must provide the decryption certificate containing the correct private key in order to decrypt the document and get access to its contents.
The following code shows how to decrypt a certificate-encrypted PDF document:
pdfdecrypt.InputFile = "cert_encrypted.pdf";
pdfdecrypt.OutputFile = "decrypted.pdf";
pdfdecrypt.DecryptionCert = new Certificate(CertStoreTypes.cstPFXFile, "C:/MyCerts/cert.pfx", "cert_pass", "*");
pdfdecrypt.Decrypt();
Alternatively, set the decryption certificate within your RecipientInfo event handler, and the component will decrypt the document all the same. Like in the Password event, the Available parameter may come in handy in determining whether the component already possesses the necessary decryption certificate. The information published by the other parameters in the event (i.e., Issuer, SerialNumber, and SubjectKeyIdentifier) may also be useful for determining which decryption certificate should be used.
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at kb@nsoftware.com.