PDF DRM Security FAQs

PDF Security FAQs – DRM PDF Protection without Passwords

Protect IP

Protect documents no matter where they reside:

Stop unauthorized access
Stop sharing and distribution
Strong US Gov strength encryption, DRM and licensing controls

Restrict Use

Set Expiry

Revoke Access

Watermark

Log Use

Comply Law

Benefits

How does DRM differ from encryption?

It can be very difficult to understand how encryption differs from DRM, licensing, and the role that each technology plays in document protection.

Encryption is used to prevent anyone who does not have the right key from decrypting information. It may also be used to indicate the source of the encrypted file and provide proof that the encrypted file has not been altered since it left its source. What it does not do is control subsequent use of the information once it is decrypted.

That is where DRM controls come in. They act as an additional layer of access controls that come into play after content has been decrypted but before it is displayed in the device (reader, browser, etc.). DRM licensing controls check that the user is authorized to use the document, which DRM controls are to be applied (preventing printing, editing, copying, etc.), whether the activity needs to be logged, if the document is valid and still available, and so on. Only if the DRM licensing controls are met does the document become available for decryption, and then only on the terms granted by the publisher (with printing and editing disabled, expiry after a certain date, etc.).

So, encryption is a very powerful tool for preventing unauthorized access, but it does not stop those who are authorized from doing what they want with the information. DRM uses encryption as a tool to enable it to enforce the controls set on protected documents. Locklizard systems deliver a powerful range of DRM controls to ensure the right level of protection is applied to PDF DRM documents both online and offline

How does Safeguard PDF Security differ from Enterprise PDF DRM?

Safeguard PDF Security is for the smaller publisher or small-medium business looking to protect their PDF documents. It does not have all the functionality of Enterprise PDF DRM such as:

For a complete list of differences, see the PDF security comparison chart.

How does Safeguard PDF Security differ from Adobe Acrobat PDF security for the protection of PDF files?

Unlike the Adobe approach, Safeguard PDF Security uses state-of-the-art web-based licensing to control who can install and activate the license which provides access to the decryption keys required to view your secure PDF documents.

This ensures that before someone can view your protected PDF documents, they must first purchase a license from you. Only with a license file can they install the free Secure PDF Viewer and activate it in order to view protected documents. The licenses you issue are one-time use (unless you specify otherwise), so once someone has activated their license on one device they cannot activate it on another. This prevents sharing of the license information or users from installing and activating it on more than one computer or device. The keys used to decrypt the secure PDF files cannot be extracted from the system and therefore cannot be given to others either.

With Acrobat PDF security, there is nothing to prevent users from sharing the keys used to decrypt protected PDF files. This is true for both PKI keys and passwords. If PKI keys have been used, then users can give their private key to others. If passwords have been used, then it is a simple matter of telling someone else what the password is so that they can use it. You cannot prevent or detect either situation.

Adobe has also been criticized for its weak implementation of security controls via the Adobe Security Handler. Any company that uses an Acrobat plug-in for security purposes, also uses the Adobe implementation to ‘protect’ your PDF documents. Read this article published by Adobe Certified expert Bryan Guignard on why we don’t use Adobe’s implementation / Acrobat plug-in for the protection of your PDF documents.

Is Locklizard a secure data room system?

No. While you can use Locklizard to create your own secure data room, it is not a secure data room system.

You protect PDF documents on your computer (you don’t upload unprotected files to a web server) and distribute them just like any other file.
There is no login process so credentials (and therefore your documents) cannot be shared with other users.

‘Secure’ data rooms have many security issues and are not suitable for secure document sharing.

See how Locklizard compares to secure data rooms and other document security systems – Locklizard vs competitors.

Or how Locklizard compares to a secure data room system such as DocSend or Digify.

How does Safeguard PDF Security differ from competing products?

Cost / ROI

Many Digital Rights Management (DRM) or Enterprise Rights Management (ERM) systems have significant costs which quickly escalate. In addition, you are locked into a subscription system that requires monthly or yearly payments.

With Locklizard you can purchase perpetual and one-time server licenses so you are not tied into expensive subscriptions.

Zero installation Viewers

Our Secure USB Viewer provides exactly the same DRM security as our desktop viewer but does not have to be installed by the user. Users don’t have to connect to a licensing server to register or verify access, or even have an Internet connection available. It therefore avoids conflicts with firewalls or situations where Windows admin rights or internet access are not allowed. Our Secure USB Viewer allows users to use protected PDF documents instantly on any computer wherever they are.

The Web Viewer can be accessed via a browser on any Operating System. Whilst less secure than our installed Viewers, it gives users additional flexibility for accessing files on the move.

Simpler to use, easier to manage

There are no passwords or certificates to worry about, manage or send to users. Decryption keys are transparently relayed to users’ computers in a secure manner and stored in an encrypted keystore.

Protecting PDF files is easy – just right-click on them in Windows Explorer and select the appropriate PDF document protection rights. There are no complex document identifiers, encoding schemes, or confusing policy choices.

We also provide the unique concept of publications, enabling you to group documents into publications for simpler document management and customer subscription services.

Whilst we use public key technology, no key management is required by you as the publisher or by your users or customers, as it is all handled transparently by the licensing system. There are no certificates to revoke when you want to terminate user access or any other PKI complexity.

See what our customers have to say about us – DRM Security Testimonials.

Simple assigning of document access rights

Many of our competitors provide controls at the user level. This is fine if you are certain that all the PDF documents you ever send to a user will require identical controls. But that’s often not the case.

We provide controls at the document level. This means you can decide how important the document is. This more closely reflects the value of the information, rather than assuming that the user always has the same rights for every document you make available to them.

In our system, you can publish the same document more than once and apply different controls to each publication. Additionally, expiry can also be controlled at both the document and the user level.

Prevention of third-party screen grabbers

At best, our competitors prevent the use of Windows print screen or use JavaScript to disable right-clicking in the browser. Most users, however, have screen-grabbing software installed on their computers (often as part of the Operating System) that enables them to use any key combination to grab screenshots of your protected PDF documents. Preventing just the use of Windows the printscreen key is therefore useless. Safeguard PDF Security prevents screen grabbing software from taking screenshots of your protected PDF documents.

Security

We don’t use insecure passwords, low-strength encryption, or plug-ins that are vulnerable to attack, so you can be sure that your PDF documents are protected using the best security available.

We don’t use JavaScript either, since this can seriously compromize your customer’s computers. JavaScript is the No. 1 malware attack for PDF files – see PDF security issues.

We don’t leave your documents decrypted on disk, where they can be easily copied by others – we only decrypt content to memory. Nor do we store unprotected files on a server.

We don’t make you upload your source files to a web server in order to protect them (where they could be easily compromized). Many companies that provide PDF DRM in the browser, store unprotected copies of your PDF on the server so they can be used for search purposes since they display an image to the client rather than the actual PDF document. With Locklizard, both unprotected and protected PDF files remain in your control and ownership at all times and are never exposed.

How does Safeguard PDF Security differ from file encryption products?

While file encryption products protect information while it is in transit or when stored on disk, they do not provide protection for the entire lifecycle of an electronic document. Once a document reaches the recipient, the protection is lost (the recipient decrypts the document), and the document can be forwarded, copied, and viewed by unauthorized recipients. In addition, encryption does not provide controls over document access rights – what a user can or cannot do with the document (print, edit, etc.) – or document expiry.

Safeguard PDF Security dynamically protects PDF documents inside and outside the network, online and offline, with strong encryption, document expiry, and access rights. This delivers persistent end-to-end protection throughout a protected PDF document’s lifecycle.

How secure is Safeguard PDF Security?

Safeguard PDF Security uses US Government strength encryption – the AES algorithm. It would currently take today’s fastest supercomputer approximately 27,337,893 trillion trillion trillion trillion years to crack a 256-bit AES key. For reference, the universe is thought to be 13.7 billion years old. Locklizard’s AES encryption should therefore be safe for many years, even factoring in quantum computing. For more information on AES see NIST’s AES fact sheet.

In addition, we don’t use third-party plug-ins to control your secure document access. This ensures we are not open to weaknesses in the published APIs or security holes in the third-party application. A competitor that uses this approach found the only way to prevent hacking of their systems was via the legal system and a court writ.

We do not send decryption keys with the documents that are being protected. Such a technique is discredited and is regarded as a fundamentally flawed approach. PDF documents are only decrypted for viewing in a secure, controlled environment, and are never made accessible unprotected. If a user does not have a license, they cannot view your protected PDF documents.

Is your PDF security open to password attacks like Adobe Acrobat Security and similar password based products?

No.

The keys required to decrypt protected PDF files are safely stored encrypted on the user’s computer.

There are no passwords to enter and therefore the system is not open to compromise or password attacks.

What is Locklizard’s stance on cracking programs? Are there any cracks available for PDC files?

As far as we are aware, there are no available cracks. Downloading any could compromize your system.

Please see the following document – PDC Un-protect and other PDC cracking programs.

Can you convert PDC files to PDF format?

No.

The only person that has access to PDF files is the publisher that protected them in the first place. Even they cannot convert PDC files to PDF format using the Writer software, but since they already have the source files (the original PDF files), there would be no reason to do so.

See convert PDC to PDF.

Do users have to have Adobe Acrobat PDF Reader installed in order to view secure PDF documents?

No.

Safeguard PDF Security is totally independent from Adobe Acrobat.

We realize that there are a lot of people who do not have Acrobat installed and who don’t want to download an additional 480MB+ file just for the privilege of viewing a protected PDF document.

Do you integrate with Adobe Acrobat in any way for the security of PDF documents?

No.

Safeguard’s Secure PDF Viewer does not use Adobe Acrobat for the rendering of PDF files. We feel that Adobe Acrobat was just not built with security in mind and could potentially compromize the security of our system.

Your security is not compromised by plug-in failures or conflicts. In fact, we think that plug-ins are potentially so insecure that we prevent them from loading entirely. This way, they can’t compromise security. See Adobe PDF plug-in vulnerabilities.

Do users have to have JavaScript enabled in order to view protected PDF documents?

No.

Safeguard Secure PDF Viewer specifically prevents JavaScript from loading.

Even Adobe warns users not to enable JavaScript, yet some of our competitors force users to have this enabled to view their protected PDF documents, leaving their computers wide open to hackers.

We take the position that we should not require users to reduce their effective security in order to accommodate our requirements. See PDF security issues.

Do I have to upload my PDF files to your web server to protect them?

Absolutely not.

We would strongly advise against using any system that employed this approach. Many systems that require you to upload documents to their servers also store unprotected copies for search purposes. This is so they can deliver images of your documents to the client device while still providing search facilities on the server.

With Safeguard PDF Security you protect your PDF files on your local computer so that they are not exposed to any potential compromise in their unprotected form on a web server or whilst being transferred. You also have peace of mind that you always have ownership over those files.

Do you host my secure PDF documents on your server?

No. You host them on your server, website, or network, or you can send them by email, message, USB, etc., just like any other file. You are free to choose whatever distribution method is best for your business.

For both security and legal liability reasons, we never have access to either your unprotected or protected PDF files. In a professional environment, that should not be a requirement, and we recommend that you obtain legally enforceable indemnity when a supplier insists that they have access to your IPR at any time.

What we do host is the licensing system, where you can issue users with licenses and control who can access your secure PDF documents and publications. And, if you are not happy with that, we allow you to host it yourself.

Where can I publish my protected PDF documents?

You can publish your secure PDF documents to the web, on your website, USB device, etc., or send them by email just like any other file.

You can also publish them to Locklizard’s web viewer so users can view them using their browser instead of installing a Viewer on their device.

Can I stop PDF documents from being copied if they can be downloaded?

No, but since the documents are encrypted, and the decryption keys are not exposed to the user (so that they cannot be shared), then it does not matter if protected PDF documents are copied and given to others. They will not be useable without the decryption key.

Locklizard only ever decrypts content in memory so that there are no temporary files left lying around with unprotected information in them. Decryption keys are securely and transparently relayed to a keystore that is locked to individual computers and will not work if copied to another computer along with the documents. So, whilst you cannot stop protected PDF documents from being copied, they are of no use to anyone but the authorized user.

Can users change my security settings?

No.

Once security settings have been applied to a document, they cannot be changed by anyone. The settings become part of the document and remain in force at all times, even when users are using your protected PDF documents offline (i.e. they are not connected to the Internet).

If you as the publisher want to issue the same PDF document with different security settings (copying, printing, etc.) then you just protect the PDF file again with the new settings. You can then send this newly protected PDF document to users.

How can I control document expiration and revocation once a document has been published?

Post publication document control is maintained through the use of expiry dates and the ability to revoke access to a document or user. For example, you can publish a protected PDF document that will expire in a month’s time, so that your customers will not be able to view it once the expiration date has passed.

Or, you can automatically revoke a user if they leave a project, department or company or fail to maintain payments for a subscription. Or revoke access to a protected document that is no longer valid.

You can also change the expiry date of a protected PDF document after it has been published.

Why would I want to set users to expire rather than documents?

The system is flexible so that you can do both.

You may want users to expire rather than documents so that they cannot view documents with dates outside their subscription period.

On the other hand, you may want a document to only be available for a limited time to comply with document retention policies. In this case, once the document expiry date has been reached, the protected PDF document is no longer viewable.

Lastly, you might want to control document expiry on a user basis. For example, you might publish documents that are available to all users (not individually allocated or part of a publication) and you want to control how long individual users can access them.

How can I manage subscription services when users subscribe to more than one publication?

Safeguard PDF Security enables you to expire access to publications on a user basis, so expiry for every publication is unique to each user. This is useful for subscription services where the same user may subscribe to more than one of your publications but for different periods.

You don’t have to expire user accounts for those subscribing to single publications. since access to the publication itself will expire at the date you set. This is useful if you still want users to be able to access documents published outside of the publication (i.e. documents published for all users or those that are individually allocated).

We want to give prospects/customers free 30 day trials of our documents. Is this possible?

Yes.

When you create a protected PDF document, you can specify how long it will be before it expires – e.g. 30 days, 1 year, etc. When a customer registers, they can then view your protected PDF documents for the time period you have allocated. Once this time period is reached, the protected PDF document will expire (if the document expires, it can no longer be viewed) and they will need to come back to you for a license to continue using it.

You can also set customer accounts to expire (say after a 30-day period). The difference here is that any protected PDF documents published during their subscription period that you have authorized them to view can still be viewed after their subscription period has expired. They just won’t be able to view any protected PDF documents published before or after their subscription period unless they come back to you for a license.

So, to summarize, you can either expire documents (and they are no longer viewable once they expire) or you can expire customers (and they can continue to view the documents that they were authorized to view during their subscription period). Of course, if you have forced your customers to connect to the administration server before they can view your protected PDF documents, you can instantly suspend their account. This prevents them from viewing any of your protected PDF documents.

Can authorized users distribute protected documents to others?

Users can send your protected PDF documents, to others, but they will not be able to view them unless they have purchased a license from you and registered with the administration server. For this reason, secured PDF documents can be freely distributed, emailed or published on the internet without unauthorized individuals able to open them..

In addition, even existing users cannot necessarily view your protected PDF documents. You decide which users have access to what documents and what publications. You can assign documents to publications for simpler management so that specific users can view all documents assigned to a particular publication , or you can publish documents on their own. If users have not been granted access, then they cannot view your protected PDF documents.

Do users have to be connected to the Internet in order to view my secure PDF documents?

No.

You can allow secure PDF documents to be viewed offline.

All document controls (preventing copying, printing, etc.) are retained within the document itself and therefore no internet connection is required to enforce controls. Please bear in mind, however, that an initial connection to the Internet is required to validate the user license and obtain the appropriate decryption key(s) when users view your protected PDF documents for the first time. Also, if you have specified a limited number of prints or views or enabled tracking, an Internet connection will be required to verify the control.

Won’t users be able to photocopy my protected PDF documents if I let them print?

Yes.

However, you can add a watermark image and/or text to be displayed on the printed document. Using a moiré image will ensure only poor quality photocopies can be made, and adding user information (name, email address, company) will enable you as the publisher to identify the source of the document while discouraging sharing.

Can I customize Safeguard PDF Security with user’s names so I can identify where printed documents came from?

Yes.

When protecting PDF documents, you can add watermark text with dynamic system variables (user name, email address, company name and date/time). This information is automatically inserted into the protected PDF document when it is viewed and/or printed.

You therefore only ever have to protect a PDF document once for it to be uniquely tied to individual users.

I want a watermark to be applied when the document is printed but not viewed. Is this possible?

Yes.

You can choose to have watermarks inserted only when the document is viewed, only when the document is printed, or when the document is viewed and printed.

You can have different watermarks applied to viewed and printed content.

How is the licensing system managed?

The licensing system is web-based and is extremely simple to use.

To issue users with a license, you just enter their name and email address on the user account creation page and they are automatically sent a license file and download link for the free secure PDF Viewer software.

You can view all active and non-active users, , how many times they have attempted to activate their license and from which device and IP address. You can also allocate additional licenses and delete users from the system.

The licensing system transparently manages the document decryption keys so all you have to do is grant users access.

Is there a limit to the number of documents I can protect or the no. of customers that can receive protected PDFs?

No.

You can protect as many PDF documents as you want. Your plan terms determine the number of users you can add to your administration system. The Secure PDF Viewer users download to view your secure PDF files is totally free of charge.

Can I add existing users to future secured PDF documents or publications?

No.

You can protect as many PDF documents as you want at no extra cost. There is no limit on the number of users you can add to the administration system or who can view your protected PDF documents.

The Secure PDF Viewer that users download to view your secure PDF files is totally free.

What software do users need on their computers in order to view my secure PDF documents?

They need to download and install our free viewer software – Safeguard Secure PDF Viewer.

The Secure PDF Viewer software can be freely distributed and published on your own website if you prefer.

Alternatively, if users don’t want to install any software they can use our Web Viewer (any OS) or USB Viewer (Windows only) to access protected PDF documents.

In addition, you need to create a user account on the administration / licensing server, so the system can email them their license file. The activation of the license gives them access to the protected PDF document(s) you have licensed them to use.

Can I tell people where to buy a license from if they have not got one?

Yes.

When you protect a PDF file, you can add a free-format text message to it. You might want to enter information on how to purchase if you are selling PDF documents or ebooks, or give details on contacting your administrator if the system is used for internal document control.

This text is shown when a customer opens an unlicensed document. The text is also visible at the top of the protected PDF document if they try to open it with a text editor or a similar application such as Notepad or MS Word.

I sell ebooks and want customer records to be automatically created on the Administration system so that there is no delay in customers receiving their license emails after purchase. How can this be achieved?

You need to purchase our eCommerce API to achieve this.

The system integrates with your existing eCommerce or shopping cart system and works by acting on HTTP PUT commands sent to the Locklizard licensing server. This creates the user account and specifies what publications and or files they are allowed to access.

I need to encrypt PDF documents on the fly for integration with my web based application. Is this possible?

Yes.

The Safeguard PDF Security Command Line PDF encryption utility automates the protection of multiple PDF files on the command line or through a batch interface.

Batch files can be called from your existing applications, providing a quick and simple solution without the need to use an API. All the functionality available in the Safeguard Writer GUI can be accessed using the command line utility.

You may also prefer to use this feature rather than manually protecting PDF files. This will allow you to maintain an audit trail over the control settings that were applied.

Can I prevent the default document splashscreen from loading?

Yes. You decide whether you want a splashscreen displayed or not.

If you do decide to display a splashscreen you can choose what image is displayed, and how long it is displayed for.

Does the administration system keep a record of changes made to user, document and publication records?

Yes.

The administration system logs all administrator activity including record additions, edits, and deletions.

In addition, it records log-ons and backup and restore information.

Does Safeguard PDF Security work with Sharepoint?

Yes.

See Sharepoint Document Security.

Can I see which users have viewed/and or printed my protected PDF documents?

Yes.

If you enable document tracking, the administration system will record when users view and print your documents. You can even see which documents have been viewed/printed the most.