PDF DRM Security FAQs

PDF Security FAQs – DRM PDF Protection without Passwords

  Free Trial & Demo

“Fantastic product… outstanding support.”

“We would recommend Locklizard to others”

“The clear leader for PDF DRM protection”

“Our ebook sales have gone through the roof”

“Simple & secure – protects IPR from theft”

Trusted by:

It can be very difficult to understand how encryption differs from DRM, licensing, and the role that each technology plays in document protection.

Encryption is used to prevent anyone who does not have the right key from decrypting information.  It may also be used to indicate the source of the encrypted file and provide proof that the encrypted file has not been altered since it left its source.  What it does not do is control subsequent use of the information once it is decrypted.

That is where DRM controls come in.  They act as an additional layer of access controls that come into play after content has been decrypted but before it is displayed in the device (reader, browser, etc.). DRM licensing controls check that the user is authorized to use the document, which DRM controls are to be applied (preventing printing, editing, copying, etc.), whether the activity needs to be logged, if the document is valid and still available, and so on.  Only if the DRM licensing controls are met does the document become available for decryption, and then only on the terms granted by the publisher (with printing and editing disabled, expiry after a certain date, etc.).

So, encryption is a very powerful tool for preventing unauthorized access, but it does not stop those who are authorized from doing what they want with the information.  DRM uses encryption as a tool to enable it to enforce the controls set on protected documents.  Locklizard systems deliver a powerful range of DRM controls to ensure the right level of protection is applied to PDF DRM documents both online and offline

Safeguard PDF Security is for the smaller publisher or small-medium business looking to protect their PDF documents.  It does not have all the functionality of Enterprise PDF DRM such as:

  • Document tracking and auditing
  • reports
  • batch changes
  • configurable messages
  • backup & restore
  • license transfer
  • country and IP restriction
  • administrator hierarchy
  • and more

For a complete list of differences, see the PDF security comparison chart.

Unlike the Adobe approach, Safeguard PDF Security uses state-of-the-art web-based licensing to control who can install and activate the license which provides access to the decryption keys required to view your secure PDF documents.

This ensures that before someone can view your protected PDF documents, they must first purchase a license from you.  Only with a license file can they install the free Secure PDF Viewer and activate it in order to view protected documents.  The licenses you issue are one-time use (unless you specify otherwise), so once someone has activated their license on one device they cannot activate it on another.   This prevents sharing of the license information or users from installing and activating it on more than one computer or device.  The keys used to decrypt the secure PDF files cannot be extracted from the system and therefore cannot be given to others either.

With Acrobat PDF security, there is nothing to prevent users from sharing the keys used to decrypt protected PDF files.  This is true for both PKI keys and passwords.  If PKI keys have been used, then users can give their private key to others.  If passwords have been used, then it is a simple matter of telling someone else what the password is so that they can use it. You cannot prevent or detect either situation.

Adobe has also been criticized for its weak implementation of security controls via the Adobe Security Handler.   Any company that uses an Acrobat plug-in for security purposes, also uses the Adobe implementation to ‘protect’ your PDF documents.  Read this article published by Adobe Certified expert Bryan Guignard on why we don’t use Adobe’s implementation / Acrobat plug-in for the protection of your PDF documents.

No.  While you can use Locklizard to create your own secure data room, it is not a secure data room system.

  • You protect PDF documents on your computer (you don’t upload unprotected files to a web server) and distribute them just like any other file.
  • There is no login process so credentials (and therefore your documents) cannot be shared with other users.

‘Secure’ data rooms have many security issues and are not suitable for secure document sharing.

See how Locklizard compares to secure data rooms and other document security systems – Locklizard vs competitors.

Or how Locklizard compares to a secure data room system such as DocSend or Digify.

Cost / ROI

Many Digital Rights Management (DRM) or Enterprise Rights Management (ERM) systems have significant costs, charging you for the number of users, documents, and storage space.  This can all quickly add up.  In addition, you are locked into a subscription system that requires monthly or yearly payments.

We let you protect as many documents as you like and manage as many users as you want without any additional.  You can purchase perpetual and one-time server licenses so you are not tied into expensive subscriptions.  With Locklizard, you know your costs are fixed and predictable, instead of us charging for your success.

Zero installation Viewers

Our Secure USB Viewer provides exactly the same DRM security as our desktop viewer but does not have to be installed by the user.  Users don’t have to connect to a licensing server to register or verify access, or even have an Internet connection available.   It therefore avoids conflicts with firewalls or situations where Windows admin rights or internet access are not allowed.  Our Secure USB Viewer allows users to use protected PDF documents instantly on any computer wherever they are.

The Web Viewer can be accessed via a browser on any Operating System.  Whilst less secure than our installed Viewers, it gives users additional flexibility for accessing files on the move.

Simpler to use, easier to manage

There are no passwords or certificates to worry about, manage or send to users.  Decryption keys are transparently relayed to users’ computers in a secure manner and stored in an encrypted keystore.

Protecting PDF files is easy – just right-click on them in Windows Explorer and select the appropriate PDF document protection rights.  There are no complex document identifiers, encoding schemes, or confusing policy choices.

We also provide the unique concept of publications, enabling you to group documents into publications for simpler document management and customer subscription services.

Whilst we use public key technology, no key management is required by you as the publisher or by your users or customers, as it is all handled transparently by the licensing system.  There are no certificates to revoke when you want to terminate user access or any other PKI complexity.

See what our customers have to say about us – DRM Security Testimonials.

Simple assigning of document access rights

Many of our competitors provide controls at the user level.  This is fine if you are certain that all the PDF documents you ever send to a user will require identical controls. But that’s often not the case.

We provide controls at the document level.  This means you can decide how important the document is.  This more closely reflects the value of the information, rather than assuming that the user always has the same rights for every document you make available to them.

In our system, you can publish the same document more than once and apply different controls to each publication. Additionally, expiry can also be controlled at both the document and the user level.

Prevention of third-party screen grabbers

At best, our competitors prevent the use of Windows print screen or use JavaScript to disable right-clicking in the browser.  Most users, however, have screen-grabbing software installed on their computers (often as part of the Operating System) that enables them to use any key combination to grab screenshots of your protected PDF documents.  Preventing just the use of Windows the printscreen key is therefore useless.  Safeguard PDF Security prevents screen grabbing software from taking screenshots of your protected PDF documents.

Security

We don’t use insecure passwords, low-strength encryption, or plug-ins that are vulnerable to attack, so you can be sure that your PDF documents are protected using the best security available.

We don’t use JavaScript either, since this can seriously compromize your customer’s computers.  JavaScript is the No. 1 malware attack for PDF files – see PDF security issues.

We don’t leave your documents decrypted on disk, where they can be easily copied by others – we only decrypt content to memory.  Nor do we store unprotected files on a server.

We don’t make you upload your source files to a web server in order to protect them (where they could be easily compromized).  Many companies that provide PDF DRM in the browser, store unprotected copies of your PDF on the server so they can be used for search purposes since they display an image to the client rather than the actual PDF document.  With Locklizard, both unprotected and protected PDF files remain in your control and ownership at all times and are never exposed.

See also PDF DRM – 10 things they did not tell you.

While file encryption products protect information while it is in transit or when stored on disk, they do not provide protection for the entire lifecycle of an electronic document.  Once a document reaches the recipient, the protection is lost (the recipient decrypts the document), and the document can be forwarded, copied, and viewed by unauthorized recipients.  In addition, encryption does not provide controls over document access rights – what a user can or cannot do with the document (print, edit, etc.) – or document expiry.

Safeguard PDF Security dynamically protects PDF documents inside and outside the network, online and offline, with strong encryption, document expiry, and access rights.  This delivers persistent end-to-end protection throughout a protected PDF document’s lifecycle.

Safeguard PDF Security uses US Government strength encryption – the AES algorithm.  It would currently take today’s fastest supercomputer approximately 27,337,893 trillion trillion trillion trillion years to crack a 256-bit AES key.  For reference, the universe is thought to be 13.7 billion years old. Locklizard’s AES encryption should therefore be safe for many years, even factoring in quantum computing.  For more information on AES see NIST’s AES fact sheet.

In addition, we don’t use third-party plug-ins to control your secure document access.  This ensures we are not open to weaknesses in the published APIs or security holes in the third-party application.  A competitor that uses this approach found the only way to prevent hacking of their systems was via the legal system and a court writ.

We do not send decryption keys with the documents that are being protected.  Such a technique is discredited and is regarded as a fundamentally flawed approach.  PDF documents are only decrypted for viewing in a secure, controlled environment, and are never made accessible unprotected.  If a user does not have a license, they cannot view your protected PDF documents.

No.

The keys required to decrypt protected PDF files are safely stored encrypted on the user’s computer.

There are no passwords to enter and therefore the system is not open to compromise or password attacks.

As far as we are aware, there are no available cracks. Downloading any could compromize your system.

Please see the following document – PDC Un-protect and other PDC cracking programs.

No.

The only person that has access to PDF files is the publisher that protected them in the first place.  Even they cannot convert PDC files to PDF format using the Writer software, but since they already have the source files (the original PDF files), there would be no reason to do so.

See convert PDC to PDF.

No.

Safeguard PDF Security is totally independent from Adobe Acrobat.

We realize that there are a lot of people who do not have Acrobat installed and who don’t want to download an additional 480MB+ file just for the privilege of viewing a protected PDF document.

No.

Safeguard’s Secure PDF Viewer does not use Adobe Acrobat for the rendering of PDF files.  We feel that Adobe Acrobat was just not built with security in mind and could potentially compromize the security of our system.

Your security is not compromised by plug-in failures or conflicts.  In fact, we think that plug-ins are potentially so insecure that we prevent them from loading entirely.  This way, they can’t compromise security.  See Adobe PDF plug-in vulnerabilities.

No.

Safeguard Secure PDF Viewer specifically prevents JavaScript from loading.

Even Adobe warns users not to enable JavaScript, yet some of our competitors force users to have this enabled to view their protected PDF documents, leaving their computers wide open to hackers.

We take the position that we should not require users to reduce their effective security in order to accommodate our requirements.  See PDF security issues.

Absolutely not.

We would strongly advise against using any system that employed this approach.  Many systems that require you to upload documents to their servers also store unprotected copies for search purposes.  This is so they can deliver images of your documents to the client device while still providing search facilities on the server.

With Safeguard PDF Security you protect your PDF files on your local computer so that they are not exposed to any potential compromise in their unprotected form on a web server or whilst being transferred.  You also have peace of mind that you always have ownership over those files.

No.  You host them on your server, website, or network, or you can send them by email, message, USB, etc., just like any other file.  You are free to choose whatever distribution method is best for your business.

For both security and legal liability reasons, we never have access to either your unprotected or protected PDF files.  In a professional environment, that should not be a requirement, and we recommend that you obtain legally enforceable indemnity when a supplier insists that they have access to your IPR at any time.

What we do host is the licensing system, where you can issue users with licenses and control who can access your secure PDF documents and publications.  And, if you are not happy with that, we allow you to host it yourself.

You can publish your secure PDF documents to the web, on your website, USB device, etc., or send them by email just like any other file.

You can also publish them to Locklizard’s web viewer so users can view them using their browser instead of installing a Viewer on their device.

No, but since the documents are encrypted, and the decryption keys are not exposed to the user (so that they cannot be shared), then it does not matter if protected PDF documents are copied and given to others.  They will not be useable without the decryption key.

Locklizard only ever decrypts content in memory so that there are no temporary files left lying around with unprotected information in them.  Decryption keys are securely and transparently relayed to a keystore that is locked to individual computers and will not work if copied to another computer along with the documents.  So, whilst you cannot stop protected PDF documents from being copied, they are of no use to anyone but the authorized user.

No.

Once security settings have been applied to a document, they cannot be changed by anyone.  The settings become part of the document and remain in force at all times, even when users are using your protected PDF documents offline (i.e. they are not connected to the Internet).

If you as the publisher want to issue the same PDF document with different security settings (copying, printing, etc.) then you just protect the PDF file again with the new settings.  You can then send this newly protected PDF document to users.

Post publication document control is maintained through the use of expiry dates and the ability to revoke access to a document or user.  For example, you can publish a protected PDF document that will expire in a month’s time, so that your customers will not be able to view it once the expiration date has passed.

Or, you can automatically revoke a user if they leave a project, department or company or fail to maintain payments for a subscription.  Or revoke access to a protected document that is no longer valid.

You can also change the expiry date of a protected PDF document after it has been published.

The system is flexible so that you can do both.

You may want users to expire rather than documents so that they cannot view documents with dates outside their subscription period.

On the other hand, you may want a document to only be available for a limited time to comply with document retention policies.  In this case, once the document expiry date has been reached, the protected PDF document is no longer viewable.

Lastly, you might want to control document expiry on a user basis.  For example, you might publish documents that are available to all users (not individually allocated or part of a publication) and you want to control how long individual users can access them.

Safeguard PDF Security enables you to expire access to publications on a user basis, so expiry for every publication is unique to each user.  This is useful for subscription services where the same user may subscribe to more than one of your publications but for different periods.

You don’t have to expire user accounts for those subscribing to single publications. since access to the publication itself will expire at the date you set.  This is useful if you still want users to be able to access documents published outside of the publication (i.e. documents published for all users or those that are individually allocated).

Yes.

When you create a protected PDF document, you can specify how long it will be before it expires – e.g. 30 days, 1 year, etc.  When a customer registers, they can then view your protected PDF documents for the time period you have allocated.  Once this time period is reached, the protected PDF document will expire (if the document expires, it can no longer be viewed) and they will need to come back to you for a license to continue using it.

You can also set customer accounts to expire (say after a 30-day period).  The difference here is that any protected PDF documents published during their subscription period that you have authorized them to view can still be viewed after their subscription period has expired.  They just won’t be able to view any protected PDF documents published before or after their subscription period unless they come back to you for a license.

So, to summarize, you can either expire documents (and they are no longer viewable once they expire) or you can expire customers (and they can continue to view the documents that they were authorized to view during their subscription period).  Of course, if you have forced your customers to connect to the administration server before they can view your protected PDF documents, you can instantly suspend their account.  This prevents them from viewing any of your protected PDF documents.

Users can send your protected PDF documents, to others, but they will not be able to view them unless they have purchased a license from you and registered with the administration server.  For this reason, secured PDF documents can be freely distributed, emailed or published on the internet without unauthorized individuals able to open them..

In addition, even existing users cannot necessarily view your protected PDF documents.  You decide which users have access to what documents and what publications.  You can assign documents to publications for simpler management so that specific users can view all documents assigned to a particular publication , or you can publish documents on their own.  If users have not been granted access, then they cannot view your protected PDF documents.

No.

You can allow secure PDF documents to be viewed offline.

All document controls (preventing copying, printing, etc.) are retained within the document itself and therefore no internet connection is required to enforce controls.  Please bear in mind, however, that an initial connection to the Internet is required to validate the user license and obtain the appropriate decryption key(s) when users view your protected PDF documents for the first time.  Also, if you have specified a limited number of prints or views or enabled tracking, an Internet connection will be required to verify the control.

Yes.

However, you can add a watermark image and/or text to be displayed on the printed document.  Using a moiré image will ensure only poor quality photocopies can be made, and adding user information (name, email address, company) will enable you as the publisher to identify the source of the document while discouraging sharing.

Yes.

When protecting PDF documents, you can add watermark text with dynamic system variables (user name, email address, company name and date/time).  This information is automatically inserted into the protected PDF document when it is viewed and/or printed.

You therefore only ever have to protect a PDF document once for it to be uniquely tied to individual users.

The licensing system is web-based and is extremely simple to use.

To issue users with a license, you just enter their name and email address on the user account creation page and they are automatically sent a license file and download link for the free secure PDF Viewer software.

You can view all active and non-active users, , how many times they have attempted to activate their license and from which device and IP address.  You can also allocate additional licenses and delete users from the system.

The licensing system transparently manages the document decryption keys so all you have to do is grant users access.

No.

You can protect as many PDF documents as you want at no extra charge.  There is no limit on the number of users you can add to the administration system or who can view your protected PDF documents.

The Secure PDF Viewer users download to view your secure PDF files is totally free of charge.

No.

You can protect as many PDF documents as you want at no extra cost.  There is no limit on the number of users you can add to the administration system or who can view your protected PDF documents.

The Secure PDF Viewer that users download to view your secure PDF files is totally free.

They need to download and install our free viewer software – Safeguard Secure PDF Viewer.

The Secure PDF Viewer software can be freely distributed and published on your own website if you prefer.

Alternatively, if users don’t want to install any software they can use our Web Viewer (any OS) or USB Viewer (Windows only) to access protected PDF documents.

In addition, you need to create a user account on the administration / licensing server, so the system can email them their license file.  The activation of the license gives them access to the protected PDF document(s) you have licensed them to use.

Yes.

When you protect a PDF file, you can add a free-format text message to it.  You might want to enter information on how to purchase if you are selling PDF documents or ebooks, or give details on contacting your administrator if the system is used for internal document control.

This text is shown when a customer opens an unlicensed document.  The text is also visible at the top of the protected PDF document if they try to open it with a text editor or a similar application such as Notepad or MS Word.

You need to purchase our eCommerce API to achieve this.

The system integrates with your existing eCommerce or shopping cart system and works by acting on HTTP PUT commands sent to the Locklizard licensing server.  This creates the user account and specifies what publications and or files they are allowed to access.

Yes.

The Safeguard PDF Security Command Line PDF encryption utility automates the protection of multiple PDF files on the command line or through a batch interface.

Batch files can be called from your existing applications, providing a quick and simple solution without the need to use an API.  All the functionality available in the Safeguard Writer GUI can be accessed using the command line utility.

You may also prefer to use this feature rather than manually protecting PDF files.  This will allow you to maintain an audit trail over the control settings that were applied.

Yes.  You decide whether you want a splashscreen displayed or not.

If you do decide to display a splashscreen you can choose what image is displayed, and how long it is displayed for.

Yes.

The administration system logs all administrator activity including record additions, edits, and deletions.

In addition, it records log-ons and backup and restore information.

Yes.

If you enable document tracking, the administration system will record when users view and print your documents.  You can even see which documents have been viewed/printed the most.

NOTE:  This feature is only available in Safeguard Enterprise PDF DRM.

Yes.

You can restrict or allow various IP address ranges and country locations to ensure that only users from known locations can register.

NOTE:  This feature is only available in Safeguard Enterprise PDF DRM.

Yes.

You can suspend individual licenses on a user’s account.

You may want to do this if a user tells you they are no longer using a computer they previously registered on and would like to transfer use of their license to a new computer.

NOTE:  This feature is only available in Safeguard Enterprise PDF DRM.

Yes.

You choose how many days before a document expires that the document expiry message is displayed (or URL redirect), giving users ample time to renew their subscriptions.

NOTE: This feature is only available in Safeguard Enterprise PDF DRM.

Yes.

Through the batch change facility, you can grant ALL users access to a publication or document in a single mouse click.  You do not have to select individual users to do this.

NOTE:  This feature is only available in Safeguard Enterprise PDF DRM.

No.  Safeguard PDF Security does not provide remote file deletion or secure file deletion.

However, once a file expires, it is unusable to the user, as it can no longer be opened.

Remote secure file deletion products are a marketing ploy than anything else.  There is nothing to prevent users making copies of files and storing them on another device or to setting a file to ‘read only’.  Some software products can get around read-only controls, but they need code that bypasses the expected behavior of the operating system.  That is most definitely a ‘bad’ idea, and exactly what hackers and viruses set out to do.

Peter Gutmann, the noted computer scientist in New Zealand, points out about secure file deletion methods – “the 35 pass overwrite technique …. is a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques.” – and as Government agencies note, the only way to prevent data recovery is to physically destroy a disk.

You can revoke document access by suspending or deleting a document, or by changing the date access range for a document.  You can revoke document access for all users or selected users.

You can also revoke document access automatically:

  • on a specific date
  • after a certain number of days use
  • after a number of views
  • after a number of prints

More information can be found at Revoking Document Access & Document Expiry.

Adobe experience manager document security is an Enterprise Rights Management solution that provides support for multiple file types including Office files.  It is designed mainly for enterprise use within an organization and requires an IT person or department to configure the installation and policies governing use.

Customer Testimonials