Making PDFs More Secure in LibreOffice Writer

PDFs date from a less security-conscious era than our own. However, over the years, the PDF format has added security features. Today, if you need security, you have two choices: passwords and permissions for casual security of digital certificates or GNU Privacy Guard (GPG) keys for serious encryption. Both are available from tabs on LibreOffice's PDF Options window when exporting to PDF.

Passwords and Permissions

PDFs have their own system of passwords and permissions, which are available from File | Export As | Export As PDF… | PDF Options | Security (Figure 1). To set them up, begin by entering a password to open the exported file, and a second one to alter the permissions (in other words, how the files can be used). After the second password is entered, three kinds of permissions are available: Printing, Changes, and Contents. Together, options can be as strict as allowing a user only to view the file, or as loose as allowing any user to alter the file at will, or something in-between.

Figure 1: The Security tab in the PDF Options window offers a casual grade of security with a variety of options.

Dating from a less security-conscious era, the reasons for these restrictions may seem arbitrary today. For example, why restrict printing to 150dpi, a resolution that is low, but still allows printed pages to be scanned and enhanced? The inability to print in high resolution seems trivial compared to the ability to print at all. Similarly, the combinations of allowable changes seems inconvenient. For instance, while you may not want users to fill in forms, why is there no way to allow comments on forms alone.

In fact, before setting permissions on a PDF file, you might ask if doing so is worth the effort. Over the years, PDFs have been notorious for security weaknesses; unsurprisingly, numerous ways to bypass a password are available. On Windows, proprietary applications like PDFelement or iSumsoft PDF Password Refixer are available for downloading. On Linux, PDFCrack does dictionary-supported brute force attacks to open a password-protected PDF. Easier still, Ghostscript can bypass the password with:

gs -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite
  -sOutputFile=[unencrypted.pdf] -c .setpdfwrite
  -f [encrypted.pdf]

And these are just the available tools I found in a five minute search. Undoubtedly, other tools are available, no matter what operating system you use. Moreover, once the file is opened, of course, all the carefully set permissions can be altered without any problem.

PDF permissions can be classified as a subset of security through obscurity – the practice of not mentioning security risks and hoping no one notices, which is widely condemned by security experts. Better yet, PDF permissions could be described as security through ignorance, working only so long as users have no idea how wide-open they are to anyone who can do a web search. All they are really useful for is controlling unsophisticated users' behavior. Anyone who really wants to bypass the password and the permissions will find a way to do so.

Digital Certificates and GPG

Two secure alternatives to permissions are available from File | Export As | Export As PDF… | PDF Options | Digital Signatures (Figure 2). These alternatives do not allow you to fine-tune how a PDF file can be used or edited, but they do provide stronger security than permissions. In addition, they guarantee that a sent file is actually from you.

Figure 2: The Digital Signatures tab of the PDF Options window is the place to add advanced encryption.

These alternatives are to obtain a digital certificate from a certificate authority or to generate personal keys yourself. Certificates and keys are simply alternative names for the same tool: a passphrase-protected system of encryption. They both consist of a private certificate or key and a public one that the recipient must be sent in order to read the files you send. As the originator, you can use the certificate or key to read your own encrypted files.

Digital certificates are probably best-known in corporate circles. They require interacting with a certificate authority, whose reputation presumably adds weight to the authenticity of the certificate you receive from it. The exact details of using a certificate varies with the certificate authority, your browser, and your version of LibreOffice, but here is a summary of the general steps:

1. Sign into a free-cost certificate authority site like the Linux Foundation’s Let’s Encrypt (Figure 3) and follow the steps to generate a certificate.
2. Locate the certificate in your web browser’s preferences or set up and make it available for files.
3. Depending on the version of LibreOffice, you may need to make Writer aware of the certificate using File | Digital Signature | Digital Signatures…, and then restart Writer.
4. Add the certificate to the PDF file using File | Export As | Export As PDF … | PDF Options | Digital Signatures, and fill out the required information. Alternatively, use File | Digital Signature to add a certificate to an already generated PDF.

Figure 3: Let’s Encrypt provides free certificates.

However, using a digital signature can be an involved process. Despite the name, in recent versions of Writer, the Digital Signatures tab also recognizes keys created using a variant of Pretty Good Privacy (PGP), such as GPG. By using GPG, in effect, you sacrifice whatever reassurances using a certificate authority may have for the convenience of doing everything yourself (Figure 4).

Figure 4: The start of generating a key in GPG.

If you already used GPG, the process of adding a key to a PDF file is similar to any other use. To generate keys with GPG, run the command:

gpg --full-generate-key

GPG takes you through the five steps in creating keys: adding your name and email, creating a passphrase, choosing the algorithm, setting the key size, and assigning an expiration date. If you are unsure about some of the technical choices, you can always accept the defaults. As a last step, you should create a revocation certificate, which allows you to make the new key invalid if it is ever compromised, with the command:

gpg --armor --output revoke.asc --gen-revoke PUBLIC KEY ID

The key can be selected and details added on the Security tab of the PDF Options window.

Once the key is created, you can send out the public key with

gpg --output YOURNAME.gpg --export KEY-EMAIL

or as a protected plain text file with the format:

gpg --armor --output YOURNAME.gpg --export KEY-EMAIL

Again, the key can be selected and details added on the Security tab of the PDF Options window.

Recipients of the file can verify it is from you with:

gpg --fingerprint KEY-EMAIL

Then create a decrypted copy of the file with:

gpg --decrypt ENCRYPTED-FILE 

The file’s text appears in the command line, and an unencrypted version of the file in the same directory as the encrypted file.

Whether you choose a certificate or a GPG key depends on your preferences and convenience. From a security viewpoint, one is generally as secure as another, except that different certificate authorities may default to different levels of encryption.

Choosing the Security Method

Neither passwords and permissions nor certificates and keys are entirely satisfactory on their own. Passwords and permissions have the advantage of controlling access in particular ways, but as security features, they are so weak that in many cases they are pointless.

By contrast, certificates and keys have strong security, but their access is all or nothing – you either have access to the PDF, or you don’t. However, their lack of choice is probably preferable in most cases to the lack of acceptable security with passwords and permissions.