Making PDFs More Secure in LibreOffice Writer
PDF Security
ByDepending on your needs, LibreOffice Writer offers varying degrees of security for PDFs.
PDFs date from a less security-conscious era than our own. However, over the years, the PDF format has added security features. Today, if you need security, you have two choices: passwords and permissions for casual security of digital certificates or GNU Privacy Guard (GPG) keys for serious encryption. Both are available from tabs on LibreOffice's PDF Options window when exporting to PDF.
Passwords and Permissions
PDFs have their own system of passwords and permissions, which are available from File | Export As | Export As PDF… | PDF Options | Security (Figure 1). To set them up, begin by entering a password to open the exported file, and a second one to alter the permissions (in other words, how the files can be used). After the second password is entered, three kinds of permissions are available: Printing, Changes, and Contents. Together, options can be as strict as allowing a user only to view the file, or as loose as allowing any user to alter the file at will, or something in-between.

Dating from a less security-conscious era, the reasons for these restrictions may seem arbitrary today. For example, why restrict printing to 150dpi, a resolution that is low, but still allows printed pages to be scanned and enhanced? The inability to print in high resolution seems trivial compared to the ability to print at all. Similarly, the combinations of allowable changes seems inconvenient. For instance, while you may not want users to fill in forms, why is there no way to allow comments on forms alone.
In fact, before setting permissions on a PDF file, you might ask if doing so is worth the effort. Over the years, PDFs have been notorious for security weaknesses; unsurprisingly, numerous ways to bypass a password are available. On Windows, proprietary applications like PDFelement or iSumsoft PDF Password Refixer are available for downloading. On Linux, PDFCrack does dictionary-supported brute force attacks to open a password-protected PDF. Easier still, Ghostscript can bypass the password with:
gs -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=[unencrypted.pdf] -c .setpdfwrite -f [encrypted.pdf]
And these are just the available tools I found in a five minute search. Undoubtedly, other tools are available, no matter what operating system you use. Moreover, once the file is opened, of course, all the carefully set permissions can be altered without any problem.
PDF permissions can be classified as a subset of security through obscurity – the practice of not mentioning security risks and hoping no one notices, which is widely condemned by security experts. Better yet, PDF permissions could be described as security through ignorance, working only so long as users have no idea how wide-open they are to anyone who can do a web search. All they are really useful for is controlling unsophisticated users' behavior. Anyone who really wants to bypass the password and the permissions will find a way to do so.
Digital Certificates and GPG
Two secure alternatives to permissions are available from File | Export As | Export As PDF… | PDF Options | Digital Signatures (Figure 2). These alternatives do not allow you to fine-tune how a PDF file can be used or edited, but they do provide stronger security than permissions. In addition, they guarantee that a sent file is actually from you.

These alternatives are to obtain a digital certificate from a certificate authority or to generate personal keys yourself. Certificates and keys are simply alternative names for the same tool: a passphrase-protected system of encryption. They both consist of a private certificate or key and a public one that the recipient must be sent in order to read the files you send. As the originator, you can use the certificate or key to read your own encrypted files.
Digital certificates are probably best-known in corporate circles. They require interacting with a certificate authority, whose reputation presumably adds weight to the authenticity of the certificate you receive from it. The exact details of using a certificate varies with the certificate authority, your browser, and your version of LibreOffice, but here is a summary of the general steps:
- Sign into a free-cost certificate authority site like the Linux Foundation’s Let’s Encrypt (Figure 3) and follow the steps to generate a certificate.
- Locate the certificate in your web browser’s preferences or set up and make it available for files.
- Depending on the version of LibreOffice, you may need to make Writer aware of the certificate using File | Digital Signature | Digital Signatures…, and then restart Writer.
- Add the certificate to the PDF file using File | Export As | Export As PDF … | PDF Options | Digital Signatures, and fill out the required information. Alternatively, use File | Digital Signature to add a certificate to an already generated PDF.
However, using a digital signature can be an involved process. Despite the name, in recent versions of Writer, the Digital Signatures tab also recognizes keys created using a variant of Pretty Good Privacy (PGP), such as GPG. By using GPG, in effect, you sacrifice whatever reassurances using a certificate authority may have for the convenience of doing everything yourself (Figure 4).
If you already used GPG, the process of adding a key to a PDF file is similar to any other use. To generate keys with GPG, run the command:
gpg --full-generate-key
GPG takes you through the five steps in creating keys: adding your name and email, creating a passphrase, choosing the algorithm, setting the key size, and assigning an expiration date. If you are unsure about some of the technical choices, you can always accept the defaults. As a last step, you should create a revocation certificate, which allows you to make the new key invalid if it is ever compromised, with the command:
gpg --armor --output revoke.asc --gen-revoke PUBLIC KEY ID
The key can be selected and details added on the Security tab of the PDF Options window.
Once the key is created, you can send out the public key with
gpg --output YOURNAME.gpg --export KEY-EMAIL
or as a protected plain text file with the format:
gpg --armor --output YOURNAME.gpg --export KEY-EMAIL
Again, the key can be selected and details added on the Security tab of the PDF Options window.
Recipients of the file can verify it is from you with:
gpg --fingerprint KEY-EMAIL
Then create a decrypted copy of the file with:
gpg --decrypt ENCRYPTED-FILE
The file’s text appears in the command line, and an unencrypted version of the file in the same directory as the encrypted file.
Whether you choose a certificate or a GPG key depends on your preferences and convenience. From a security viewpoint, one is generally as secure as another, except that different certificate authorities may default to different levels of encryption.
Choosing the Security Method
Neither passwords and permissions nor certificates and keys are entirely satisfactory on their own. Passwords and permissions have the advantage of controlling access in particular ways, but as security features, they are so weak that in many cases they are pointless.
By contrast, certificates and keys have strong security, but their access is all or nothing – you either have access to the PDF, or you don’t. However, their lack of choice is probably preferable in most cases to the lack of acceptable security with passwords and permissions.
next page » 1 2
Issue 268/2023
Buy this issue as a PDF
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
KDE Plasma 5.27 Beta is Ready for Testing
The latest beta iteration of the KDE Plasma desktop is now available and includes some important additions and fixes.
-
Netrunner OS 23 Is Now Available
The latest version of this Linux distribution is now based on Debian Bullseye and is ready for installation and finally hits the KDE 5.20 branch of the desktop.
-
New Linux Distribution Built for Gamers
With a Gnome desktop that offers different layouts and a custom kernel, PikaOS is a great option for gamers of all types.
-
System76 Beefs Up Popular Pangolin Laptop
The darling of open-source-powered laptops and desktops will soon drop a new AMD Ryzen 7-powered version of their popular Pangolin laptop.
-
Nobara Project Is a Modified Version of Fedora with User-Friendly Fixes
If you're looking for a version of Fedora that includes third-party and proprietary packages, look no further than the Nobara Project.
-
Gnome 44 Now Has a Release Date
Gnome 44 will be officially released on March 22, 2023.
-
Nitrux 2.6 Available with Kernel 6.1 and a Major Change
The developers of Nitrux have officially released version 2.6 of their Linux distribution with plenty of new features to excite users.
-
Vanilla OS Initial Release Is Now Available
A stock GNOME experience with on-demand immutability finally sees its first production release.
-
Critical Linux Vulnerability Found to Impact SMB Servers
A Linux vulnerability with a CVSS score of 10 has been found to affect SMB servers and can lead to remote code execution.
-
Linux Mint 21.1 Now Available with Plenty of Look and Feel Changes
Vera has arrived and although it is still using kernel 5.15, there are plenty of improvements sure to please everyone.