
How secure is your PDF handling? Exploring encryption features in PDF SDKs


PDFs have become a cornerstone of digital document sharing, offering compatibility across devices and operating systems. However, this convenience often comes with the challenge of ensuring sensitive information remains secure. This blog post will explore how Nutrient can help you implement robust encryption and other security features to safeguard your documents.

Why PDF security matters

Sensitive documents such as contracts, financial statements, and confidential reports are often shared in PDF format. Without adequate security measures, these files are vulnerable to unauthorized access, copying, or distribution. Nutrient offers a range of features to mitigate these risks, ensuring your files are shared safely.

Key PDF security features in PDF SDKs

1. Encryption and password protection

What is AES encryption?

The Advanced Encryption Standard (AES) is a symmetric encryption algorithm widely used to secure digital data. It’s known for its high security and efficiency, making it a standard choice for encrypting sensitive documents, including PDFs.

AES uses encryption keys of different lengths (128, 192, or 256 bits). The longer the key, the stronger the encryption. This ensures only individuals who hold the key can decrypt and access the content of your PDF documents.

When a PDF is encrypted with AES, it becomes unreadable to anyone who doesn’t have the proper decryption key. AES provides robust protection, making it ideal for confidential documents.

Nutrient’s AES encryption support

Nutrient supports AES encryption for PDF documents, ensuring only authorized users can access a document’s content. Specifically, it supports:

  • 128-bit AES encryption

  • 256-bit AES encryption

AES was introduced with PDF 1.6 and is the strongest encryption algorithm available for newer PDF versions. Nutrient allows AES encryption on iOS and Android platforms to protect sensitive PDF documents.

Password protection

Nutrient lets you add password protection to PDF documents on all platforms. This feature helps ensure only authorized users can open and interact with a PDF.

Combined security

When a password is set on a PDF, Nutrient automatically applies AES encryption, ensuring the document is protected and inaccessible to anyone who doesn’t know the password. By default, Nutrient uses the strongest available encryption algorithm to secure the document.

Combining AES encryption with password protection, Nutrient ensures your PDFs are well-secured across iOS, Android, and Web platforms.

For more detailed information on implementing these features, check out the following guides:

Nutrient’s approach of combining AES encryption with password protection makes it an excellent choice for developers looking to ensure robust security for PDF documents across multiple platforms. When a password is applied to a PDF, Nutrient automatically encrypts the PDF, safeguarding its contents.

2. Digital signatures

What are digital signatures?

While encryption protects the content of your PDFs, digital signatures authenticate documents and verify they haven’t been altered since they were signed. A digital signature provides proof of the identity of the signer and assures a document is genuine.

A digital signature uses a pair of cryptographic keys: a private key to sign a document, and a public key for verification. This ensures anyone receiving the document can verify it hasn’t been tampered with and that the signature is from a trusted source.

Adding a digital signature to your PDF guarantees the document’s integrity and authenticity. It’s essential for legal documents, contracts, and any situation where proving the origin of a document is critical.

Nutrient’s digital signatures support

In addition to encryption and password protection, Nutrient Web SDK provides support for digital signatures to further secure PDF documents. This feature allows users to sign PDFs digitally, ensuring document integrity and authenticity. The digital signature feature in the Web SDK includes capabilities such as:

  • Signing PDF documents — Users can apply digital signatures to PDFs, which can be verified and trusted.

  • Signatures using private keys — Digital signatures are created using private keys, ensuring the authenticity and integrity of a document.

Nutrient SDKs support digital signatures across the platforms outlined below.

  • Web-based platforms

  • Microsoft-specific platforms

  • Desktop and mobile platforms

  • Cross-platform

For the most up-to-date information on each platform’s capabilities, consult the respective platform-specific documentation on our website.

By integrating digital signatures, Nutrient ensures your PDFs are not only encrypted, but also validated and authenticated, making it an excellent choice for developers needing secure document handling across various platforms.

Combining AES encryption and digital signatures

Now that you understand both AES encryption and digital signatures, keep reading to find out why you might want to combine these two powerful security features.

AES encryption ensures your PDF content is secure and only accessible by authorized users. Meanwhile, a digital signature authenticates a document, confirming it hasn’t been altered. Together, these two methods provide comprehensive protection for your PDF documents — both securing the content and verifying the document’s authenticity.

Imagine you’re sending a confidential contract to a business partner. You can:

  1. Encrypt the document using AES so only the partner can open it.

  2. Sign the document digitally, ensuring they can verify that it was you who sent it and that it hasn’t been changed.
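The two steps of the contract scenario, worked through on raw bytes as an added example (not Nutrient's API and not PDF's own security handler). It assumes Node's built-in `crypto`, an Ed25519 signing key, and AES-256-GCM with a password-derived key; the function names and sample bytes are constructed for illustration. It shows why encryption alone does not prove origin: anyone who knows the password can produce a file that opens, but only the signer's key yields a valid signature.

```javascript
// Added example: sign-then-encrypt on raw document bytes with Node's crypto.
// ASSUMPTION: Ed25519 + AES-256-GCM + scrypt are illustrative choices.
const crypto = require("node:crypto");

// Sender: sign the bytes, then encrypt them under a password-derived 256-bit key.
function signAndEncrypt(docBytes, password, signerPrivateKey) {
  const signature = crypto.sign(null, docBytes, signerPrivateKey); // Ed25519
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(password, salt, 32);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(docBytes), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag(), signature };
}

// Recipient: decrypt with the password, then verify against the sender's public key.
function decryptAndVerify(envelope, password, signerPublicKey) {
  const key = crypto.scryptSync(password, envelope.salt, 32);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  let docBytes;
  try {
    docBytes = Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
  } catch {
    // Wrong password or modified ciphertext: the document does not open at all.
    return { opened: false, signatureValid: false, docBytes: null };
  }
  const signatureValid = crypto.verify(null, docBytes, signerPublicKey, envelope.signature);
  return { opened: true, signatureValid, docBytes };
}

// Constructed sample input and keys.
const sender = crypto.generateKeyPairSync("ed25519");
const impostor = crypto.generateKeyPairSync("ed25519");
const contract = Buffer.from("%PDF-1.7 constructed sample contract bytes");

const envelope = signAndEncrypt(contract, "shared-passphrase", sender.privateKey);
console.log(decryptAndVerify(envelope, "shared-passphrase", sender.publicKey).signatureValid);

// Someone who knows the password re-encrypts altered content with their own key:
// the file still opens, but the signature check against the real sender fails.
const forged = signAndEncrypt(Buffer.from("altered terms"), "shared-passphrase", impostor.privateKey);
console.log(decryptAndVerify(forged, "shared-passphrase", sender.publicKey));
```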

3. Redaction for sensitive information

Redaction ensures sensitive information is permanently removed from a document, which is critical in environments where confidentiality and privacy are paramount. Nutrient SDKs provide comprehensive redaction features across multiple platforms, allowing you to protect private data by removing it from PDF documents.

Key redaction features

  • Manual and automated redaction — Redact sensitive information manually or through programmatic methods.

  • Search and redact — Automatically identify and redact specific sensitive terms using search functionalities.

  • True redaction — Permanently remove content from PDFs, ensuring it cannot be retrieved later.

Nutrient SDKs support redaction across a wide range of platforms, including web-based frameworks (HTML5, React, Angular, Vue.js, etc.), Microsoft-specific platforms (ASP.NET, SharePoint, etc.), and mobile platforms (iOS, Android).

For more details on how to implement redaction in your project, refer to the platform-specific documentation on the Nutrient website.

Explore more in Nutrient’s introduction to redaction.

4. Adding watermarks

Watermarks serve as a visual deterrent against unauthorized sharing and help safeguard the confidentiality of documents. Nutrient SDKs offer robust watermarking features that allow you to:

  • Embed visible watermarks, such as a recipient’s name, email, or timestamp.

  • Apply invisible watermarks that are detectable only with digital forensic tools.

Watermarks can be programmatically added to every page of a document, ensuring consistent branding or confidentiality notices throughout. This is particularly useful for tracking or preventing unauthorized distribution of sensitive content.

Key watermarking features

  • Types of watermarks — Add text, images, barcodes, QR codes, and other elements.

  • Customizable placement — Apply watermarks to specific pages or page ranges (e.g. odd, even, portrait, landscape).

  • Appearance customization — Adjust color, opacity, size, and position.

  • Dynamic content — Include dynamic content like dates, times, and page numbers.

  • Multiple watermarks — Add multiple watermarks to the same page for layered security.

Platforms supporting watermarks

Nutrient SDKs support watermarking across a wide range of platforms, including web-based (HTML5, React, Angular, Vue.js, Next.js, Nuxt.js, and more), Microsoft-specific (ASP.NET, SharePoint, Teams, OneDrive), and mobile platforms (iOS and Android). You can also apply watermarks on desktop platforms like Windows (UWP) and via server-side solutions such as Document Converter Services and Power Automate.


Benefits of watermarking

  • Brand protection — Embed your brand’s name, logo, or identifiable marks to prevent unauthorized use.

  • Confidentiality — Add invisible watermarks that can only be detected through specialized tools, ensuring document integrity.

  • Tracking and compliance — Use dynamic watermarks to track document access or ensure compliance with privacy policies.

Each platform has its unique method of implementing watermarking. For detailed implementation instructions, refer to the specific documentation links above.

5. Server-backed security

Server-backed security is essential for protecting sensitive documents and data in environments where control over security is critical. Nutrient Document Engine provides enhanced security features that allow you to manage documents within your infrastructure while ensuring they’re kept safe. Below is a breakdown of the security features provided by Document Engine.

  1. Self-hosted deployment

Document Engine can be deployed on your own infrastructure, ensuring you have full control over your data. This self-hosted option allows you to secure your documents without relying on external servers. It also enables organizations to comply with strict data protection regulations and maintain privacy. Learn more about self-hosting in the Document Engine security guide.

  2. Authentication and authorization

Document Engine uses JSON Web Tokens (JWTs) for secure authentication. JWTs ensure only authorized users can access the documents stored within Document Engine. Additionally, you can configure detailed user permissions to control who can view, edit, or annotate the documents. This granularity ensures sensitive documents are only accessible by authorized personnel.

  3. API access and security

The Document Engine API is secured through API access tokens. These tokens are used to authenticate API requests, ensuring only authorized clients can interact with the system. The API access is fully configurable, allowing you to define and limit access to specific actions within the system.

  4. Encryption

Document Engine ensures all data is securely encrypted both at rest and in transit. This means documents are protected while being stored on your server, as well as during transmission between clients and the server. Document Engine uses industry-standard encryption protocols to safeguard sensitive information, minimizing the risk of unauthorized access.

  5. No external access

Document Engine ensures Nutrient has no access to your instance, documents, or annotations. This guarantees your data remains private and that no external entity can access your documents, ensuring full compliance with privacy and security regulations.

  6. Optional dashboard access

If your setup includes an optional dashboard for managing documents, this dashboard is secured using configurable credentials, ensuring only authorized users can access and manage your documents. The dashboard can be tailored to meet your organization’s specific security and user access requirements.

For more details on how to secure your documents and implement robust security measures with Document Engine, refer to the full Document Engine security guide.

6. Restricting downloads and printing

For documents that need to be viewed but not downloaded or printed, PDF SDKs, including Nutrient’s solutions, offer features to enforce these restrictions. By integrating these controls, you can:

  • Prevent users from saving local copies of documents.

  • Disable printing to avoid unauthorized distribution.

Read on to learn how you can implement these restrictions across various platforms.

  1. Web

Nutrient Web SDK provides options to restrict both downloading and printing. You can disable the export toolbar item to prevent downloads and use the JavaScript API to disable printing functionality.

Learn how to enable or disable permissions in the JavaScript viewer.

  2. iOS

Nutrient iOS SDK supports restricting printing. If the printing permission isn’t granted, the print activity will be removed from the available sharing options.

Learn more about configuring permissions in the iOS PDF viewer.

  3. Android

Nutrient Android SDK allows restricting printing through the PRINTING permission in the DocumentPermissions class. This helps prevent unauthorized printing of documents.

Explore the printing permission documentation.

  4. Nutrient Web SDK with Document Engine

When using Nutrient Web SDK with Document Engine, you can prevent both downloading and printing on client devices. This ensures documents cannot be saved or printed when accessed via the server-backed solution.

Learn more about document security using Nutrient Web SDK with Document Engine.

While these platforms support restricting downloads and printing, these restrictions cannot fully prevent determined users from circumventing them, especially in web environments. However, they provide a significant deterrent to unauthorized distribution.

7. View-only access

Enabling view-only access ensures users can open and view documents in a secure environment without the ability to modify or download them. Nutrient SDKs support view-only functionality across several platforms, allowing you to control how users interact with your documents.

The following sections detail how view-only access is implemented across different platforms.

  1. Web

Nutrient Web SDK supports view-only access using the PSPDFKit.ViewState#readOnly property. When this property is set, the viewer is locked to read-only mode. In this mode, the UI for creating, updating, and deleting annotations is hidden, and users cannot select or interact with annotations.

Learn more about customizing annotation permissions.

  2. SharePoint

Nutrient SharePoint SDK enables viewing PDF, Word, Excel, and PowerPoint documents directly in a web browser. Although “view-only” mode isn’t explicitly mentioned, the SDK emphasizes document viewing capabilities, indicating support for view-only access.

Explore the SharePoint document viewer library.

  3. OneDrive

Similar to SharePoint, Nutrient OneDrive SDK supports viewing PDF and Office documents directly in a web browser, implying view-only functionality.

Explore the OneDrive document viewer library.

  4. Microsoft Teams

Nutrient Teams SDK provides support for viewing PDF and Office documents within Microsoft Teams, suggesting view-only access is available in this environment as well.

Explore the MS Teams document viewer library.

  5. Document Engine

When using Web SDK with Document Engine, you can control user permissions via JWTs. By omitting the write permission from the JWT, you can enforce a read-only (view-only) mode for documents.

Learn more about document security using Nutrient Web SDK with Document Engine.
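One way a backend could issue and check a view-only token as described above, written as an added example rather than Nutrient's own code. The claim names (`document_id`, `permissions`), the permission strings, the RS256 algorithm and all function names are assumptions to confirm against the Document Engine guide; the key pair is generated inline for the demo.

```javascript
// Added example: issue and gate a view-only JWT with Node's built-in crypto.
// ASSUMPTION: claim names and permission strings are illustrative; confirm
// them in the Document Engine documentation before relying on them.
const crypto = require("node:crypto");

const b64url = (input) => Buffer.from(input).toString("base64url");

// Sign header.payload with RS256 (RSASSA-PKCS1-v1_5 over SHA-256).
function signJwt(claims, privateKey) {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString("base64url")}`;
}

// Check structure, pinned algorithm, signature and expiry; return the claims.
function verifyJwt(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, "base64url").toString());
  if (header.alg !== "RS256") throw new Error("unexpected alg"); // never trust the header's choice
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify("sha256", signed, publicKey, Buffer.from(sig, "base64url"))) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(body, "base64url").toString());
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  return claims;
}

// Short-lived token that grants reading only: "write" and "download" are omitted.
function issueViewOnlyToken(documentId, privateKey, ttlSeconds = 300) {
  const now = Math.floor(Date.now() / 1000);
  const claims = { document_id: documentId, permissions: ["read-document"], iat: now, exp: now + ttlSeconds };
  return signJwt(claims, privateKey);
}

// Release gate for tests or code review: true only if the token cannot modify or export.
function isViewOnly(claims) {
  const perms = Array.isArray(claims.permissions) ? claims.permissions : [];
  return perms.includes("read-document") && !perms.includes("write") && !perms.includes("download");
}

// Constructed demo key pair; in production the private key stays on the backend.
const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const token = issueViewOnlyToken("contract-123", privateKey);
console.log(isViewOnly(verifyJwt(token, publicKey)));
```

Because the permissions live in a signed token issued by your backend, a client cannot add `write` by editing the payload without invalidating the signature.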

By embedding a secure viewer in your application, you’ll both ensure sensitive content remains protected and maintain full control over how users interact with your documents.

Best practices for securing your PDFs

  1. Use strong passwords — Ensure your encryption password is complex and unique. Avoid using simple, guessable passwords for protecting PDFs.

  2. Enable multi-factor authentication (MFA) — For sensitive documents, combine PDF encryption with MFA for an additional layer of security.

  3. Monitor document usage — Some PDF SDKs offer analytics features to track who has accessed the document and when.

  4. Keep your SDK updated — Security vulnerabilities can be patched in newer versions of SDKs, so always use the latest version.

  5. Implement redaction — Regularly review and redact sensitive information in documents to avoid inadvertent exposure.

  6. Combine AES and digital signatures — For maximum security, always combine AES encryption with digital signatures. This ensures both document confidentiality and authenticity.

The importance of a layered approach to document security

By combining multiple security features like encryption, restricted access, watermarks, and redaction, you create a robust and layered defense against unauthorized access and data breaches. This approach ensures that even if one layer is compromised, additional measures remain in place to protect sensitive information.

Conclusion

With Nutrient’s powerful security tools, including AES encryption, password protection, digital signatures, redaction, and watermarking, you’ll ensure your PDFs are protected from unauthorized access and tampering.

To implement these robust security features in your project, contact our Sales team today for personalized support and guidance on integrating Nutrient into your workflow. With Nutrient, secure document handling has never been easier.

FAQ

Here are a few frequently asked questions about PDF encryption techniques.

What is AES encryption, and why is it important for PDFs?

Advanced Encryption Standard (AES) is a secure encryption method used to protect PDF content from unauthorized access, ensuring data confidentiality.

How can digital signatures enhance PDF security?

Digital signatures verify the authenticity of a PDF document, ensuring it hasn’t been altered and confirming the identity of the sender.

What is the purpose of password protection for PDFs?

Password protection restricts access to PDF documents, allowing only authorized users to open and interact with them.

How does redaction improve PDF security?

Redaction permanently removes sensitive information from PDFs, ensuring private data cannot be retrieved or exposed.

What role do watermarks play in securing PDF documents?

Watermarks deter unauthorized sharing by embedding visible or invisible identifiers, which reinforces document confidentiality.

Author
Hulya Masharipov, Technical Writer

Hulya is a frontend web developer and technical writer at Nutrient who enjoys creating responsive, scalable, and maintainable web experiences. She’s passionate about open source, web accessibility, cybersecurity privacy, and blockchain.
