Making PDFs More Secure in LibreOffice Writer
LO Writer – PDF Security
Depending on your needs, LibreOffice Writer offers varying degrees of security for PDFs.
PDFs date from a less security-conscious era than our own. However, over the years, the PDF format has added security features. Today, if you need security, you have two choices: passwords and permissions for casual security of digital certificates or GNU Privacy Guard (GPG) keys for serious encryption. Both are available from tabs on LibreOffice's PDF Options window when exporting to PDF.
Passwords and Permissions
PDFs have their own system of passwords and permissions, which are available from File | Export As | Export As PDF… | PDF Options | Security (Figure 1). To set them up, begin by entering a password to open the exported file, and a second one to alter the permissions (in other words, how the files can be used). After the second password is entered, three kinds of permissions are available: Printing, Changes, and Contents. Together, options can be as strict as allowing a user only to view the file, as loose as allowing any user to alter the file at will, or something in-between.
Dating from a less security-conscious era, the reasons for these restrictions may seem arbitrary today. For example, why restrict printing to 150dpi, a resolution that is low, but still allows printed pages to be scanned and enhanced? The inability to print in high resolution seems trivial compared to the ability to print at all. Similarly, the combinations of allowable changes seem inconvenient. For instance, while you may not want users to fill in forms, why is there no way to allow comments on forms alone?
In fact, before setting permissions on a PDF file, you might ask if doing so is worth the effort. Over the years, PDFs have been notorious for security weaknesses; unsurprisingly, numerous ways to bypass a password are available. On Windows, proprietary applications like PDFelement or iSumsoft PDF Password Refixer are available for downloading. On Linux, PDFCrack does dictionary-supported brute force attacks to open a password-protected PDF. Easier still, Ghostscript can bypass the password:
gs -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=[unencrypted.pdf] -c .setpdfwrite -f [encrypted.pdf]
And these are just the available tools I found in a five minute search. Undoubtedly, other tools are available, no matter what operating system you use. Moreover, once the file is opened, of course, all the carefully set permissions can be altered without any problem.
PDF permissions can be classified as a subset of security through obscurity – the practice of not mentioning security risks and hoping no one notices, which is widely condemned by security experts. Better yet, PDF permissions could be described as security through ignorance, working only so long as users have no idea how wide-open they are to anyone who can do a web search. All they are really useful for is controlling unsophisticated users' behavior. Anyone who really wants to bypass the password and the permissions will find a way to do so.
Digital Certificates and GPG
Two secure alternatives to permissions are available from File | Export As | Export As PDF… | PDF Options | Digital Signatures (Figure 2). These alternatives do not allow you to fine-tune how a PDF file can be used or edited, but they do provide stronger security than permissions. In addition, they guarantee that a sent file is actually from you.
These alternatives are to obtain a digital certificate from a certificate authority or to generate personal keys yourself. Certificates and keys are simply alternative names for the same tool: a passphrase-protected system of encryption. They both consist of a private certificate or key and a public one that the recipient must be sent in order to read the files you send. As the originator, you can use the certificate or key to read your own encrypted files.
Digital certificates are probably best-known in corporate circles. They require interacting with a certificate authority, whose reputation presumably adds weight to the authenticity of the certificate you receive from it. The exact details of using a certificate vary with the certificate authority, your browser, and your version of LibreOffice, but here is a summary of the general steps:
Sign into a free-cost certificate authority site like the Linux Foundation's Let's Encrypt [1] (Figure 3) and follow the steps to generate a certificate.
Figure 3: Let's Encrypt provides free certificates.- Locate the certificate in your web browser's preferences or set up and make it available for files.
- Depending on the version of LibreOffice, you may need to make Writer aware of the certificate using File | Digital Signature | Digital Signatures…, and then restart Writer.
- Add the certificate to the PDF file using File | Export As | Export As PDF … | PDF Options | Digital Signatures, and fill out the required information. Alternatively, use File | Digital Signature to add a certificate to an already generated PDF.
However, using a digital signature can be an involved process. Despite the name, in recent versions of Writer, the Digital Signatures tab also recognizes keys created using a variant of Pretty Good Privacy (PGP), such as GPG. By using GPG, in effect, you sacrifice whatever reassurances using a certificate authority may have for the convenience of doing everything yourself (Figure 4).
If you already used GPG, the process of adding a key to a PDF file is similar to any other use. To generate keys with GPG, run the command:
gpg --full-generate-key
GPG takes you through the five steps in creating keys: adding your name and email, creating a passphrase, choosing the algorithm, setting the key size, and assigning an expiration date. If you are unsure about some of the technical choices, you can always accept the defaults. As a last step, you should create a revocation certificate, which allows you to make the new key invalid if it is ever compromised, with the command:
gpg --armor --output revoke.asc --gen-revoke PUBLIC KEY ID
The key can be selected and details added on the Security tab of the PDF Options window. Once the key is created, you can send out the public key with
gpg --output YOURNAME.gpg --export KEY-EMAIL
or as a protected plain text file with the format:
gpg --armor --output YOURNAME.gpg --export KEY-EMAIL
Again, the key can be selected and details added on the Security tab of the PDF Options window. Recipients of the file can verify it is from you with:
gpg --fingerprint KEY-EMAIL
Then create a decrypted copy of the file with:
gpg --decrypt ENCRYPTED-FILE
The file's text appears in the command line, and an unencrypted version of the file in the same directory as the encrypted file.
Whether you choose a certificate or a GPG key depends on your preferences and convenience. From a security viewpoint, one is generally as secure as another, except that different certificate authorities may default to different levels of encryption.
Choosing the Security Method
Neither passwords and permissions nor certificates and keys are entirely satisfactory on their own. Passwords and permissions have the advantage of controlling access in particular ways, but as security features, they are so weak that in many cases they are pointless.
By contrast, certificates and keys have strong security, but their access is all or nothing – you either have access to the PDF, or you don't. However, their lack of choice is probably preferable in most cases to the lack of acceptable security with passwords and permissions.
Infos
- Let's Encrypt: https://letsencrypt.org/
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.
-
New KDE Slimbook Plasma Available for Preorder
Powered by an AMD Ryzen CPU, the latest KDE Slimbook laptop is powerful enough for local AI tasks.
-
Rhino Linux Announces Latest "Quick Update"
If you prefer your Linux distribution to be of the rolling type, Rhino Linux delivers a beautiful and reliable experience.
-
Plasma Desktop Will Soon Ask for Donations
The next iteration of Plasma has reached the soft feature freeze for the 6.2 version and includes a feature that could be divisive.
-
Linux Market Share Hits New High
For the first time, the Linux market share has reached a new high for desktops, and the trend looks like it will continue.
-
LibreOffice 24.8 Delivers New Features
LibreOffice is often considered the de facto standard office suite for the Linux operating system.
-
Deepin 23 Offers Wayland Support and New AI Tool
Deepin has been considered one of the most beautiful desktop operating systems for a long time and the arrival of version 23 has bolstered that reputation.