As Microsoft’s Information Protection ecosystem expands, you’ve given us feedback to expand our support for more standard file types outside of Office document formats for labeling and protection scenarios. Today we’re announcing support for the ISO specification for PDF v1.7 for encryption needs. By conforming to the ISO specification, we now support a more robust native integration with PDF documents.
What is this new PDF encryption standard?
PDF documents have always had an encryption standard since the initial specification of PDF documents. In 2008 ISO released a PDF document specification called PDF v1.7, which included several optimizations of the PDF document format. The PDF v1.7 specification focused on the following optimizations:
Preservation of PDF document fidelity across devices
Merging content from diverse sources (web sites, Office documents, photos, scanned documents and graphics) while maintaining the integrity of the original formats
Support for digital signatures
Extraction and reuse of content to use with other file formats
PDF v1.7 was a significant overhaul of the PDF document standard. Within its encryption section were new specifications on how to implement rights management and which encryption algorithms are supported. This part of the PDF v1.7 specification is referred to as PDF IRM v2.
What are some of the capabilities that PDF IRM v2 support enables?
The PDF IRM v2 specification covers encryption support in two key contexts:
Password protected encryption
General encryption support for rights management capabilities
Note: Password Protected encrypted documents cannot be re-encrypted with rights management functions
The focus of this blog is the general protection for rights management. The specification is technology agnostic: it gives security vendors who wish to encrypt content for rights management guidelines on how to correctly encrypt PDF documents.
Some of the main features of this PDF IRM v2 specification include:
Native integration of rights management capabilities within the PDF document
Ability to encrypt just the content payload and not the meta-data associated with the document
The extension of the PDF document does not change – only PDF readers and composing applications that are enlightened to enforce the rights are aware of how to open the document
Support for advanced encryption algorithms such as AES-256
With these benefits, customers can have a similar experience as they have with Office applications from a document protection context.
What about data sensitivity labels?
The PDF IRM v2 specification covers encryption capabilities and does not call out labeling standards. But PDF documents can be classified and labeled, and the label meta-data gets embedded within the PDF document, whether it’s encrypted or not. The additional benefit of conforming to the encryption standard is that the label meta-data is not encrypted even when the actual content payload is encrypted. This allows for solutions like Data Loss Prevention (DLP) to be able to read the label classification and not have the need to decrypt the content. We’ve added controls to protect against label tampering by embedding the LabelID within the document Publishing License. The benefit of this is that when a document’s label properties change to a malformed value, the original label information is still retained.
Example of an enlightened application opening a PDF document protected with Microsoft Information Protection solutions
What is happening to the older PDF protection format supported by Azure Information Protection capabilities (formerly Azure RMS)?
Given the capabilities of the new standard and the fidelity of the user experience, the older protected PDF format (*.PPDF) will be deprecated. Older PDF readers will continue to support the older format, and we will also provide migration tools to help customers move to the new PDF format.
How to convert to the new PDF format
Before starting the conversion process, administrators need to enable PDF IRM v2 support in the Azure Information Protection administration portal - follow the instructions provided here.
Now that you’ve enabled the default protection to be PDF IRMv2, let’s look at the client side. The Azure Information Protection client comes bundled with PowerShell cmdlets. We have augmented the existing labeling cmdlets to be PDF IRMv2 aware. To run these commands on all the files in a file share, we recommend that you create a PowerShell script that wraps these commands.
The commands that enable labeling and protection for the new PDF format include:
Using the command below, the user can get information about the PDF document and the label and protection applied
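As an added illustration of the wrapper script recommended above (this is not code from the original post or from the AIP client), the following PowerShell enumerates the PDFs on a share, reports each file's label and protection status, and labels the ones that are not yet labeled. It assumes the AzureInformationProtection module that ships with the AIP client; the cmdlet names Get-AIPFileStatus and Set-AIPFileLabel and the output property names used below are taken from that module as I know it, not from the page, and the share path and label GUID are placeholders you supply.

```powershell
# Added example: inventory PDFs on a share and label those not yet labeled.
# Assumes the AzureInformationProtection module (cmdlets and output property
# names below are from that module as I know it; none are quoted from the page).
param(
    [Parameter(Mandatory)] [string] $SharePath,   # e.g. \\fileserver\finance (placeholder)
    [Parameter(Mandatory)] [guid]   $LabelId,     # label GUID from the AIP portal (placeholder)
    [switch] $WhatIf                              # report only, change nothing
)

Import-Module AzureInformationProtection -ErrorAction Stop

$report = foreach ($file in Get-ChildItem -Path $SharePath -Recurse -File -Include *.pdf, *.ppdf) {
    try {
        $status = Get-AIPFileStatus -Path $file.FullName -ErrorAction Stop
    } catch {
        # Unreadable or malformed file: record it and move on rather than abort the run
        [pscustomobject]@{ File = $file.FullName; Labeled = $null; Label = $null;
                           Protected = $null; Action = "status-failed: $($_.Exception.Message)" }
        continue
    }
    $action = 'none'
    if ($file.Extension -ieq '.ppdf') {
        # Legacy protected format: leave it for the migration tooling, just flag it
        $action = 'legacy-ppdf'
    } elseif (-not $status.IsLabeled) {
        if ($WhatIf) {
            $action = 'would-label'
        } else {
            try {
                Set-AIPFileLabel -Path $file.FullName -LabelId $LabelId -ErrorAction Stop | Out-Null
                $action = 'labeled'
            } catch {
                # e.g. a password-protected PDF cannot be re-encrypted for rights management
                $action = "label-failed: $($_.Exception.Message)"
            }
        }
    }
    [pscustomobject]@{
        File      = $file.FullName
        Labeled   = $status.IsLabeled
        Label     = $status.MainLabelName
        Protected = $status.IsRMSProtected
        Action    = $action
    }
}

# Keep a CSV record of what was found and changed, then show it on screen
$report | Export-Csv -Path (Join-Path $env:TEMP 'aip-pdf-report.csv') -NoTypeInformation
$report | Format-Table -AutoSize
```

Run it first with -WhatIf to review the report before any label is applied.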