As Microsoft’s Information Protection ecosystem expands, you’ve given us feedback to expand our support for more standard file types outside of Office document formats for labeling and protection scenarios. Today we’re announcing support for the ISO specification for PDF v1.7 for encryption needs. By conforming to the ISO specification, we now support a more robust native integration with PDF documents.
The PDF format has included an encryption standard since its initial specification. In 2008 ISO released a PDF document specification called PDF v1.7, which included several optimizations of the PDF document format. The PDF v1.7 specification focused on the following optimizations:
PDF v1.7 was a significant overhaul of the PDF document standard. Its encryption section added new specifications for implementing rights management and for supporting encryption algorithms. This section of the PDF v1.7 specification is referred to as PDF IRM v2.
The PDF IRM v2 specification covers encryption support in two key contexts:
Note: Password-protected encrypted documents cannot be re-encrypted with rights management functions.
The focus of this blog is the general protection for rights management. This part of the specification is technology agnostic: it gives security vendors who wish to encrypt content for rights management guidelines on how to correctly encrypt PDF documents.
Some of the main features of this PDF IRM v2 specification include:
With these benefits, customers can have a similar experience as they have with Office applications from a document protection context.
The PDF IRM v2 specification covers encryption capabilities and does not call out labeling standards. But PDF documents can be classified and labeled, and the label metadata gets embedded within the PDF document, whether it’s encrypted or not. The additional benefit of conforming to the encryption standard is that the label metadata is not encrypted even when the actual content payload is encrypted. This allows solutions like Data Loss Prevention (DLP) to read the label classification without needing to decrypt the content. We’ve added controls to protect against label tampering by embedding the LabelID within the document Publishing License. The benefit of this is that when a document’s label properties change to a malformed value, the original label information is still retained.
Given the capabilities of the new standard and the fidelity of the user experience, the older protected PDF format (*.PPDF) will be deprecated. We will have older PDF readers that will support the older format, but we will also provide migration tools to help customers migrate to the new PDF format.
Before starting the conversion process, administrators need to enable PDF IRM v2 support in the Azure Information Protection administration portal - follow the instructions provided here.
Now that you’ve enabled the default protection to be PDF IRMv2, let’s look at the client side. The Azure Information Protection client comes bundled with PowerShell cmdlets. We have augmented the existing labeling cmdlets to be PDF IRMv2 aware. To run these commands on all the files in a file share, we recommend that you create a PowerShell script that wraps these commands.
The commands that enable labeling and protection for the new PDF format include:
Get-AIPFileStatus -Path \\Finance\Projectx\hello.ppdf
FileName : \\Finance\Projectx\hello.ppdf
IsLabeled : True
MainLabelId : 074e257c-1234-1234-1234-34a182080e71
MainLabelName : Confidential
SubLabelId : d9f23ae3-1234-1234-1234-f515f824c57b
SubLabelName : Finance group
LabelingSiteId : 72f988bf-1234-1234-1234-2d7cd011db47
Owner : John@Contoso.com
LabelingMethod : Manual
LabelDate : 12/12/2016 12:24:36 PM
IsRMSProtected : True
RMSTemplateId : e6ee2481-1234-1234-1234-f744eacd53b0
RMSTemplateName : Contoso - Confidential Finance
RMSIssuedTime : 5/6/2018 9:15:03 AM
RMSOwner : John@Contoso.com
RMSIssuer : John@Contoso.com
Set-AIPFileLabel \\Finance\Projectx\hello.ppdf -RemoveLabel
Set-AIPFileLabel \\Finance\Projectx\hello.pdf -LabelId d9f23ae3-1234-1234-1234-f515f824c57b
Recommendation: Execute the operation on a sample set of files before exercising the commands on a larger file share.
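A wrapper script of the kind recommended above, written as an added example (it is not code from the original post or from Microsoft). It assumes the AIP client cmdlets shown above are installed and that removing the label from X.ppdf leaves an unprotected X.pdf beside it, as the command sequence above implies; the `-Root`, `-LogPath` and `-Apply` parameters and the log file name are hypothetical.

```powershell
# Added example: migrate labeled .ppdf files on a share to the new PDF format.
# Without -Apply the script only reports what it would do (dry run).
param(
    [Parameter(Mandatory)][string]$Root,          # e.g. \\Finance\Projectx
    [string]$LogPath = '.\ppdf-migration.csv',    # hypothetical log file name
    [switch]$Apply
)

$results = foreach ($file in Get-ChildItem -Path $Root -Filter *.ppdf -Recurse -File) {
    $status  = Get-AIPFileStatus -Path $file.FullName
    # Re-apply the most specific label: the sub-label when present, else the main label.
    $labelId = if ($status.SubLabelId) { $status.SubLabelId } else { $status.MainLabelId }
    $newPath = [System.IO.Path]::ChangeExtension($file.FullName, '.pdf')
    $outcome = 'DryRun'

    if (-not $status.IsLabeled -or -not $labelId) {
        $outcome = 'Skipped: no label to re-apply'
    }
    elseif (Test-Path -LiteralPath $newPath) {
        $outcome = 'Skipped: target .pdf already exists'
    }
    elseif ($Apply) {
        try {
            # Step 1: remove the label (and its protection) from the old-format file.
            Set-AIPFileLabel -Path $file.FullName -RemoveLabel -ErrorAction Stop | Out-Null
            if (-not (Test-Path -LiteralPath $newPath)) {
                throw 'unlabeled .pdf not found after -RemoveLabel'
            }
            # Step 2: re-apply the original label, which protects in the new format.
            Set-AIPFileLabel -Path $newPath -LabelId $labelId -ErrorAction Stop | Out-Null
            # Step 3: verify, so a file left in plaintext on the share is never silent.
            $after   = Get-AIPFileStatus -Path $newPath
            $outcome = if ($after.IsRMSProtected) { 'Migrated' } else { 'UNPROTECTED: relabel did not protect' }
        }
        catch {
            $outcome = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Source = $file.FullName; Target = $newPath; LabelId = $labelId; Outcome = $outcome
    }
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Outcome | Select-Object Count, Name
```

Between steps 1 and 2 the content sits unprotected on the share, so review every row whose outcome is not `Migrated` or `Skipped` before moving on to the next folder.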
We are working with many product teams to enable this capability. The Microsoft Information Protection SDK fully supports PDF IRMv2 format and we make it really easy. Expect more details soon.
The supported readers for PDF documents will be provided early October and will continue to get updated as more vendors adopt the Microsoft Information Protection SDK.