PDF Encryption
PDF encryption enables secure delivery of confidential messages as password-protected PDFs — even to recipients without certificates, keys, or portal access.
PDF Encryption — Overview
PDF encryption is the fourth option for secure email communication in Conbool — alongside S/MIME, PGP, and the Message Portal. It is specifically designed for recipients who:
- Have no S/MIME certificates or PGP keys.
- Are not allowed to click links in emails (e.g., German government agencies following BSI baseline protection).
- Cannot or do not want to use portal access.
The message content is delivered as an AES-256 encrypted PDF. Attachments are embedded directly in the PDF. The recipient only needs a PDF reader and the agreed-upon password.
How Does PDF Encryption Work?
- Sender sends an email as usual via Outlook or any other email client.
- Conbool detects via routing rules (or a subject line command) that PDF encryption is enabled.
- Conbool checks the fallback chain: S/MIME → PGP → PDF Encryption → Message Portal. PDF applies when no certificate or key is available.
- The email content is rendered as a PDF, including sender, recipient, subject, date, and message text.
- Attachments are embedded in the PDF and accessible via the attachment function of the PDF reader.
- The PDF is encrypted with AES-256 (via qpdf) and attached to a notification email.
- The recipient opens the PDF with the agreed-upon password.
Two Modes
Mode A: Pre-shared (Fixed Password)
Ideal for fixed communication partners such as government agencies:
- The administrator sets a password in the routing rule.
- The password is shared with the recipient once by phone or letter.
- All emails to this recipient are automatically encrypted with the same password.
- No link click required — the recipient only needs their PDF password.
Mode B: Self-Service
Ideal for companies and external partners:
- On first delivery, the recipient receives an invitation to the Conbool portal.
- The recipient sets their own password there.
- From that point, all messages are automatically encrypted with their password.
- Pending messages are delivered after the password is set.
- The recipient can change their password at any time in the Self-Service area.
Security Features
Encryption
- AES-256 — the same algorithm used by banks and governments.
- Encryption is performed by qpdf, a proven open-source tool.
- The PDF is completely unreadable without the password — neither content nor attachments are accessible.
Attachments
- Original attachments are embedded directly in the encrypted PDF.
- The recipient finds them in the PDF reader under the paperclip icon (Attachments).
- Inline images (e.g., signature logos) are filtered out and not embedded.
- One document, one password — no separate ZIP files needed.
Password Management
| Aspect | Pre-shared | Self-Service |
|---|---|---|
| Password choice | Admin sets/generates | Recipient chooses |
| Delivery | Phone/letter | Via portal registration |
| Change | Admin in routing settings | Recipient in Self-Service |
| Forgotten | Admin shares again | Recipient resets in portal |
| Security | Same for all mails | Individual per recipient |
Fallback Chain
PDF encryption is part of the automatic fallback chain:
| Priority | Method | Condition |
|---|---|---|
| 1 | S/MIME | Recipient has an S/MIME certificate |
| 2 | PGP | Recipient has a PGP key |
| 3 | PDF Encryption | No certificate/key, PDF encryption enabled in route |
| 4 | Message Portal | Last fallback option |
The administrator can enable any number of methods per route. Conbool automatically selects the best available method.
Portal Compose Override
Internal senders can manually override the delivery method when composing a message in the portal:
- A dropdown appears in the compose area: "Via message portal" or "As encrypted PDF".
- When "As encrypted PDF" is selected, S/MIME and PGP are skipped.
- If the recipient has a Self-Service password, the PDF is encrypted immediately.
- If not, the message is queued and an invitation is sent.
Note: The override is only available for internal senders (sender domain = managed domain).
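The fallback chain and the portal compose override can be modelled as one decision function. The following is an added example, not Conbool's code: the `Route` and `Recipient` classes, the action names, and the handling of a route with no usable method are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

CHAIN = ("smime", "pgp", "pdf", "portal")   # fallback order as stated on the page

@dataclass
class Route:                                # hypothetical model of a routing rule
    enabled: frozenset                      # methods the admin enabled on this route
    pdf_mode: str = "self_service"          # "pre_shared" or "self_service"
    pre_shared_password: Optional[str] = None

@dataclass
class Recipient:                            # hypothetical model of recipient state
    has_smime_cert: bool = False
    has_pgp_key: bool = False
    self_service_password: Optional[str] = None

def pdf_action(route, rcpt):
    """Resolve the PDF step: encrypt now, or queue the message and invite."""
    if route.pdf_mode == "pre_shared":
        return ("pdf", route.pre_shared_password)
    if rcpt.self_service_password:
        return ("pdf", rcpt.self_service_password)
    return ("queue_and_invite", None)

def select_delivery(route, rcpt, sender_domain, managed_domains, force_pdf=False):
    """Return (action, pdf_password) for one outbound message."""
    # The override exists only for internal senders; in this model a request
    # from any other sender is ignored (assumption).
    if force_pdf and sender_domain in managed_domains:
        return pdf_action(route, rcpt)      # S/MIME and PGP are skipped
    available = {"smime": rcpt.has_smime_cert, "pgp": rcpt.has_pgp_key,
                 "pdf": True, "portal": True}
    for method in CHAIN:
        if method in route.enabled and available[method]:
            return pdf_action(route, rcpt) if method == "pdf" else (method, None)
    return ("no_method", None)              # assumption: not covered by the page

if __name__ == "__main__":
    # Constructed sample: agency route with a fixed password, recipient without keys.
    agency = Route(frozenset({"smime", "pgp", "pdf"}), "pre_shared", "example-pw")
    print(select_delivery(agency, Recipient(), "corp.example", {"corp.example"}))
```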
Reply Function
The reply option depends on the mode:
| Mode | Reply |
|---|---|
| Pre-shared | Recipient replies via normal email (TLS). This is industry standard — no provider offers encrypted replies without a link click. |
| Self-Service | Recipient has portal access and can reply encrypted via the Message Portal. |
Configuration
Prerequisites
- SecureMail module must be active.
- PDF encryption must be enabled in the portal settings.
Activation
- Navigate to Settings → Portal Settings.
- Enable the "Enable PDF password encryption" toggle.
- The PDF option now appears in routing and command configurations.
Creating a Routing Rule
- Navigate to SecureMail → Routing.
- Create a new route or edit an existing one.
- In the Protocol step, enable "PDF Password".
- In the configuration step, select the mode:
  - Pre-shared: Enter a password or click "Generate".
  - Self-Service: No further configuration needed.
- Save the route.
Subject Line Command
Alternatively, PDF encryption can be triggered via a subject line command:
- Navigate to SecureMail → Commands.
- Create a new command with the desired keyword.
- Enable "PDF Password" as the protocol.
- Configure the mode as with the routing rule.
Self-Service for Recipients
Recipients with Self-Service access manage their PDF password under Settings → PDF Password:
- Set password: On first visit (after accepting invitation).
- View password: See existing password (reveal button).
- Change password: Set a new password (old one not required).
- Password strength: Minimum 8 characters with 3 of 4 categories (uppercase, lowercase, digits, special characters).
Note: Already delivered PDFs keep their previous password. Only future messages will use the new password.
Queue
When a Self-Service recipient has not yet set a password:
- The message is stored in a secure queue (dedicated storage bucket).
- The recipient receives an invitation email for password registration.
- After setting the password, all pending messages are automatically delivered as PDFs.
- Queue entries expire after 30 days.
Comparison with Competitors
| Feature | Conbool | NoSpamProxy | SEPPmail |
|---|---|---|---|
| PDF Encryption | AES-256 (qpdf) | PDF Mail | GINA Technology |
| Attachments in PDF | Embedded | Embedded | HTML container |
| Self-Service | Portal registration | Web portal | GINA Self-Service |
| Pre-shared Password | ✅ (Conbool exclusive) | ❌ | ❌ |
| SMS Password | Planned | ✅ | ✅ |
| Portal Override | ✅ | Outlook Add-in | ❌ |
| Reply Function | Via portal (Self-Service) | Via web portal | Via GINA portal |