PDF Messenger

Using S/MIME or PGP requires both the sender and the recipient to have a valid certificate or key. While installing a certificate and private key can be straightforward—especially with a gateway that includes its own certificate authority—many recipients still find obtaining a certificate and configuring their mail client too complex.

PDF encryption provides a simpler alternative. The entire email, including all attachments, is converted into a password-protected PDF and sent to the recipient. The recipient opens the message with any standard PDF reader and unlocks it using the provided password. This approach delivers secure email without requiring the recipient to install certificates or change their email client.

PDF encryption features

  • The PDF is encrypted with AES128.

  • Attachments are embedded within the encrypted PDF.

  • The recipient can reply by clicking the reply button.

  • Full Unicode support.

  • The original email can be attached as an .eml file (Pro/Ent only).

  • HTML email is supported, including embedded images (Pro/Ent only).

  • The PDF template is fully configurable (Pro/Ent only).

Recipients receive a standardized email with the encrypted PDF attached. The content and appearance of this email—such as the subject, body text, instructions, and any help links—are controlled by a configurable template that your administrator can customize to match your organization’s branding and language.

Example PDF OTP encrypted email from Gmail inbox:

[Image: Encrypted email]

The PDF includes the full content of the original email along with all attachments. Open the PDF in your preferred reader to view the message; attachments are available from the attachments or paperclip panel within most PDF viewers.

Example Encrypted PDF after decryption:

[Image: Encrypted PDF]

Password modes

PDF Messenger secures a message by converting it (and its attachments) into a password-protected PDF that the recipient can open with any standard PDF reader. The password can be a fixed value you define in advance or a password that is generated automatically for each message or recipient, depending on your organization’s policy. Generated passwords are typically delivered to the recipient through a separate channel (for example, an SMS), while fixed passwords are shared ahead of time.

The following password modes are supported:

  • Use a pre-defined static password.

  • Randomly generate a password. The password will be sent back to the sender of the message.

  • Randomly generate a password. The password will then be sent by SMS Text to the recipient.

  • Generate a one time password (OTP).

  • Sender specified password.

Static password mode

In static password mode, each encrypted PDF is protected with a fixed, pre-set password. An administrator can assign a unique password to an individual recipient or apply a shared password to all recipients within a specific domain.

Send Generated Password Back to Sender

If you enable Generate password to originator, the system will create a secure password and send it to the email’s sender. The sender is then responsible for sharing the password with the recipients using a secure method.

Send password by SMS Text

In Send password by SMS Text mode, a unique password for the PDF is generated and sent to the recipient by SMS. For this to work, the SMS gateway must be correctly configured, a user account must exist for the recipient’s email address, and the recipient’s mobile number must be saved in that user’s settings. Alternatively, if your system allows adding a phone number to the email subject, the mobile number can be taken from the subject line.

One time password (OTP)

When enabled, the PDF will be protected with a password generated by a one-time password (OTP) algorithm. The recipient can retrieve this password by signing in to the portal or by using the PDF Authenticator app. Using OTP mode requires that the portal is properly configured.

Sender specified password

Subject Password Trigger allows you to set a password directly in the email subject line. The system extracts this password and uses it to apply PDF encryption to the email content. To protect your information, an administrator can enforce a password policy that requires strong passwords. If the password in the subject line does not meet the policy, the email will not be sent and you will receive a notification with instructions to choose a stronger password.

Portal

The CipherMail Gateway includes a secure web portal that recipients use to interact with encrypted PDFs. This portal serves two purposes: it lets recipients send a secure reply to an encrypted PDF, and it provides a secure way to obtain the one-time password (OTP) needed to open a PDF when OTP mode is used. Before recipients can reply from a PDF or retrieve OTP passwords, an administrator must configure the portal. Until the portal is set up, the reply button in the PDF will not work and recipients will not be able to obtain OTP passwords.

After configuration:

  • Recipients can click the Reply button in the PDF to open the portal, compose a response, and send it securely back to the sender.

  • In OTP mode, recipients can follow the link in the notification email to the portal, complete any required verification, and retrieve the password needed to open the encrypted PDF.

Configure PDF encryption

This section explains how to set up PDF encryption using one of the supported password protection modes.

PDF encryption is enabled only when all of the following requirements are met:

  • “PDF Enabled” is set for the sender and recipient (Settings ‣ PDF ‣ PDF Encryption Enabled).

  • Encryption is enabled, for example because encrypt mode is set to Allow or Mandatory, or because encryption is triggered.

Static password mode

This section describes how to set up PDF encryption using static passwords. To enable static password mode, follow these steps:

  • Set a static PDF password

  • Edit PDF encryption template

Set a static PDF password

Create a new user for the external recipient (Users ‣ Actions ‣ Add User). After creating the user, set a password for the account.

Edit PDF encryption template

An encrypted PDF is attached to a new email that uses the Encrypted PDF template. You can edit this template by going to Settings ‣ Templates ‣ Encrypted PDF Mail Template Static Password Mode.

Send Generated Password Back to Sender mode

When Send Generated Password Back to Sender mode is enabled, the system automatically generates a PDF password and returns it to the original sender. To enable Generate password to originator mode, follow these steps:

  • Enable “Send Generated Password Back to Sender”

  • Set password generated length

  • Edit PDF encryption template

Enable Send Generated Password Back to Sender

In Global Settings, turn on the PDF option “Send Generated Password Back to Sender” (Settings ‣ PDF ‣ Send Generated Password Back to Sender).

Hint

Generated passwords are emailed to the person who initiated the request. To customize this email, edit the “Password notification template” (Settings ‣ Templates ‣ Passwords Notification Template).

Set password Generated length

By default, passwords are generated with a length of 16 bytes (128 bits). You can change this in the Advanced settings by adjusting the Generated length option.

Caution

Use a long password to make it significantly harder for attackers to guess it using automated attempts.

Edit PDF encryption template

An encrypted PDF is attached to a new email that uses the Encrypted PDF template. You can edit this template on the Templates page under Settings ‣ Templates ‣ Encrypted PDF Mail Template Static Password Mode.

Send Password by SMS mode

With the “Send password by SMS” mode, the system automatically creates a password for the PDF and sends it by text message to the recipient’s registered phone number. This option requires that the SMS gateway is correctly configured.

To enable SMS mode, the following steps are required:

  • Allow sending SMS

  • Allow receiving SMS

  • Set recipients mobile number

  • Set password generated length

  • Edit PDF encryption template

Allow sending SMS

By default, senders cannot send SMS text messages. To enable SMS, select Send SMS for the sender (Settings ‣ SMS ‣ SMS Send Enabled).

Set recipients phone number

The system sends the generated password to the recipient by SMS. To enable this, make sure the recipient has a user account and that their SMS phone number is entered (Settings ‣ SMS ‣ Settings ‣ SMS Phone Number). The phone number must be in international format, starting with the country code (for example, +44…).

Note

You can include the recipient’s phone number in the email subject line instead of entering it in the mobile number field. See Settings ‣ SMS ‣ Settings ‣ SMS Phone Number Set Enabled.

Set password Generated length

By default, passwords are generated with a length of 16 bytes (128 bits). You can change this in the Advanced settings by adjusting the Generated length option.

Caution

Use a long password to make it significantly harder for attackers to guess it using automated attempts.

Edit PDF encryption template

An encrypted PDF is attached to a new email that uses the Encrypted PDF template. You can edit this template on the Templates page under Settings ‣ Templates ‣ Encrypted PDF Mail Template SMS Password Mode.

One Time Password (OTP)

One-Time Password (OTP) mode generates a unique password for each PDF using an industry-standard OTP algorithm. Each password is calculated from two pieces of information: the recipient’s Client Secret (a secret key known only to you and the intended recipient) and the email’s Password ID (a unique identifier assigned to each email/PDF). Because the Password ID is different for every email, the resulting password is different for every PDF, even when sent to the same recipient. This approach improves security by ensuring that passwords are not reused and do not need to be manually created or shared in advance.

Recipients can generate the PDF password using their Client Secret and the Password ID. They have two options: sign in to the portal to generate the password, or use the CipherMail Authenticator app (iOS and Android). For instructions on configuring the portal, see the portal section.
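The derivation described above, as an added sketch that is not CipherMail's code: the page does not name the OTP algorithm, so HMAC-SHA256 keyed with the Client Secret over the Password ID is an assumption, as are the function names, the base32 encoding and the sample Password IDs.

```python
import base64
import hashlib
import hmac
import secrets


def new_client_secret(num_bytes: int = 16) -> str:
    """Create a random per-recipient secret, base32-encoded so it can be typed."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def derive_pdf_password(client_secret: str, password_id: str, length_bytes: int = 16) -> str:
    """Derive one message's PDF password from the Client Secret and Password ID.

    Assumption: HMAC-SHA256 stands in for the OTP algorithm, which the page
    does not specify. length_bytes mirrors the "Generated length" setting.
    """
    if not client_secret or not password_id:
        raise ValueError("client secret and password ID are both required")
    if not 1 <= length_bytes <= hashlib.sha256().digest_size:
        raise ValueError("length_bytes must be between 1 and 32")
    mac = hmac.new(client_secret.encode(), password_id.encode(), hashlib.sha256).digest()
    # Truncate to the configured length, then base32-encode for easy typing.
    return base64.b32encode(mac[:length_bytes]).decode("ascii").rstrip("=").lower()


def demo() -> dict:
    """Gateway and recipient derive independently; only matching inputs agree."""
    secret = new_client_secret()                          # constructed sample secret
    gateway = derive_pdf_password(secret, "PWID-0001")    # constructed Password IDs
    recipient = derive_pdf_password(secret, "PWID-0001")
    next_mail = derive_pdf_password(secret, "PWID-0002")
    stranger = derive_pdf_password(new_client_secret(), "PWID-0001")
    return {
        "recipient_matches": hmac.compare_digest(gateway, recipient),
        "differs_per_mail": gateway != next_mail,
        "differs_per_secret": gateway != stranger,
        "length_chars": len(gateway),
    }


if __name__ == "__main__":
    print(demo())
```

In this sketch the password is a deterministic function of the secret and the ID, so anyone holding a recipient's Client Secret can derive the password for every PDF sent to that recipient; the secret needs the same protection as a long-lived key.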

To enable OTP mode, the following steps are required:

  • Enable OTP

  • Enable Portal Auto Signup

  • Set password generated length

  • Edit PDF encryption template

Enable OTP

By default, OTP is not enabled. To enable OTP mode, select “OTP Enabled” (Settings ‣ PDF ‣ OTP Enabled).

Enable Portal Auto Signup

To generate the one-time password (OTP) for a protected PDF, the recipient must sign in to the portal using a portal password. If the Auto invite option is enabled (Settings ‣ PDF ‣ Portal Auto Signup) and the recipient does not yet have a portal password, the email will include an invitation link. After clicking the link, the recipient can create a portal password for their account. Alternatively, a gateway administrator can set the portal password on the recipient’s behalf.

Set password Generated length

By default, passwords are generated with a length of 16 bytes (128 bits). You can change this in the Advanced settings by adjusting the Generated length option.

Caution

Use a long password to make it significantly harder for attackers to guess it using automated attempts.

Edit PDF encryption template

An encrypted PDF is attached to a new email that uses the Encrypted PDF template. You can edit this template on the Templates page under Settings ‣ Templates ‣ Encrypted PDF Mail Template OTP Password Mode.

Configure PDF reply

With the PDF Reply feature, recipients outside your organization can respond to an email sent as an encrypted PDF. The PDF includes a Reply link; when clicked, it opens a secure page on the CipherMail portal where the recipient can compose and send a response. To use this feature, the CipherMail portal must be configured and accessible to external recipients.

Use the following settings to configure and control the PDF reply feature.

Enable PDF reply

By default, PDF Reply is not enabled. To enable it, select “Reply Enabled” (Settings ‣ PDF ‣ Reply Enabled).