Using ImageMagick for PDF redaction

The modern mortgage includes many parties. Originators, appraisers, title companies, and real estate agents all need to understand various pieces of the puzzle in order to work together to produce and finalize a loan. This means that mortgage companies need to share documents such as a borrower’s Certification and Authorization (a document that certifies that the applicant has applied for a mortgage and authorizes some of the information to be shared with third parties), but need to do so without revealing unnecessary borrower PII (Personally Identifiable Information). PII is any data that can identify a specific individual, but some PII is more sensitive than other data, and we make sure that we release it to our partners on a strictly need-to-know basis. In our case, the Certification and Authorization form contains a social security number at the time of signing, which needs to be redacted prior to the document’s circulation to some partners.

Naturally, after doing this manually for some time we wanted to automate the process to improve efficiency. Although we could have had the borrower sign twice, we wanted to explore a maximally convenient approach. Unfortunately, tools like Adobe Acrobat don’t do a very good job of providing a mechanism for doing this (possibly by design), and many other tools simply add a shape over the area to be redacted without removing the text information. We needed a solution that would completely remove the text data.

Enter ImageMagick

Fortunately, we stumbled across a blog post with a partial solution. How (and why) I Redacted 488 PDFs Using Image Magick and Paint pointed to ImageMagick, a classic command-line tool for modifying images, as a convenient PDF rasterizer. A few more minutes of googling demonstrated that it was both possible and easy to use ImageMagick to draw boxes over parts of an image - even when only one page of a document needs to be modified - and convert the rasterized image to a PDF. Since these PDFs did not need to be text-selectable - and we generate the documents ourselves and use e-signing, meaning that the redaction area is in a predictable area - this was essentially the entire conversion process for us.

We found that the following basic gist was ideal for doing this:

magick \
  -density 300 \
  "cert-and-auth-combined-signed.pdf[0-1]" \
  -fill white \
  -draw "rectangle %[fx:(t==1?155:0)],%[fx:(t==1?1300:0)] %[fx:(t==1?500:0)],%[fx:(t==1?1350:0)]" \
  -compress ZIP \
  "result.pdf"

Let’s break down what we’re doing here.

magick

Call Imagemagick

-density 300

Set the working DPI to 300 pixels per inch

"cert-and-auth-combined-signed.pdf[0-1]"

Open pages 1-2 of our source file

-fill white
-draw "rectangle %[fx:(t==1?155:0)],%[fx:(t==1?1300:0)] %[fx:(t==1?500:0)],%[fx:(t==1?1350:0)]"

This gets a little more complex. We set the fill, and then use an FX expression to set coordinates based on a ternary based on whether we are on the second page, with all other pages getting an empty rectangle in the top left.

-compress ZIP

Use ZIP compression internally

"result.pdf"

Specify the output file

Pitfalls

Unfortunately, we found that when we sent the document via email, the second page of our signed document was appearing blank in previews, and couldn’t be opened in Adobe Acrobat. It turned out that the second page was being processed and encoded in grayscale while the first was in 16-bit sRGB, so we added a

Turning it into a microservice

Working from the command line is all fine and good, but to incorporate this into our loan processing flow, we needed to be able to queue up redactions from our mortgage workflow engine. We also wanted to isolate the process for performance and security reasons. At Better, we use ActiveMQ for queueing and an internal service for secure document storage, so the final flow consisted of the following:

Enqueue the conversion job from the mortgage engine, with a key to the encrypted signed borrower cert and authorization document.

1. Consume jobs from the queue in a Typescript-based microservice.
2. Download the signed document using the key in the job and a shared secret provided by local configuration.
3. Run Imagemagick on the document to redact the SSN using child_process.exec.
4. Upload the redacted document to our encrypted file store using a new document key and the same shared secret.
5. Enqueue a job in the mortgage engine to use the document to finalize the workflow activity that requested the redaction.
6. Finalize the workflow.

Conclusion

Although tools like ImageMagick are starting to age, they can still be invaluable for dealing with PDFs. If your requirements match ours, definitely give it a try!