All tests run on an 8-year-old MacBook Air.
All results from shipping 7 Mac apps as a solo developer. No sponsored opinion.
Real PDF redaction is harder than it looks. The naive approach — draw a black rectangle over text — doesn't actually remove the text from the file.
Here's what proper redaction requires.
The problem with naive redaction
A PDF with a black rectangle drawn over sensitive text still contains that text in the file structure. Anyone with a PDF editor can remove the rectangle and read the original content.
This has caused real security incidents. Legal documents, medical records, government reports — all leaked because someone drew a box over text and called it redacted.
What actual redaction requires
Identify the content to redact (text, images, or regions)
Remove the actual content from the PDF's content streams
Replace with a filled rectangle
Remove any references in the document structure
Rebuild the PDF without the redacted content in the object stream
Step 2 is where naive implementations fail. Removing visible rendering is not the same as removing the data.
The lopdf approach
With lopdf, you're working directly with PDF objects. Redaction means modifying content streams:
rustfn redact_text_in_stream(content: &[u8], target: &str) -> Vec {
// Parse PDF content stream operations
// Find text rendering operations containing target
// Replace text content with spaces or remove operations
// Rebuild content stream
// This is genuinely complex — PDF content streams
// interleave text positioning and rendering commands
todo!("non-trivial implementation")
}
PDF content streams aren't plain text. They're a sequence of operators and operands. Text appears across multiple operators: font selection, positioning, encoding, rendering. A complete redaction implementation needs to parse all of these.
What I ship in PDF Vault
Hiyoko PDF Vault implements region-based redaction: the user selects a region, we remove all content operations that render within that region, then fill with a solid rectangle.
It's not forensic-grade redaction. It removes content from the file structure rather than just drawing over it. For the use case — personal documents, not classified government files — it's appropriate.
For truly sensitive documents requiring certified redaction, professional tools with documented audit trails are the right choice. I'm honest about this in the app description.
The verdict
True PDF redaction is a solved problem in professional tools. In a Rust implementation, it's achievable but requires careful PDF content stream parsing. The naive approach (draw a rectangle) should never be called redaction.
Know what level of redaction your users actually need before deciding how to implement it.
If this was useful, a ❤️ helps more than you'd think — thanks!
Hiyoko PDF Vault → https://hiyokoko.gumroad.com/l/HiyokoPDFVault
X → @hiyoyok