pdfprivately
Back to Blog
Guide

Understanding PDF Security: Passwords, Encryption, and Permissions

Understand PDF passwords, AES-256 encryption, and document permissions. Learn how to protect sensitive documents with client-side encryption that keeps your password private.

pdfprivately TeamJuly 3, 20266 min read
PDF securityPDF encryptionpassword protect PDFPDF permissionsAES-256

The Two Types of PDF Passwords

PDF security distinguishes between two independent passwords with very different purposes:

User password (open password): This is what most people think of as a "PDF password." It controls who can open and view the document. Without this password, the file cannot be opened at all. The content remains encrypted and unreadable until the correct password is supplied. This is real security.

Owner password (permissions password): This controls what someone can do with the document after opening it — printing, copying text, editing, adding annotations, and filling forms. Here is the critical detail: most PDF readers do not actually enforce owner permissions. Adobe Acrobat does, but many third-party readers ignore them entirely. The owner password is a cooperative restriction, not a security boundary.

For genuine protection, always set a user password. The owner password is useful as a secondary signal for compliant readers, but it should never be your only line of defense.

AES-256 Encryption in Detail

Modern PDF encryption uses AES (Advanced Encryption Standard) with 256-bit keys — the same encryption standard used by governments and financial institutions worldwide. AES-256 is considered computationally infeasible to brute-force with any technology available today.

Here is how it works: when you set a password, the PDF library derives a 256-bit encryption key from your password using a key derivation function (KDF). This key encrypts every object in the PDF — text streams, image data, fonts, and metadata — using AES in Cipher Block Chaining (CBC) mode. Without the correct password, the encryption key cannot be derived, and the document content remains ciphertext — completely unreadable.

PDF 2.0 introduced AES-256 encryption, replacing the older RC4 algorithm that was standard in PDF 1.x documents. RC4 is now considered cryptographically broken and should not be used for new documents. When protecting a PDF, choose AES-256 whenever possible. Some older PDF viewers may not support it, but the security upgrade justifies the compatibility trade-off.

What Permissions Actually Do

The PDF specification defines several permission flags that can be set in the encryption dictionary:

  • Printing: Restrict whether the document can be printed at all, or only at low resolution. Low-resolution printing (150 DPI) prevents high-quality reproductions while still allowing basic proofing.
  • Content copying: Control whether text and images can be selected and copied to the clipboard. This prevents casual extraction but can be bypassed by determined users.
  • Modification: Restrict editing of the document's content, including adding, deleting, or modifying text and images.
  • Annotation: Control whether comments, stamps, and markup can be added to the document.
  • Form filling: Allow or block filling of interactive form fields. Useful when you want recipients to complete fields but not alter the document structure.
  • Accessibility: Allow screen readers to extract text for assistive technologies. Enabling this is good practice and does not weaken other restrictions.

A critical detail: these permissions are advisory, not enforced by the encryption itself. A technically proficient user can bypass them using tools that ignore the permission flags. For content you truly need to protect, rely on the user password.

When to Use Each Security Level

No password — Appropriate for public documents like eBooks, whitepapers, marketing materials, and forms that anyone should freely open and edit.

User password only — For confidential documents: contracts, financial statements, legal briefs, tax returns, and personal records. This is your primary security mechanism and should be your default for anything sensitive.

Owner password only — Rarely useful on its own. Without a user password, anyone can open the document, and most readers ignore the restrictions. Only meaningful in controlled environments where everyone uses compliant software.

Both passwords — When you want both access control (user password) and modification restrictions (owner password). Useful for distributing documents to known parties where you need both layers.

Client-Side Encryption Means Your Password Stays Private

When you protect a PDF on pdfprivately, the encryption happens entirely in your browser. Your password is used to derive the encryption key locally — it is never transmitted over a network, never stored on a server, and never written to a log file.

This is a fundamental security property of client-side encryption. The only way your document can be decrypted is by entering the password on the device where you open the PDF. Your password exists only in the interaction between you and the PDF file. No remote server ever sees it.

Step-by-Step: Protect a PDF with pdfprivately

1. Open the Protect PDF tool.

2. Drop your PDF onto the page — it is read into your browser's memory.

3. Set a user password for access control and optionally an owner password for permission restrictions.

4. Choose which permissions to restrict: printing, copying, editing, and annotations.

5. Click "Protect." Your browser encrypts the PDF using AES-256. The entire operation runs locally.

6. Download your secured PDF. The encryption processed on your device — your password never left your computer.

Try These pdfprivately Tools

Stay Updated

Get the latest PDF tips, privacy guides, and tool updates. No spam, no tracking — just useful content delivered to your inbox.

We respect your privacy. Unsubscribe anytime. No tracking, no analytics.