PDF Encryption Explained: AES, Passwords, and Permissions

April 9, 2026·6 min read

PDF encryption is one of those features everyone uses occasionally but few understand well. The result is files that feel secure but aren't, or files that are far more locked down than the user intended. Knowing the actual mechanics — what's protected, what isn't, and which choices matter — turns "I added a password" into "I made a deliberate security decision."

Two different things people call "PDF encryption"

  • Document open password: the file is genuinely encrypted. You can't read the content without the password. This provides real protection.
  • Permissions password (also called "owner password"): the file isn't encrypted in any meaningful way — it's just marked as having restrictions on printing, copying, or editing. Any tool can ignore the restrictions.

These two are sometimes combined: a file may have both. The first protects the content; the second adjusts what users can do with the content once they've opened it.

When someone says "I password-protected my PDF," they often mean the permissions password — which provides almost no real security.

How real PDF encryption works

PDFs use AES (Advanced Encryption Standard), the same algorithm that protects banking and most encrypted communications. Modern PDFs use AES-256, the strongest variant.

The mechanics:

  • The user supplies a password.
  • The PDF derives an encryption key from the password using a key-derivation function.
  • The content streams (text, images, fonts) are encrypted with AES using that key.
  • The metadata can be encrypted or left in plaintext, depending on the setting.

When you open the file, the reader asks for the password, derives the same key, and decrypts. With a strong password, this is effectively unbreakable.

What encryption does and doesn't protect

A correctly encrypted PDF:

  • Hides content from anyone without the password.
  • Protects against casual interception (email, file servers).
  • Can be sent through untrusted channels.

It does not:

  • Prevent screenshots or photographs of the content.
  • Stop a recipient from re-saving the file unencrypted after opening.
  • Survive printing — the printed copy is plaintext.
  • Resist a determined attacker if the password is weak.

For protection beyond opening, you need DRM systems (which are heavier and less interoperable) or rights management services. For most uses, encryption is plenty.

How permissions passwords pretend to work

A permissions password sets flags in the PDF:

  • "Don't allow printing."
  • "Don't allow copying text."
  • "Don't allow form filling."
  • "Don't allow editing."

These flags are requests. Compliant tools (Adobe Acrobat, Apple Preview) honour them. Non-compliant tools — and there are many — ignore them entirely. With most open-source tools you can strip the permissions in seconds. So permissions passwords stop your colleague from accidentally printing, but won't stop anyone with intent.

If you need real protection, encrypt the document with an open password. If you only need a polite "please don't" message, a permissions password is fine.
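The flags listed above are stored as a bit field in the /P entry of the file's encryption dictionary, which is why a tool can simply choose not to read them. The decoder below is an added example, not code from Docento.app or qpdf; the sample dictionaries are constructed, and the bit positions are those of the PDF specification's user access permissions table.

```python
# Added example: decode the /P permission bit field of a PDF encryption dictionary.
# Bit numbers count from 1 at the lowest-order bit, as in the PDF specification.
import re

PERMISSION_BITS = {
    3: "print",
    4: "modify contents",
    5: "copy or extract text and graphics",
    6: "add or modify annotations",
    9: "fill in form fields",
    10: "extract for accessibility",
    11: "assemble document",
    12: "print at high quality",
}

def decode_permissions(p_value):
    """Map a signed 32-bit /P integer to {permission: allowed}."""
    bits = p_value & 0xFFFFFFFF  # /P is written as a signed 32-bit integer
    return {name: bool((bits >> (bit - 1)) & 1)
            for bit, name in PERMISSION_BITS.items()}

def permissions_from_dict(encrypt_dict):
    """Pull /P out of the text of an /Encrypt dictionary and decode it."""
    match = re.search(r"/P\s+(-?\d+)", encrypt_dict)
    if match is None:
        raise ValueError("no /P entry found")
    return decode_permissions(int(match.group(1)))

# Constructed sample dictionaries, not taken from a real file.
LOCKED = "<< /Filter /Standard /V 5 /R 6 /Length 256 /P -3904 >>"
OPEN = "<< /Filter /Standard /V 5 /R 6 /Length 256 /P -4 >>"

if __name__ == "__main__":
    for label, d in (("locked", LOCKED), ("open", OPEN)):
        denied = [n for n, ok in permissions_from_dict(d).items() if not ok]
        print(label, "denies:", denied or "nothing")
```

On a real file, qpdf --show-encryption input.pdf reports the same permission settings.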

Choosing a password

Encryption strength is meaningless if the password is weak. Practical guidance:

  • Length matters more than complexity. A long passphrase like correct-horse-battery-staple-2026 is much stronger than P@ssw0rd!.
  • Don't reuse passwords across documents — if one document leaks, others remain safe.
  • Don't email the password in the same message as the PDF. Use a separate channel.
  • Use a password manager for generation and storage.
  • For shared documents, prefer key management over passwords. Tools that integrate with your identity provider authenticate based on user identity, not a shared secret.

Adding encryption

Three common ways:

  • Browser tool: Docento.app lets you set both open and permissions passwords in the browser without uploading the file.
  • Command line: qpdf --encrypt user-pwd owner-pwd 256 -- input.pdf output.pdf for AES-256.
  • From the source: Word, Pages, Google Docs all let you set a password during PDF export.

For a more practical walkthrough, see how to password-protect a PDF.

Removing encryption (when allowed)

If you have the password, removing encryption is trivial:

  • Open the file, enter the password, save without encryption.
  • qpdf --decrypt --password=PWD input.pdf output.pdf.
  • Most browser tools have a "remove password" option.

If you don't have the password, you can't decrypt the file. Tools that claim to "recover" PDF passwords either guess weak passwords by brute force (often successful for old, weak PDFs) or remove only the permissions password — not the open password. Strong passwords cannot be recovered. See how to remove a password from a PDF for the legitimate cases.

PDF encryption versions

PDF encryption has evolved:

  • 40-bit RC4 (PDF 1.3 and earlier) — broken decades ago. Don't use.
  • 128-bit RC4 (PDF 1.4+) — broken. Don't use.
  • 128-bit AES (PDF 1.6) — fine for most uses but superseded.
  • 256-bit AES (PDF 1.7) — current standard, what every modern tool uses.

If you're encrypting PDFs in 2026, choose AES-256. Older versions are still readable by old tools but offer much weaker security.
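To find files still using the older schemes, read the /V, /Length and /CFM entries of the /Encrypt dictionary. The classifier below is an added example, not code from Docento.app or any PDF library; it works on the dictionary's text, the sample dictionaries are constructed, and the verdict strings paraphrase the list above.

```python
# Added example: classify the cipher declared in a PDF /Encrypt dictionary.
# Simplification: reads the first /CFM it finds instead of resolving
# /StmF and /StrF to their named crypt filters.
import re

VERDICTS = {  # wording follows the version list above
    "RC4-40": "broken, re-encrypt",
    "RC4-128": "broken, re-encrypt",
    "AES-128": "acceptable but superseded",
    "AES-256": "current standard",
}

def _int_entry(name, text, default):
    m = re.search(r"/%s\s+(-?\d+)" % name, text)
    return int(m.group(1)) if m else default

def classify_encryption(encrypt_dict):
    """Return (algorithm, verdict) for the text of an /Encrypt dictionary."""
    v = _int_entry("V", encrypt_dict, 0)
    length = _int_entry("Length", encrypt_dict, 40)  # key bits; default is 40
    m = re.search(r"/CFM\s*/(\w+)", encrypt_dict)
    cfm = m.group(1) if m else None
    if v == 1:
        algo = "RC4-40"
    elif v == 2:
        algo = "RC4-%d" % length
    elif v == 4 and cfm == "AESV2":
        algo = "AES-128"
    elif v == 4 and cfm == "V2":
        algo = "RC4-128"  # assumed 128-bit, the usual case for this filter
    elif v == 5:
        algo = "AES-256"  # AESV3 crypt filter
    else:
        algo = "unknown"
    return algo, VERDICTS.get(algo, "weak or unrecognised, inspect manually")

# Constructed sample dictionaries, not taken from real files.
SAMPLES = {
    "legacy": "<< /Filter /Standard /V 1 /R 2 /P -44 >>",
    "rc4": "<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >>",
    "aes128": "<< /Filter /Standard /V 4 /R 4 /Length 128 /CF << /StdCF << /CFM /AESV2 /Length 16 >> >> /StmF /StdCF /StrF /StdCF >>",
    "aes256": "<< /Filter /Standard /V 5 /R 6 /Length 256 /CF << /StdCF << /CFM /AESV3 /Length 32 >> >> /StmF /StdCF /StrF /StdCF >>",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify_encryption(text))
```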

Encryption and metadata

By default, modern PDF encryption encrypts the content streams but leaves the metadata (title, author, creation date) unencrypted. This is intentional — it lets search engines and document management systems index encrypted PDFs without decrypting them.

For maximum privacy, configure encryption to include metadata, or strip metadata before encryption.

Encryption and digital signatures

Encryption and signatures coexist but are independent:

  • Encryption hides content.
  • Signatures prove authorship and integrity.

A signed PDF can be encrypted; an encrypted PDF can be signed. The order matters — encrypting after signing usually preserves the signature; signing after encrypting may not. Test in your specific workflow.

For more on signatures, see signing a PDF online and digital signatures vs electronic signatures.

Encryption and email

Many email systems strip attachment passwords, treat encrypted PDFs as suspicious, or refuse to deliver them. If you encrypt and email PDFs frequently:

  • Test with each major recipient platform first.
  • Consider sharing via secure file transfer instead of email.
  • If you must email, send the password through a separate channel — text message, separate email account, password manager link.

Conclusion

PDF encryption with AES-256 and a strong password is genuinely secure. Permissions passwords are a polite request, not real protection. Pick the right one for your need, choose a strong password, send it separately. Docento.app handles browser-based encryption without uploads, useful when the source document is sensitive enough that even your encryption tool shouldn't see it in the clear.
