Skip to main content

PDF Password Protect

Add AES-256 password protection to PDF files via qpdf. Files auto-deleted after 15 minutes.

Reviewed by · Last reviewed

How to Password Protect a PDF

  1. Drop a PDF onto the upload zone or click to browse. Up to 200 MB.
  2. Type a password and confirm it. The same string becomes the user password (to open the document) and the owner password (full edit rights), so no second credential is hidden behind the scenes.
  3. Click "Protect PDF". The file is uploaded over HTTPS to our EU servers, encrypted with qpdf --encrypt user owner 256 -- input.pdf output.pdf, and the AES-256 result is offered back as a signed, time-limited download.
  4. Test the output in Acrobat, Preview, or your browser. You should be prompted for the password before the document opens. Save the password in a manager before closing the tab.

What PDF Password Protection Really Is

A password on a PDF is not a ZIP-style archive password. The file is still a valid PDF; what changes is that content streams, /Info metadata, and embedded fonts are encrypted with a symmetric cipher keyed off your password, and the trailer gains an /Encrypt dictionary describing how to derive that key. PDF 2.0 (ISO 32000-2, 2020) uses AES-256 in CBC mode with a 256-bit key derived through a fixed ladder plus a 16-byte per-file salt. Older PDF 1.7 files (ISO 32000-1, 2008) use AES-128 or legacy RC4 ciphers that should not be used for new documents.

PDFs can carry two passwords: the user password opens the document, and the owner password unlocks permission flags that control printing, copying, form filling, and annotation. Those flags live in the /P entry of the encrypt dictionary. This tool sets both passwords to the same value, so you stay the owner of your own file.

Why a Server Tool, Not a Browser Build

Reliable PDF AES-256 encryption requires the standard security handler at revision 6, including the SHA-256 ladder used to derive the content-encryption key. Browser-side WebAssembly builds of qpdf exist but ship hundreds of kilobytes of code, run a fraction of native speed, and break on iOS Safari memory limits for documents above ~50 MB. Routing the file to our EU server runs the canonical native qpdf binary, finishes in under a second for typical contracts, and supports documents up to 200 MB without choking the tab. The trade-off is that your file is briefly visible to our infrastructure; we do not log content, and the input plus the encrypted output are auto-deleted after 15 minutes.

When to Reach for Encryption

  • Sending a signed contract or offer letter by email to a client whose inbox you do not manage.
  • Archiving employee records or medical intake forms where HIPAA or similar frameworks require an encryption control on data at rest or in transit.
  • Sharing a confidential board deck through Dropbox or Google Drive as a second layer on top of link permissions.
  • Meeting a customer security questionnaire that asks whether outgoing documents are encrypted before being handed to a third party.
  • Uploading financial statements to a vendor portal that logs downloads but does not guarantee per-recipient access control.
  • Adding a light deterrent to invoices, tax returns, or expense reports that might get forwarded further than you intended.

Pitfalls and Edge Cases

PDF encryption is not a cure-all. Passwords shorter than about twelve characters can be brute-forced offline because the PDF key-derivation ladder is not as expensive as PBKDF2 with 600,000 iterations. A document signed before encryption will still validate, but some viewers warn that the signature covers only part of the updated file. Permission flags are advisory; some readers ignore the "no printing" bit. Already-encrypted uploads are not supported - decrypt with the PDF unlocker first. If you lose the password there is no recovery path; back it up at creation time.

Local Alternatives

For batches of dozens of files or for documents you do not want to upload at all, run qpdf locally: qpdf --encrypt user owner 256 -- input.pdf output.pdf (Homebrew, Debian, Fedora, Chocolatey). Ghostscript can do the same via its -sOwnerPassword and -sUserPassword switches. macOS Preview writes AES-128 through File -> Export with the Encrypt checkbox, and LibreOffice Draw offers the same in its PDF export dialog. CLIs win on throughput and on never having to upload; this tool wins on zero install.

Frequently Asked Questions

Where is the encryption performed?

On our EU servers using the canonical native qpdf binary. The file is uploaded over HTTPS, encrypted with AES-256 (PDF 2.0 standard security handler revision 6), and the result is offered as a signed, time-limited download. Both the input and the encrypted output are auto-deleted after 15 minutes. We do not log file content.

What is the difference between a user password and an owner password?

The user password is required to open and read the document at all; without it the reader sees a lock screen. The owner password unlocks the permission bits that restrict printing, copying, annotating, and form filling once the file is already open. This tool sets both to the same string so you are always the owner of the file you produce and no hidden second credential is needed for full access.

Which AES strength is used?

AES-256 in CBC mode, the PDF 2.0 standard security handler revision 6, including a 16-byte salt and the SHA-256 key-derivation ladder. RC4 and AES-128 are legacy options the spec still allows but we never select; AES-256 is the right default for any new document and is supported by every modern reader.

Can I use this on a PDF that is already encrypted?

No. qpdf will not re-encrypt an already-encrypted document without first having the credential. Decrypt the original with the PDF unlocker tool, then run the protector on the plaintext copy if you want to change the password.

How strong a password do I actually need?

Aim for at least fourteen characters from a random set or a four-word passphrase from a large wordlist. The PDF key-derivation function is weaker than modern web-grade KDFs, so passwords that would be fine for a password-manager vault can still be cracked overnight on a GPU rig if they are short or dictionary-based. A password-manager-generated string of twenty characters is more than adequate for any realistic threat model.

Does encryption break PDF/A compliance?

Yes. PDF/A-1, -2, -3, and -4 all forbid encryption because archival documents must be openable without any external credential decades from now. If you are producing a file for a records retention policy that requires PDF/A, apply encryption at the storage layer (an encrypted disk, an encrypted ZIP container, or a secure document vault) rather than inside the PDF itself.

What happens to digital signatures when I add a password?

A signature applied before encryption will still validate in most readers, but some viewers will surface a warning that the file has been modified after signing because the encryption added a new revision to the PDF. Best practice is to finalize signatures first, then encrypt a clean copy of the signed file so the signature covers the fully encrypted bytes in a single revision.

Can this tool restrict printing or copying instead of adding a password?

Not in the current build. Adding a password here uses the same credential for both user and owner roles, so the produced document still allows printing and copying once open. To restrict permissions, run qpdf locally with separate user and owner passwords plus flags like --print=none or --modify=none.

How long do you keep the file?

Maximum 15 minutes from upload. The original upload, the encrypted output, and the signed download URL all stop working after that. There is no opt-in retention; the cleanup runs every 5 minutes on a tight cron.

Is the password sent to the server in the clear?

It travels inside an HTTPS request body, so it is encrypted in transit. On the server it is held in process memory only for the duration of the qpdf call, never written to disk or to logs, and discarded as soon as the encrypted PDF is produced. Use a strong password regardless - the threat model includes attackers who later get the encrypted PDF, not us.

Learn more

More PDF Tools

Image to PDF

Combine multiple JPG and PNG images into a single PDF document.

Open tool

PDF Compressor

Compress PDFs with Ghostscript image downsampling. Pick a quality preset. Files auto-deleted after 15 minutes.

Open tool

PDF Merge (Server-Side)

Merge up to 20 PDFs into a single document on our EU servers using qpdf. Files auto-deleted after 15 minutes. Handles large or password-cleared inputs the in-browser merger cannot.

Open tool

PDF Merger

Merge multiple PDF files into a single document with drag-and-drop reordering.

Open tool

PDF Page Reorder

Rearrange pages in a PDF document with a visual drag-and-drop interface.

Open tool

PDF Rotate (Server-Side)

Rotate every page of a PDF, or just a selected range, by 90, 180, or 270 degrees on our EU servers. qpdf-based, metadata preserved. Auto-deleted after 15 minutes.

Open tool