How to Encrypt and Password-Protect PDF Files

← Back to Blog

Two Types of PDF Password

Adobe Acrobat supports two distinct password types for PDF security, and understanding the difference between them is essential before applying protection to a document.

Document Open Password (also called a User Password): This password must be entered before the PDF can be opened at all. Without it, a viewer cannot read the document. This is the appropriate protection when you need to restrict who can access the content — for example, when distributing a confidential report to a limited audience.

Permissions Password (also called an Owner Password or Master Password): This password controls what an authorised viewer can do with the document after opening it. It governs actions such as printing, copying text, editing, and form completion. A document protected with only a Permissions Password can be opened without any password, but the restricted operations are prevented in conforming PDF viewers. The Permissions Password is required to change or remove those restrictions.

You can apply either password independently, or both together. If both are set, the Document Open Password must be entered to view the file, and the Permissions Password is required to change the security settings.

Encryption Algorithms

PDF encryption strength is determined by the encryption algorithm selected when security is applied:

• RC4 40-bit (Acrobat 3 and later compatibility): Legacy encryption, now considered cryptographically weak. Should not be used for documents requiring genuine security.
• RC4 128-bit (Acrobat 5 and later compatibility): Stronger than 40-bit RC4 but RC4 itself is a deprecated cipher. Acceptable only for legacy compatibility requirements.
• AES 128-bit (Acrobat 7 and later compatibility): AES (Advanced Encryption Standard) is the current standard cipher. 128-bit AES provides strong security for most practical purposes.
• AES 256-bit (Acrobat X and later compatibility): The strongest available option in Acrobat. Required for high-security applications and recommended for all new documents where compatibility with older versions of Acrobat is not a constraint.

For new documents, always choose AES 256-bit unless recipients are known to be using Acrobat 9 or older.

Setting Passwords in Adobe Acrobat

1. Open the PDF in Adobe Acrobat Pro.
2. Go to File > Properties and click the Security tab, or go to Tools > Protect > Protect Using Password.
3. In the Document Properties > Security tab, select Password Security from the Security Method dropdown and click Change Settings.
4. In the Password Security Settings dialog, choose your compatibility level (which determines the encryption algorithm).
5. To require a password to open the document, tick Require a password to open the document and enter the Document Open Password.
6. To restrict permissions, tick Restrict editing and printing of the document and enter the Permissions Password. Then configure the individual permission flags (see below).
7. Click OK, confirm each password when prompted, and save the document. The security settings take effect after saving.

Permission Flags

When applying a Permissions Password, you can configure the following restrictions:

• Printing: Allow no printing, low-resolution printing only, or full high-resolution printing.
• Changes: Prevent all editing; allow only form filling and signing; allow commenting and form filling; or allow all editing except page extraction.
• Content copying: Prevent text and image content from being copied to the clipboard.
• Accessibility: A separate flag allows screen readers and accessibility tools to access the content even when copying is otherwise restricted.

Note that permission flags are honoured by conforming viewers such as Adobe Acrobat Reader, but are not enforced by all third-party PDF tools. Permission restrictions are a deterrent for casual misuse; they are not a technical barrier against determined extraction using non-conforming software.

Certificate-Based Security

As an alternative to password protection, Acrobat supports certificate-based security, where encryption keys are tied to digital certificates rather than shared passwords. This approach is more secure in multi-recipient workflows — each authorised recipient uses their own private key to decrypt the document, eliminating the need to share a common password. Certificate security requires each recipient to have a digital certificate available to Acrobat and is more appropriate in enterprise environments with existing PKI (Public Key Infrastructure) infrastructure.

Removing Password Protection

If you hold the Permissions Password for a protected document, you can remove security via File > Properties > Security, change the Security Method to No Security, enter the Permissions Password when prompted, and save the file. The Document Open Password, if set, can also be removed this way once you have authenticated.

Without the correct password, removing PDF security through legitimate means is not possible. Third-party password recovery tools exist but are outside the scope of normal document workflows.

Limitations: What PDF Encryption Cannot Prevent

PDF encryption protects the file contents while the file is at rest and in transit. It does not prevent a person who has legitimately opened the document from taking a screenshot of the screen, photographing the screen, or manually transcribing the content. For truly sensitive material, PDF encryption is one layer of a broader security approach — not a complete solution in isolation.

Programmatic Password Protection

PDF encryption can be applied programmatically using server-side PDF libraries such as iText (Java/.NET), PDFBox (Java), or Aspose.PDF. This is the standard approach for workflows where PDFs must be encrypted at the point of generation — for example, automatically encrypting invoice PDFs before emailing them, or securing generated reports in a document management system. Mapsoft can assist with designing and building such workflows as part of a custom PDF development engagement.