DevToolKit

PDF Encrypt & Decrypt — AES-256 Password Protection

Add or remove AES-256 password protection on PDF files entirely in your browser. Set document permissions, choose encryption strength, and protect sensitive documents without uploading them.

pdf

Drop your PDF here to encrypt

Files are processed entirely in your browser — never uploaded
Processed locally
Was this tool helpful?

How to Use

Protect or unlock PDF documents in three steps:

  1. Choose your mode — Toggle between Encrypt and Decrypt at the top of the tool. Encrypt adds password protection and permission restrictions to an unprotected PDF. Decrypt removes them from a protected PDF when you provide the correct password.
  2. Upload your PDF and set passwords — Drag and drop the file or click the dropzone. For encryption, choose a strong document password and optionally set a separate owner password. Use the permission matrix to control which actions (printing, copying, editing) are allowed. For decryption, enter the password that was used to protect the file.
  3. Download the result — Click Encrypt or Decrypt. The tool processes the entire PDF in your browser using AES-256 encryption. Download the output file — an encrypted PDF that requires a password to open, or a decrypted PDF with all restrictions removed.

The entire process runs in your browser using the Web Crypto API for AES-256 operations. Your PDF and passwords are never uploaded to any server.

About This Tool

PDF encryption is defined in the PDF specification (ISO 32000) and has evolved through six major revisions. This tool implements revision 5, which uses AES-256 (Advanced Encryption Standard with 256-bit keys) — the strongest encryption available in the PDF format. AES-256 provides 2256 possible key combinations, making brute-force attacks computationally infeasible with current technology.

The encryption process generates a random 32-byte file encryption key, then derives password verification hashes and key-encryption keys using SHA-256. Each content stream and string in the PDF is encrypted individually with AES-256-CBC (Cipher Block Chaining mode), using a unique random initialization vector per object. This means identical plaintext in different locations produces different ciphertext, preventing pattern analysis attacks.

The PDF permission system controls eight distinct capabilities through bitwise flags stored in the encryption dictionary. The P value is a signed 32-bit integer where specific bits correspond to individual permissions: bit 3 for printing, bit 4 for modification, bit 5 for content extraction, bit 6 for annotations, bit 9 for form filling, bit 10 for accessibility, bit 11 for document assembly, and bit 12 for high-quality printing. Compliant viewers enforce these restrictions when the document is opened with the user password but grant full access when the owner password is provided.

The two-password architecture serves distinct security purposes. The user password (document password) encrypts the actual content — without it, the PDF is unreadable binary data. The owner password (permissions password) controls which actions are permitted when the document is opened. Setting only a user password means anyone who can open the document has full access. Setting both passwords allows distributing a restricted version while retaining administrative control through the owner password.

Previous PDF encryption revisions used weaker algorithms: revision 2 employed 40-bit RC4 (trivially breakable), revision 3 extended to 128-bit RC4, and revision 4 introduced AES-128. Revision 5 and 6 both use AES-256, with revision 6 (defined in ISO 32000-2:2020) adding an improved key derivation function. The revision 5 implementation in this tool is compatible with Adobe Acrobat X and later, as well as most modern PDF viewers including Chrome's built-in viewer, Firefox's PDF.js, and Apple Preview.

Why Use This Tool

Password-protecting PDF documents is essential for managing sensitive information across personal and professional workflows:

  • Protect confidential documents before sharing — Encrypt contracts, financial reports, medical records, or legal documents before sending via email or file-sharing services. Even if the file is intercepted, AES-256 encryption ensures the content remains unreadable without the password.
  • Control document distribution — Set an owner password with restricted permissions to distribute view-only versions of proposals, manuscripts, or design files. Recipients can read and print the document but cannot copy text, extract images, or edit content.
  • Comply with data protection regulations — GDPR, HIPAA, SOX, and PCI-DSS all require appropriate encryption for sensitive data in transit. Encrypting PDFs before sharing helps meet these regulatory requirements.
  • Secure archival storage — Encrypt sensitive documents before uploading to cloud storage or backup services. This adds a layer of protection beyond the storage provider's own encryption, following the defense-in-depth security principle.
  • Remove outdated restrictions — Decrypt PDFs that you own but no longer need protected. Legacy documents from old workflows, expired NDAs, or files where the security requirement has passed can be decrypted and archived without restrictions.
  • Prepare documents for signing — Some digital signature workflows require unencrypted PDFs. Decrypt a protected document, apply the signature, then re-encrypt with updated permissions that prevent further modification.

Privacy advantage: Server-based PDF encryption tools require uploading your unprotected document and transmitting your chosen password — both over the network to a third-party server. This tool processes everything in your browser. The unencrypted PDF, the password, and the encryption key material exist only in your device's memory and are discarded when you close the tab. No server logs, no data retention, no third-party access.

FAQ

What encryption does this tool use?
This tool uses AES-256 encryption (PDF encryption revision 5), which is the strongest standard defined in the PDF specification. AES-256 is the same cipher used by government agencies and financial institutions to protect classified and sensitive data. Every stream and string in the PDF is individually encrypted with a unique initialization vector.
What is the difference between the document password and the owner password?
The document password (user password) is required to open the PDF. Without it, the content is completely inaccessible. The owner password grants unrestricted access including the ability to change permissions and remove encryption. If you set only a document password, it serves both roles. Setting a separate owner password lets you distribute a restricted version while retaining full control.
Can I restrict specific actions like printing or copying?
Yes. The permission matrix lets you control eight individual actions: printing, high-quality printing, content copying, modifying, annotating, form filling, document assembly (inserting or deleting pages), and accessibility extraction. Restricted actions are enforced by compliant PDF viewers like Adobe Acrobat.
Is my PDF uploaded to a server?
No. The entire encryption and decryption process runs locally in your browser using the Web Crypto API for AES-256 operations. Your PDF and passwords never leave your device. This makes the tool safe for confidential documents including contracts, tax returns, medical records, and legal filings.
Can I recover a forgotten password?
No. AES-256 encryption is designed to be computationally infeasible to break without the correct password. If you forget the password, the encrypted PDF cannot be recovered. Always store your PDF passwords in a password manager or another secure location.
NavigateOpenEscClose