2026-05-11 · 10 min read
PDF Security: Passwords, Encryption, and Redaction Explained
Most people think of PDF security as “the file with a password on it.” That’s one piece. The full picture is messier and a lot more interesting: PDFs support two kinds of passwords, three encryption strengths, partial restrictions, and redaction — and each of them protects against a very specific threat. Get the wrong combination and you ship a document that looks secure but isn’t. Below is what each feature actually does and when to use it.
Two kinds of passwords
The PDF specification (ISO 32000) defines two distinct password slots that do different jobs:
- User password (open password): required to view the document at all. Without it, the file is encrypted bytes.
- Owner password (permissions password): doesn’t block opening — it controls what you can do once open: print, copy text, edit, fill forms, extract pages.
These can be set independently. A common configuration: no user password (anyone can read), but an owner password that disables printing and copying. The catch — a critical catch — is that owner password restrictions are advisory. They depend on the viewer choosing to honour them. Adobe Reader and most browsers do. Free tools like qpdf and many third-party readers will happily ignore them.
Translation: the owner password is a polite request, not a wall. Use it for low-stakes friction (discouraging casual copying) and never for actually keeping secrets.
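To make concrete how thin an owner-password restriction is, here is an added example (not from the article) that decodes and builds the /P permission integer the way ISO 32000-1 Table 22 defines it, and pulls it out of a raw file; the sample /Encrypt object is constructed, with placeholder /O and /U strings.

```python
import re

# Permission bits from ISO 32000-1 Table 22 (1-indexed positions; all other
# bits are reserved). The whole "restriction" is this one integer stored as
# /P in the /Encrypt dictionary, which is why a viewer is free to ignore it.
PERMISSION_BITS = {
    "print": 3,
    "modify": 4,
    "copy": 5,            # copy or otherwise extract text and graphics
    "annotate": 6,        # add or modify annotations, fill in form fields
    "fill_forms": 9,
    "accessibility": 10,  # extract text for assistive technology
    "assemble": 11,       # insert, rotate or delete pages
    "print_high_res": 12,
}
RESERVED_ONES = 0xFFFFF000 | 0xC0  # bits 7-8 and 13-32 must be set

def decode_p(p: int) -> set:
    """Actions a /P value declares as allowed (signed 32-bit, so -1 = all)."""
    bits = p & 0xFFFFFFFF
    return {n for n, b in PERMISSION_BITS.items() if bits & (1 << (b - 1))}

def encode_p(allowed) -> int:
    """The /P value a writer stores for the given set of allowed actions."""
    bits = RESERVED_ONES
    for name in allowed:
        bits |= 1 << (PERMISSION_BITS[name] - 1)
    return bits - (1 << 32) if bits & 0x80000000 else bits  # back to signed

STANDARD_RE = re.compile(rb"/Filter\s*/Standard")
P_RE = re.compile(rb"/P\s+(-?\d+)")

def permissions_from_pdf(pdf: bytes):
    """Decode /P from the Standard security handler dictionary in a raw file.
    Returns None if that handler is not present. Assumes the dictionary sits in
    its own indirect object (the usual layout), so the search is limited to
    that object and does not pick up the unrelated /P key of annotations."""
    m = STANDARD_RE.search(pdf)
    if not m:
        return None
    start = max(pdf.rfind(b" obj", 0, m.start()), 0)
    end = pdf.find(b"endobj", m.end())
    p = P_RE.search(pdf[start:end if end != -1 else len(pdf)])
    return decode_p(int(p.group(1))) if p else None

# Constructed /Encrypt object with every permission bit cleared; the /O and /U
# entries are placeholders, not real password hashes.
SAMPLE_ENCRYPT = (b"7 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 "
                  b"/P -3904 /O <00> /U <00> >>\nendobj\n")
```

Nothing in the file enforces the integer: a reader that ignores /P, or a tool that rewrites it, sees the same content stream.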
Encryption strength: 40-bit, 128-bit, AES-256
The encryption you choose when setting a password matters more than the password itself. PDF supports three legacy and one modern algorithm:
| Algorithm | Strength | Status |
|---|---|---|
| RC4-40 | 40-bit key | Broken since 2001 — crackable in seconds |
| RC4-128 | 128-bit key | Weak — practical attacks exist |
| AES-128 | 128-bit key | Acceptable |
| AES-256 | 256-bit key | Current standard — use this |
AES-256 with a strong password (12+ random characters or a 5-word passphrase) is genuinely secure — there’s no public attack faster than brute-forcing the password itself. Brute-forcing a properly random passphrase would take longer than the universe has existed.
With a weak password (“Password123,” a name, a date), none of this matters. Off-the-shelf tools like John the Ripper or Hashcat can run hundreds of thousands of password guesses per second against a PDF. The encryption is only as strong as the password feeding it.
How to set a password (without paying)
On macOS, Preview can encrypt: File → Export → check “Encrypt” → set password. It uses AES-128 by default. For AES-256 you need a proper tool. The free option is qpdf:
```bash
# AES-256 with both user and owner passwords
qpdf --encrypt openpw ownerpw 256 -- input.pdf output.pdf

# AES-256, anyone can open, no printing or copying
qpdf --encrypt "" ownerpw 256 \
  --print=none --modify=none --extract=n -- in.pdf out.pdf

# Remove a password (if you know it)
qpdf --decrypt --password=openpw input.pdf output.pdf
```

Passwords typed on a command line end up in shell history and are visible to other processes while qpdf runs; for the decrypt step, qpdf can read the password from a file with --password-file instead.

On Windows, the free Foxit Reader and PDF24 can both encrypt with AES-256. Avoid online “encrypt PDF” tools that require upload — you’ve just handed your supposedly-private document to a third party in plaintext.
Sharing the password
The most common security failure isn’t weak encryption — it’s emailing the password in the same thread as the document. If you wouldn’t leave the front door key under the welcome mat, don’t put the password in the same inbox as the file. Send the PDF by email, the password by Signal, SMS, or a phone call. Out of band, every time.
Redaction: getting rid of information for good
Encryption protects the file from outsiders. Redaction does the opposite job — permanently removing information from a document so the people who can open it still can’t see the redacted parts.
Redaction is harder than it looks. The classic mistake is drawing a black rectangle on top of the text and saving. The text is still in the underlying PDF stream — anyone can copy-paste it out, run a text-extraction tool, or open the file in a different viewer and see right through the “redaction.” This has caused real leaks in court documents, government FOIA releases, and corporate filings — multiple times a year, every year.
True redaction does three things:
- Removes the underlying text and image data from the PDF stream.
- Removes any matching text in metadata (author, title, keywords).
- Replaces the area with a solid block so nothing remains visually.
Tools that do real redaction: macOS Preview (Tools → Redact, available in Sonoma+), Adobe Acrobat Pro’s Redact tool, and the open-source pdf-redact-tools by The Intercept. Avoid annotation-based approaches — “black highlighter” is not redaction.
The metadata problem
Even after careful redaction, PDFs leak through metadata. Author name, software version, original filename, creation timestamp, and editing history all sit in the document and travel with it. Document leaks have been traced back to authors via these fields more than once. Strip them before sending anything sensitive:
```bash
# Strip metadata with exiftool
exiftool -all:all= -overwrite_original document.pdf

# Then rewrite the file with qpdf. exiftool edits a PDF as an incremental
# update, so the deleted values stay in the file and can be recovered until
# it is rewritten. --remove-restrictions drops restrictions tied to digital
# signatures; it does not touch metadata.
qpdf --linearize --object-streams=generate \
  --remove-restrictions in.pdf out.pdf
```

Digital signatures vs. encryption
These are often confused. Encryption protects content from being read. A digital signature does the opposite — it doesn’t hide anything, it proves who signed and that the document hasn’t been altered since. They’re complementary: a contract might be both signed (proves authorship and integrity) and encrypted (only the recipient can read). Use signatures for legal authenticity, encryption for confidentiality.
A practical checklist for sensitive PDFs
- Encrypt with AES-256 and a 5-word random passphrase.
- Send the password out of band — different channel from the file.
- Redact properly with a tool that removes underlying data, not just hides it.
- Strip metadata before sending.
- Sign digitally if authenticity matters.
- Verify the result by opening the “final” file in a different viewer than you used to create it — this catches the “black box on top” redaction failure 100% of the time.
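The last checklist item can be automated. As an added example that is not part of the original article, the code below builds a constructed one-page PDF in which a name was "redacted" by painting a rectangle over it and was also left in the Info dictionary, then scans the file the way a text extractor or a second viewer would; the names and the sample document are constructed for the example.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
LITERAL_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)")
INFO_RE = re.compile(rb"/(Author|Title|Subject|Keywords|Creator|Producer)\s*\((.*?)\)")

def build_fake_redacted_pdf(secret: str, author: str) -> bytes:
    """Constructed sample: one page that draws `secret` as text, then paints a
    black rectangle over it (the 'black box on top' mistake). No xref table:
    enough for the scanner below, not for a viewer."""
    content = (f"BT /F1 12 Tf 72 700 Td ({secret}) Tj ET\n"
               "0 g 70 695 120 16 re f\n").encode()
    stream = zlib.compress(content)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
        b"<< /Author (%s) /Title (Internal memo) >>" % author.encode(),
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R /Info 5 0 R >>\n%%EOF\n"

def _decode(raw: bytes) -> bytes:
    # FlateDecode is the common case; anything that is not zlib data is scanned as-is.
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return raw

def find_leaks(pdf: bytes, terms) -> dict:
    """Map each term still recoverable from the file to where it was found: a
    decoded stream (raw bytes, plus string literals joined so a word split
    across kerned TJ pieces is still caught) or an uncompressed Info dict.
    An empty result means nothing was found; anything else means do not release."""
    leaks = {}
    for raw in STREAM_RE.findall(pdf):
        data = _decode(raw)
        joined = b"".join(LITERAL_RE.findall(data))
        for t in terms:
            if t.encode() in data or t.encode() in joined:
                leaks.setdefault(t, []).append("stream")
    for key, value in INFO_RE.findall(pdf):
        for t in terms:
            if t.encode() in value:
                leaks.setdefault(t, []).append("Info /" + key.decode())
    return leaks
```

Run it on a real file with a list of the terms you redacted; the Info check only sees an uncompressed Info dictionary, which is why the exiftool and qpdf rewrite above still belong in the workflow.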
For more on direct PDF editing — including light-weight tasks like annotation and form fill — see our guide to editing PDFs without Adobe. Done well, PDF security is genuinely strong. Done sloppily, it’s just paper with a fancier disguise.