How to Password Protect a PDF

You finished a contract, a tax filing, or a confidential report. Before you attach it to an email or drop it into a shared folder, you want to make sure only the intended recipient can open it. The standard answer is to password-protect the PDF — but the details matter more than most people realize.

PDF encryption has been part of the spec since the 1990s, and it has gone through several revisions with very different security properties. This guide covers the practical how-to for every major platform, explains what's actually happening under the hood, and lays out best practices for choosing passwords that hold up.

Two kinds of PDF passwords

The PDF specification defines two distinct password types, and confusing them is one of the most common mistakes people make.

User password (open password)

This is the password required to open and view the document. Without it, the file is unreadable — the entire content stream is encrypted. Anyone who tries to open the file in any PDF reader will see a password prompt. If they don't know the password, they see nothing.

Owner password (permissions password)

This password controls what people can do with the document after opening it — printing, copying text, editing, extracting pages. The document itself opens without a prompt (or with just the user password), but certain actions are restricted. The owner password is needed to change or remove those restrictions.

Here's the critical thing to understand: the owner password is enforcement by convention, not by cryptography. The content is still accessible; the PDF reader is simply instructed to block certain actions. Some tools and libraries ignore these permission flags entirely. If you need real security — if someone should not be able to read the content at all — you need a user password (open password), not just an owner password.

Encryption standards in PDF

Not all PDF encryption is equally strong. The encryption algorithm depends on the PDF version and the tool that applied the protection:

  • 40-bit RC4 (PDF 1.1–1.3). This is the original encryption scheme from the late 1990s. A 40-bit key can be brute-forced on modern hardware in minutes. If your tool offers this option, skip it — it provides effectively zero security today.
  • 128-bit RC4 (PDF 1.4–1.6). Significantly stronger than 40-bit, but RC4 itself has known weaknesses. It's adequate for casual protection but would not meet modern security standards for sensitive data.
  • 128-bit AES (PDF 1.6+). AES replaced RC4 as the recommended cipher. This is solid, widely supported encryption. Most tools produced in the last decade default to this.
  • 256-bit AES (PDF 2.0). The strongest option currently available. If your tool supports it, use it. Support has been broadly available in major PDF readers since around 2017.

When you password-protect a PDF, check what encryption standard the tool is using. Many older or simpler tools still default to 128-bit RC4. If you have a choice, always select AES-256.

How to password protect a PDF on macOS

Preview, the built-in PDF viewer on macOS, supports encryption out of the box. No additional software needed.

  1. Open the PDF in Preview.
  2. Go to File > Export as PDF (not "Save" — that won't show encryption options).
  3. Click Show Details if the options panel is collapsed.
  4. Check the Encrypt checkbox.
  5. Enter and verify your password.
  6. Click Save.

Preview uses 128-bit AES encryption. It only sets a user password (open password) — there are no options for granular permissions like disabling printing or copying. For most personal use this is sufficient. If you need permissions control or AES-256, you'll need a different tool.

One gotcha: Preview sometimes re-renders the PDF during export, which can subtly change formatting on complex documents. For simple documents (text, basic images) it's fine. For documents with precise layouts, verify the output.

How to password protect a PDF on Windows

Windows doesn't have a built-in PDF encryption tool. Microsoft Edge can view PDFs but can't add passwords. You have a few options:

Microsoft Word (Office 365 or 2019+)

  1. Open the PDF in Word (it will convert it to a Word document — formatting may shift).
  2. Go to File > Save As and choose PDF as the format.
  3. Click Options and check Encrypt the document with a password.
  4. Enter your password and save.

This works but involves a PDF-to-Word-to-PDF round trip. The formatting may not survive intact, especially for documents with complex layouts, tables, or embedded fonts. It's fine for simple text documents.

LibreOffice (free)

LibreOffice Draw can open PDFs and export with encryption:

  1. Open the PDF in LibreOffice Draw.
  2. Go to File > Export as PDF.
  3. In the PDF Options dialog, go to the Security tab.
  4. Click Set Passwords.
  5. Enter an open password and optionally a permissions password.
  6. Configure permission checkboxes (printing, copying, editing) as needed.
  7. Click Export.

LibreOffice gives you both password types and granular permission controls. The encryption is 128-bit AES by default. Like Word, it re-renders the document during export, so check that the output matches the original.

Command-line methods

qpdf

qpdf is a lightweight, open-source command-line tool specifically designed for PDF manipulation. It handles encryption cleanly without re-rendering the document — the internal structure stays intact.

qpdf --encrypt USER_PASSWORD OWNER_PASSWORD 256 -- input.pdf output.pdf

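The 256 specifies AES-256 encryption. You can use 128 together with --use-aes=y for AES-128 (a bare 128 gives RC4), or 40 for the legacy RC4 (don't). To set only a user password, don't leave the owner password empty with 256-bit encryption: qpdf refuses that combination unless --allow-insecure is given, because the resulting file can be opened without a password. Pass the same value for both passwords instead:

qpdf --encrypt mypassword mypassword 256 -- input.pdf output.pdf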

To add permission restrictions:

qpdf --encrypt USER_PASS OWNER_PASS 256 --print=none --modify=none --extract=n -- input.pdf output.pdf

Install with brew install qpdf on macOS or sudo apt install qpdf on Ubuntu.

Ghostscript

Ghostscript can also apply encryption, though it re-renders the PDF in the process:

gs -sDEVICE=pdfwrite -dCompatibilityLevel=2.0 -sOwnerPassword=OWNER -sUserPassword=USER -dEncryptionR=6 -dKeyLength=256 -dNOPAUSE -dBATCH -sOutputFile=protected.pdf input.pdf

The -dEncryptionR=6 -dKeyLength=256 flags select AES-256. Use qpdf if you want to preserve the original PDF structure exactly; use Ghostscript if you also want to compress or optimize the file during encryption.

Browser-based tools

If you don't want to install anything, our Protect PDF tool lets you add a password directly in your browser. The encryption happens client-side using the Web Crypto API — your file never leaves your device, and no data is sent to a server.

This is particularly relevant for sensitive documents. Many online PDF tools require you to upload your file to their servers for processing. If the document contains financial data, legal agreements, medical records, or anything confidential, uploading to a third-party server defeats the purpose of encrypting it. Client-side encryption means the unprotected version of the file never exists anywhere except your own browser tab.

Password best practices

The encryption algorithm is only half the equation. A weak password makes strong encryption irrelevant. Here's what matters:

Length over complexity

A 20-character passphrase made of common English words (correct horse battery staple) is dramatically harder to brute-force than an 8-character string of random symbols (x#9!Kp2$). Each additional character multiplies the search space exponentially. Aim for at least 12 characters — 16 or more is better.

Avoid predictable patterns

Don't use the document contents as the password ("contract2026", the client's name, the project code). Attackers who know what the document is about will try these first. Don't use passwords you've used elsewhere — credential stuffing from other breaches could expose it.

Use a password manager

Generate a random password in your password manager and store it there. When you send the encrypted PDF to someone, communicate the password through a different channel — a text message, a phone call, a separate email. Never put the password in the same email as the PDF attachment.

Consider the threat model

PDF encryption protects files at rest and in transit. It does not protect against someone who has the password sharing the decrypted content. It does not protect against screen capture, photographing the screen, or re-typing the text. If you need to control what someone does after they've read the document, you need DRM or a secure document viewer with access controls — not PDF encryption.

Common mistakes

Using only an owner password

This is the number-one mistake. People set a permissions password thinking the document is secured, but anyone can open and read it — they just can't (in compliant readers) print or copy text. And as mentioned earlier, many tools ignore permission restrictions entirely. If the content is sensitive, always set a user (open) password.

Emailing the password alongside the file

If an attacker intercepts the email, they get both the encrypted file and the key to open it. Send the password through a separate channel. A text message, a Signal message, or a phone call all work. The goal is to ensure that compromising one communication channel doesn't give access to both the file and its password.

Forgetting to verify the output

After encrypting, close the file completely and reopen it. Confirm the password prompt appears. Confirm you can enter the password and view the content. Confirm that permission restrictions (if set) are applied. It takes 30 seconds and saves you from sending an unprotected file thinking it was locked.

Using weak encryption defaults

Some tools default to 40-bit or 128-bit RC4 for compatibility with very old PDF readers. Unless you need to support Acrobat 5 (released in 2001), there's no reason to use anything weaker than AES-128. Check the encryption settings before saving.
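To confirm which cipher a tool actually applied and which permission flags it set, you can read the file's /Encrypt dictionary directly. The sketch below is an added example, not code from this guide's tools or from qpdf; it assumes the dictionary is a plain indirect object found by a regex scan, and the two sample inputs are constructed fragments. It reports what the file declares and cannot tell whether the user password is empty, so still reopen the file to confirm the prompt appears.

```python
import re

# Permission flags in /P, keyed by 1-indexed bit position (PDF specification).
PERMISSION_BITS = {3: "print", 4: "modify", 5: "copy/extract", 6: "annotate",
                   9: "fill forms", 11: "assemble", 12: "high-quality print"}

def audit_encryption(pdf: bytes) -> dict:
    """Report the cipher and permission flags a PDF's /Encrypt dictionary declares."""
    if b"/Encrypt" not in pdf:
        return {"encrypted": False, "cipher": None, "weak": True, "denied": []}
    marker = re.search(rb"/Filter\s*/Standard", pdf)
    if marker is None:
        raise ValueError("no standard security handler dictionary found")
    # Slice out the enclosing object; the encryption dictionary itself is plaintext.
    start = max(pdf.rfind(b"obj", 0, marker.start()), 0)
    end = pdf.find(b"endobj", marker.end())
    body = pdf[start:end if end != -1 else len(pdf)]

    def num(key: bytes, default: int) -> int:
        hit = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
        return int(hit.group(1)) if hit else default

    version = num(b"V", 0)
    cfm = re.search(rb"/CFM\s*/(\w+)", body)
    method = cfm.group(1).decode() if cfm else ""
    if version == 5 and method == "AESV3":
        cipher = "AES-256"
    elif version == 4 and method == "AESV2":
        cipher = "AES-128"
    elif version == 4:  # assumption: any other crypt filter method is RC4 (/V2)
        cipher = "RC4 (crypt filter)"
    elif version in (1, 2):  # V 1 is fixed at 40 bits; V 2 declares /Length
        cipher = f"RC4-{40 if version == 1 else num(b'Length', 40)}"
    else:
        cipher = "unknown"
    perms = num(b"P", -1)  # signed 32-bit value; a cleared bit denies the action
    denied = [name for bit, name in PERMISSION_BITS.items()
              if not (perms >> (bit - 1)) & 1]
    return {"encrypted": True, "cipher": cipher,
            "weak": not cipher.startswith("AES"), "denied": denied}

# Constructed fragments (not complete PDFs): an AES-256 file that denies printing
# and copying, and a legacy RC4 file that allows everything.
MODERN = (b"%PDF-1.7\n5 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 /P -2072\n"
          b"/CF << /StdCF << /AuthEvent /DocOpen /CFM /AESV3 /Length 32 >> >>\n"
          b"/StmF /StdCF /StrF /StdCF >>\nendobj\n"
          b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n")
LEGACY = (b"%PDF-1.4\n7 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -4 >>\n"
          b"endobj\ntrailer\n<< /Root 1 0 R /Encrypt 7 0 R >>\n")
```

Call `audit_encryption(open(path, "rb").read())` on a real file; the `denied` list shows that permission restrictions are stored as plain flags next to the encrypted content.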

FAQ

Can I remove the password later?

Yes. Open the protected PDF with the password, then save or export it without encryption. In Preview on macOS, open the file, uncheck Encrypt during Export as PDF, and save. With qpdf: qpdf --decrypt --password=YOURPASS input.pdf output.pdf. Or use our Unlock PDF tool in the browser.

Does password protection reduce quality?

No. Encryption operates on the raw byte stream of the PDF. It does not recompress images, alter fonts, or change the visual content in any way. The encrypted file is the same size (sometimes a few bytes larger due to encryption metadata) and looks identical when decrypted. Tools that re-render during encryption (like Ghostscript) might introduce subtle changes — but that's the re-rendering, not the encryption itself.

Is PDF encryption strong enough for sensitive data?

AES-256 PDF encryption with a strong password is considered adequate for most business and personal use cases. It will stop casual access, opportunistic snooping, and unsophisticated attackers. It would not meet the requirements for classified government documents or data subject to specific regulatory encryption mandates (like FIPS 140-2 validated modules), but for contracts, tax documents, medical records in transit, and similar use cases, it's appropriate.

Can I batch-protect multiple PDFs at once?

With command-line tools, yes. A simple shell loop handles it:

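for f in *.pdf; do
  # Skip output files left over from an earlier run
  case "$f" in protected_*) continue ;; esac
  # Owner password matches the user password: qpdf rejects an empty one with 256-bit keys
  qpdf --encrypt mypassword mypassword 256 -- "$f" "protected_$f"
done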

This encrypts every PDF in the current directory with the same password. Adjust as needed for different passwords per file (pull from a CSV, use the filename as a seed for a generated password, etc.).
