
Understanding PDF Security: Encryption and Permissions Explained

A deep dive into how PDF password protection actually works — owner vs. user passwords, encryption algorithms, and what they really protect.

Daniel Morgan · Lead Developer · January 5, 2026 · 10 min read

The Two Types of PDF Passwords

Most people think of "password-protecting a PDF" as a single action, but the PDF specification actually defines two distinct passwords with very different purposes:

User Password (Open Password)

The user password restricts who can open and view the document. Without this password, the PDF viewer cannot decrypt the file's contents — the user sees nothing. This is the stronger of the two protections because the document data is genuinely encrypted: without the key, the content is scrambled bytes.

Owner Password (Permissions Password)

The owner password controls what a user can do with the document after opening it. Permissions include:

  • Printing (low-resolution or high-resolution)
  • Copying text and images
  • Editing or modifying content
  • Filling in form fields
  • Annotating and commenting
  • Assembling the document (inserting, deleting, or rotating pages)

A PDF can have an owner password without a user password. In that case, anyone can open and read the document, but certain actions (like printing or copying) are restricted — at least in theory.

The Important Caveat

Owner-password permissions are enforced by the PDF viewer software, not by the encryption itself. A compliant viewer like Adobe Acrobat will respect the restrictions. However, non-compliant tools or open-source libraries can trivially ignore permission flags and allow full access to the document content. This means owner-password protection should be treated as a polite request, not a security guarantee.

If you truly need to prevent someone from accessing a document's content, use a user password (open password) — this applies actual encryption to the data.
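To make the "polite request" concrete: the permissions listed above are stored as a single 32-bit integer, the /P entry of the file's encryption dictionary, and a viewer simply reads its bits. The decoder below is an added example, not SmartPDFSuite code; the bit positions come from the PDF specification's permission table, and the sample /P values are constructed.

```python
# Added example. Bit numbers are 1-based positions in the 32-bit /P value,
# taken from the PDF specification's permission table (not from this article).
PERMISSION_BITS = {
    3: "print",
    4: "modify content",
    5: "copy text and images",
    6: "annotate and comment",
    9: "fill in form fields",
    10: "extract for accessibility",
    11: "assemble document",
    12: "print high-resolution",
}


def decode_permissions(p: int) -> dict:
    """Map a /P integer to {permission name: allowed?}."""
    if not -(2**31) <= p < 2**32:
        raise ValueError("/P must fit in 32 bits")
    flags = p & 0xFFFFFFFF  # /P is usually written as a signed 32-bit number
    return {name: bool((flags >> (bit - 1)) & 1)
            for bit, name in PERMISSION_BITS.items()}


def restricted(p: int) -> list:
    """Names of the actions a compliant viewer would refuse."""
    return sorted(n for n, allowed in decode_permissions(p).items() if not allowed)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real document.
    for p in (-1, -44, -3904):
        print(p, "->", restricted(p) or "nothing restricted")
```

Use it when auditing what a received or generated file claims to restrict; nothing in the flag word itself stops software that chooses not to read it.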

Encryption Algorithms in PDF

The PDF specification has supported several encryption algorithms over its history:

RC4 (40-bit and 128-bit)

RC4 was the original encryption algorithm used in PDF. The 40-bit variant (PDF encryption revision 2) is now considered completely insecure — it can be cracked in seconds on modern hardware. The 128-bit variant (revision 3) is stronger but has known theoretical vulnerabilities and is considered deprecated by security professionals.

AES-128

Introduced in PDF version 1.6, AES-128 (Advanced Encryption Standard with 128-bit keys) is a significant improvement over RC4. AES is a symmetric block cipher approved by NIST and used globally for secure communications. PDF encryption revision 4 uses AES-128.

AES-256

The strongest encryption option available in PDF, AES-256 (revision 6) uses 256-bit keys and is the current gold standard. It is the same algorithm used by governments and financial institutions to protect classified information. No practical attack against AES-256 exists — brute-forcing a 256-bit key would take longer than the age of the universe with current technology.

Recommendation: Always use AES-256 when encrypting PDFs. SmartPDFSuite's Protect tool uses AES-256 by default.
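One way to verify which algorithm a file actually uses is to read the revision (/R), key length (/Length) and crypt filter method (/CFM) from its encryption dictionary. The check below is an added example, not SmartPDFSuite code; the dictionaries are constructed samples, the regex lookup is a simplification of real PDF parsing, and the /CFM names (V2, AESV2, AESV3) come from the PDF specification rather than from this article.

```python
import re

# Constructed /Encrypt dictionaries (password entries /O and /U omitted).
SAMPLES = {
    "rc4-40": b"<< /Filter /Standard /V 1 /R 2 /P -44 >>",
    "rc4-128": b"<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >>",
    "aes-128": b"<< /Filter /Standard /V 4 /R 4 /Length 128 /P -3904"
               b" /CF << /StdCF << /CFM /AESV2 /Length 16 >> >> >>",
    "aes-256": b"<< /Filter /Standard /V 5 /R 6 /Length 256 /P -3904"
               b" /CF << /StdCF << /CFM /AESV3 /Length 32 >> >> >>",
}


def _int(d: bytes, key: bytes, default=None):
    """First integer value of /key in the dictionary text, or default."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", d)
    return int(m.group(1)) if m else default


def classify(encrypt_dict: bytes) -> dict:
    """Report the cipher in use and whether it meets an AES-256-only policy."""
    rev = _int(encrypt_dict, b"R")
    if rev is None:
        raise ValueError("no /R entry: not a standard password-security dictionary")
    cfm = re.search(rb"/CFM\s*/(\w+)", encrypt_dict)
    method = cfm.group(1).decode() if cfm else None
    if method == "AESV3":
        cipher, bits = "AES", 256
    elif method == "AESV2":
        cipher, bits = "AES", 128
    else:
        # No crypt filter, or /CFM /V2: the streams are RC4-encrypted.
        # /Length is the key size in bits and defaults to 40 when absent.
        cipher, bits = "RC4", _int(encrypt_dict, b"Length", 40)
    ok = cipher == "AES" and bits == 256 and rev >= 6
    return {"revision": rev, "cipher": f"{cipher}-{bits}", "meets_policy": ok}


if __name__ == "__main__":
    for name, d in SAMPLES.items():
        print(name, classify(d))
```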

How Password-Based Encryption Works in PDF

When you set a password on a PDF, the following happens:

1. Key derivation. The password you enter is run through a key-derivation function (a hash algorithm like SHA-256 combined with salt and iteration) to produce an encryption key.

2. Content encryption. The file's content streams — the binary data that represents text, images, and page layout — are encrypted using the derived key and the chosen algorithm (AES-256).

3. Metadata handling. By default, document metadata (title, author, subject) is not encrypted, so it remains visible in file browsers. Some tools offer an option to encrypt metadata as well.

4. Storage. The encrypted file, along with validation data (hashed password references and algorithm identifiers), is saved as the output PDF.

When a user opens the file:

1. The viewer prompts for the password.

2. The password is processed through the same key-derivation function.

3. The resulting key is tested against the stored validation data.

4. If it matches, the content streams are decrypted and the pages are rendered.
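The open-time check described above, sketched as an added example (not SmartPDFSuite code; `make_user_entry` and `check_user_password` are hypothetical names). It uses the 48-byte /U record layout of AES-256 PDFs (32-byte hash, 8-byte validation salt, 8-byte key salt) with a single salted SHA-256, the simpler form from the older revision 5 extension; revision 6 keeps the layout but replaces the single hash with an iterated one. Password normalization is skipped and all values are constructed.

```python
import hashlib
import hmac
import os


def _prep(password: str) -> bytes:
    # The password is UTF-8 encoded and truncated to 127 bytes before hashing.
    return password.encode("utf-8")[:127]


def make_user_entry(password: str) -> bytes:
    """Build the validation data saved in the file: hash + two salts."""
    validation_salt = os.urandom(8)
    key_salt = os.urandom(8)
    digest = hashlib.sha256(_prep(password) + validation_salt).digest()
    return digest + validation_salt + key_salt


def check_user_password(password: str, u_entry: bytes):
    """Return the 32-byte intermediate key if the password matches, else None."""
    if len(u_entry) != 48:
        raise ValueError("expected a 48-byte /U entry")
    stored = u_entry[:32]
    validation_salt = u_entry[32:40]
    key_salt = u_entry[40:48]
    candidate = hashlib.sha256(_prep(password) + validation_salt).digest()
    if not hmac.compare_digest(candidate, stored):
        return None
    # A second salt derives the key that unwraps the file encryption key,
    # so the stored validation hash is never itself usable as a key.
    return hashlib.sha256(_prep(password) + key_salt).digest()


if __name__ == "__main__":
    entry = make_user_entry("correct horse battery staple")  # constructed
    print("wrong password ->", check_user_password("letmein", entry))
    print("right password ->", check_user_password(
        "correct horse battery staple", entry).hex())
```

Everything the check needs is stored in the file itself, so the password is the only secret; its length and unpredictability decide how well the document is protected.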

What PDF Encryption Does Not Protect

Understanding the limits of PDF security is as important as knowing its strengths:

  • Screen capture. Once a document is decrypted and displayed on screen, there is nothing stopping someone from taking a screenshot.
  • Memory extraction. On a compromised system, the decrypted content exists in RAM and can potentially be extracted.
  • Weak passwords. No practical attack against AES-256 itself exists, but the password that generates the encryption key can be guessed. A four-digit numeric password can be cracked in seconds. Use long, complex passwords.
  • Metadata leakage. Unless explicitly encrypted, the document's title, author, and creation date remain visible.
  • Permissions without a user password. As mentioned earlier, owner-password permissions are advisory, not cryptographic.

Best Practices for PDF Security

1. Always use AES-256. Avoid tools that default to older RC4 encryption.

2. Set a strong user password. At least 12 characters with a mix of cases, numbers, and symbols.

3. Don't rely solely on owner passwords for sensitive content. If the content is truly confidential, use unit-level access controls (secure file sharing, encrypted storage) in addition to PDF encryption.

4. Encrypt metadata when possible. Prevent casual exposure of document titles and author names.

5. Communicate passwords securely. Never send the password in the same email as the PDF. Use a separate channel (phone, messaging app, in person).

6. Keep the unencrypted original in secure storage. If you forget the password, encrypted content is irrecoverable by design.

Frequently Asked Questions

Can someone crack an AES-256 encrypted PDF?

Not through brute force on the encryption — that is computationally infeasible. However, they could attempt to crack the password via dictionary attacks or brute-force guessing if the password is weak. Use a strong password.

Is it safe to email a password-protected PDF?

It is safer than emailing an unprotected one, but the security depends on the password strength and how securely you share the password. For highly sensitive documents, consider using a secure file-sharing platform in addition to PDF encryption.

What happens if I forget the password?

If you set a user (open) password and lose it, the content is permanently inaccessible. There is no backdoor in AES encryption. This is a feature, not a bug — it means your documents are genuinely secure.

Do all PDF tools support AES-256?

No. Some older or basic tools only support RC4 or AES-128. Always verify which encryption algorithm is being used. SmartPDFSuite uses AES-256 exclusively.

Daniel Morgan

Lead Developer at SmartPDFSuite

Daniel leads engineering at SmartPDFSuite, specializing in PDF internals, document encryption, and high-performance file processing. He writes in-depth guides drawing on hands-on development experience.
