PDF password protect (AES)

Add a password and permission restrictions to a PDF in your browser.

Up to 200 MB. PDF stays on your device — encryption runs locally in a worker.

Quick start

How to password-protect a PDF

Add 128-bit AES encryption + permission flags to a PDF, entirely in your browser.

  1. Drop or pick a PDF

    Drag the PDF onto the drop zone, click to pick it, or paste from the clipboard. The file stays on your device.

  2. Set a password and permissions

    Enter a strong password (12+ characters with mixed character classes), confirm, and pick which actions readers are allowed to perform.

  3. Protect and download

    Hit Protect PDF. A Web Worker encrypts the document with @cantoo/pdf-lib and you download <basename>-protected.pdf.

In-depth guide

Add a password to a PDF in your browser — full guide

This tool adds 128-bit AES encryption to a PDF so that opening it requires a password. Everything runs locally — the file is encrypted by @cantoo/pdf-lib (a maintained fork of pdf-lib with AES support added) inside a Web Worker in your browser. The file bytes never reach a server, never get logged, and your password is never sent anywhere.

When password protection actually helps

PDF passwords are useful for:

  • Sharing sensitive personal documents (tax forms, ID copies, medical records) over email, messengers or cloud drives where the link itself can leak.
  • Compliance checklists that require "at-rest" encryption on PDFs carrying personal data.
  • Adding friction against casual snooping by someone who finds the file on a shared drive or backup.

What it's not a substitute for:

  • Strong access controls on the underlying storage. A PDF password protects the file but anyone with read access to the bytes can attempt to crack it.
  • End-to-end encryption for streaming / transit. For that, use a proper E2EE channel (Signal, encrypted email) — don't rely on PDF passwords for transport security.

User password vs owner password

Store the owner password somewhere safe — there is no recovery. If you lose it, the document remains openable but its permission flags can never be changed.

PDF supports two separate passwords:

  • User password (also called the "open" password) — required just to view the document. Without it, every PDF reader refuses to render the file.
  • Owner password — required to change the permission restrictions ("can the reader print? copy text? edit?"). Knowing the owner password bypasses all permission limits.

By default this tool uses the same value for both, which is the safest behaviour: anyone who can open the file has full rights to it. Tick "Use a separate owner password" only when you want to hand the user password to readers but retain ultimate control yourself — useful for "view-only with my approval to edit" workflows.

Permission flags explained

PDF defines seven permission flags. These are honoured by all compliant readers (Acrobat, Preview, Foxit, browser viewers). Each flag below is what the reader is allowed to do — uncheck to forbid:

  • Printing — output to paper or to PDF.
  • Copying text + images — select and copy content from the page.
  • Modifying content — change page content with PDF editors.
  • Annotations — add highlights, sticky notes, drawings.
  • Form filling — fill out interactive AcroForm fields.
  • Accessibility tools — screen readers can extract text. Leave on unless legally required to disable.
  • Page assembly — reorder, rotate, insert and delete pages.

A common "view only" preset: printing on, accessibility on, everything else off.
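In the file itself, the seven toggles above are stored as bits of the signed 32-bit /P entry in the encryption dictionary (ISO 32000-1, Table 22), where printing covers two bits (bit 3 and bit 12, high-quality print). The following is an added example, not the tool's own code: it encodes the "view only" preset and audits a /P value for combinations that deserve a second look. The key names and function names are hypothetical.

```javascript
// Added example: the page's seven toggles mapped to /P bits (ISO 32000-1, Table 22).
// Key and function names are hypothetical, not the tool's own.
const BITS = {
  printing: 1 << 2,       // bit 3
  modifying: 1 << 3,      // bit 4
  copying: 1 << 4,        // bit 5
  annotations: 1 << 5,    // bit 6 (also permits form filling)
  formFilling: 1 << 8,    // bit 9
  accessibility: 1 << 9,  // bit 10
  pageAssembly: 1 << 10,  // bit 11
};
const HIGH_QUALITY_PRINT = 1 << 11;   // bit 12, set together with printing here
const RESERVED_ONES = 0xfffff0c0 | 0; // bits 7-8 and 13-32 must be 1 (= -3904)

// Build the signed 32-bit /P value from an object of allowed actions.
function encodePermissions(allowed) {
  let p = RESERVED_ONES;
  for (const [name, mask] of Object.entries(BITS)) {
    if (allowed[name]) p |= mask;
  }
  if (allowed.printing) p |= HIGH_QUALITY_PRINT;
  return p | 0;
}

// Decode /P into the seven toggles and list combinations worth reviewing.
function auditPermissions(p) {
  const allowed = {};
  for (const [name, mask] of Object.entries(BITS)) {
    allowed[name] = (p & mask) !== 0;
  }
  const warnings = [];
  if ((p & 0x3) !== 0 || (p & RESERVED_ONES) !== RESERVED_ONES) {
    warnings.push("reserved bits are malformed");
  }
  if (!allowed.accessibility) warnings.push("screen readers are locked out");
  if (allowed.annotations && !allowed.formFilling) {
    warnings.push("bit 6 still permits form filling");
  }
  return { allowed, warnings };
}

// The "view only" preset: printing on, accessibility on, everything else off.
const VIEW_ONLY = encodePermissions({ printing: true, accessibility: true });
console.log(VIEW_ONLY, auditPermissions(VIEW_ONLY));
```
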

Honest limits — what PDF encryption protects against

PDF encryption protects the file bytes. Once a legitimate reader has the password, the decrypted content lives in memory and can be re-saved, screenshotted, printed to a fresh PDF (stripping all permissions), or rendered to images via any headless tool. Permission flags are advisory — non-compliant tools can simply ignore them.

What protection you actually get:

  • Encryption-at-rest — without the password, the file is genuinely unreadable. Brute-forcing a strong password is impractical.
  • Honest-reader compliance — Acrobat, Preview, Foxit, browser viewers etc. respect the permission flags, so casual users can't print / copy / edit.

What it doesn't give you:

  • DRM — once decrypted, the content can be freely re-exported.
  • Tamper detection — for that you need PDF digital signatures, which this tool does not add.
  • Strong protection against weak passwords — PDF passwords are subject to standard offline brute-force / dictionary attacks. Use a long, random password (12+ characters with mixed character classes).

Frequently asked questions

Is my PDF uploaded anywhere?

No. The PDF is loaded and encrypted by @cantoo/pdf-lib running inside a Web Worker in your browser. Open DevTools → Network while protecting and you'll see zero outbound requests for your file.

What kind of encryption is applied?

128-bit AES (PDF security handler revision 4). This is the same level of protection used by most modern PDFs from Office / Acrobat / LibreOffice. Anyone trying to open the file without the password gets the standard PDF reader "this document is password protected" prompt.

What's the difference between the user and owner password?

The user (or "open") password is required to open the file. The owner password is required to bypass the permission restrictions (print / copy / edit toggles). By default we use the same value for both — that's the safest behaviour for most users. Tick "Use a separate owner password" only if you want to share the user password with readers and keep full control yourself.

What permissions can I restrict?

Printing, copying text + images, modifying content, adding annotations, filling form fields, accessibility tool access, and page assembly (reorder / rotate / delete pages). These are the standard PDF permission flags defined by the ISO 32000 PDF spec.

Should I disable accessibility tool access?

Almost never. Disabling "Allow accessibility tools" prevents screen readers from reading the document — that locks out blind and low-vision users. Leave it on unless you have a very specific legal reason to disable it.

Can a determined attacker bypass these permissions?

Yes — PDF permissions are advisory. Compliant readers (Adobe Reader, Preview, Foxit, browser viewers) respect them, but bad-faith tools can ignore the flags entirely. Permissions are useful for honest readers; for actual data confidentiality you need a strong user password.

How strong should my password be?

Use at least 12 characters with a mix of upper, lower, digits and symbols. Short or common PDF passwords are exposed to known brute-force attacks. The strength indicator below the password field is a quick sanity check.

Can I encrypt a PDF that's already encrypted?

No — you need to unlock it first using /tools/pdf-unlock. Then come back here to re-encrypt with the new settings.

Will the password survive editing / merging / converting?

It depends on the downstream tool. Most editors will preserve encryption, but converting to another format (DOCX, images, etc.) decrypts on read and the output is unencrypted. If you need protection on the output of another tool, run that tool first and re-protect at the end.

Why isn't 256-bit AES offered?

Older PDF readers and some corporate environments still trip on AES-256 (PDF security handler revision 6). 128-bit AES is universally supported and is plenty for protecting against opportunistic access. If you have a specific need for AES-256, let us know.
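The handler revisions named in "What kind of encryption is applied?" and in the answer above can be confirmed on a protected file by reading its /Encrypt dictionary. This is an added example, not the tool's code: it classifies the dictionary text by revision and crypt filter method. `describeEncryption`, `intEntry` and the sample dictionary are constructed for illustration, and locating the dictionary inside the file is assumed to be done already.

```javascript
// Added example: classify a PDF /Encrypt dictionary by security handler revision.
// SAMPLE_R4 is constructed for illustration (/O and /U entries omitted).
const SAMPLE_R4 = `<< /Filter /Standard /V 4 /R 4 /Length 128
  /CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >>
  /StmF /StdCF /StrF /StdCF /P -1340 >>`;

// Read an integer entry such as "/R 4"; the \s+ keeps "/V" from matching "/V2".
function intEntry(dict, key) {
  const m = dict.match(new RegExp(`/${key}\\s+(-?\\d+)`));
  return m ? Number(m[1]) : null;
}

function describeEncryption(dict) {
  // Only the standard (password-based) security handler is interpreted here.
  if (!/\/Filter\s*\/Standard\b/.test(dict)) {
    return { revision: null, cipher: "unknown handler", permissions: null, aes128r4: false };
  }
  const revision = intEntry(dict, "R");
  const cfm = (dict.match(/\/CFM\s*\/(\w+)/) || [])[1] || null;
  let cipher = "unknown";
  if (revision === 2 || revision === 3) {
    cipher = "RC4";                       // legacy handlers, no crypt filters
  } else if (revision === 4) {
    // Revision 4 allows either RC4 (/V2) or AES-128 (/AESV2) crypt filters.
    cipher = cfm === "AESV2" ? "AES-128" : cfm === "V2" ? "RC4" : "unknown";
  } else if (revision === 5 || revision === 6) {
    cipher = cfm === "AESV3" ? "AES-256" : "unknown";
  }
  return {
    revision,
    cipher,
    permissions: intEntry(dict, "P"),     // raw signed /P value
    aes128r4: revision === 4 && cipher === "AES-128",
  };
}

console.log(describeEncryption(SAMPLE_R4));
```

A revision 4 dictionary whose crypt filter is /V2 is RC4, not AES, so checking /R alone is not enough to confirm the 128-bit AES described on this page.
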
