Password-Protect a PDF with AES-128 and an Opening Password
Protect PDF applies AES-128 locally with an opening password. Printing, copying, editing, and annotation settings are reader-dependent flags, not a security boundary.
The protection can be removed later with a correct password and supported encryption. Unlocking or otherwise re-saving a certificate-signed PDF can invalidate its digital signature.
Why password protect a PDF
PDF is widely used for invoices, contracts, reports, and ID scans. When a PDF is not encrypted, anyone who obtains the file can generally open its contents; an opening password adds access control for supported readers.
Common scenarios where protection matters:
- Tax documents to your accountant — W-2s, 1099s, and returns contain SSNs, income, and bank details.
- Contracts with clients — NDAs, SOWs, and agreements often include pricing, terms, and personal data.
- Sensitive records — Insurance forms, lab results, and prescriptions may contain private information.
- Intellectual property — Draft patents, research papers, and product specs are valuable targets.
- Confidential reports — Board reports, financial statements, and HR documents need restricted access.
Two types of PDF passwords
PDF encryption supports two distinct password types, and they serve different purposes:
Open password (user password) — The output uses the PDF Standard security handler with AES-128. A compatible reader needs the correct user or owner password to decrypt and open it. A weak, reused, or guessable password weakens practical protection.
Permissions password (owner password) — Allows opening the PDF but restricts specific actions: printing, copying text, editing, or filling forms. The restriction relies on PDF reader software honoring the flag, which means determined users with the right tools can sometimes bypass it.
For genuine confidentiality, set an open password. Permissions passwords add a layer of convenience control but should not be your only line of defense for sensitive content.
How to protect a PDF with PDFGem
The workflow has five steps:
- Open Protect PDF — no account, no installation.
- Drop your PDF into the upload area or click to browse your files.
- Set your password — use a long, unique password and store it safely. Avoid common words, predictable patterns, and reuse.
- Click Protect — AES-128 encryption is applied to the PDF in your browser.
- Download the encrypted PDF — the protected file saves directly to your device.
The file and password are processed locally in the browser; PDFGem does not send the PDF contents to a server to apply protection. The page may still make ordinary network requests that do not contain your document. Also consider the security of your browser, extensions, device, and download folder.
This matters especially for a security tool. When you're encrypting a document because it contains sensitive information, the last thing you want is to upload that same document to a third-party server first.
How strong is AES-128 encryption
PDFGem normalizes the output header to PDF 1.7. In the bundled encryption library, that selects the Standard security handler with revision 4, an AESV2 crypt filter, and a 128-bit key: AES-128.
The password is part of the security of the result. Attackers can test common or reused passwords without exhaustively searching the AES key space, so choose a long, unique value and keep it in a password manager or another appropriate secure store.
AES-128 does not make every password equally safe and does not control what an authorized recipient does after opening the file.
Building a strong password
For this use case, prioritize a password that is long, unique to the document or exchange, difficult to guess, and stored so you do not lose access.
Practical recommendations:
- Prefer length and unpredictability — a longer random password or uncommon passphrase is generally harder to guess than a short pattern.
- Avoid personal or document clues — names, dates, company terms, and filename fragments are easier to test.
- Do not assume symbols guarantee strength — predictable substitutions remain guessable.
- Never reuse passwords — If you use the same password for your PDF and your email account, a breach in one compromises the other.
- Use a password manager — Tools like Bitwarden or 1Password generate and store strong passwords. You don't have to remember them.
Sharing the password safely
Encrypting a PDF and then emailing the password in the same thread defeats the purpose. If someone intercepts the email, they get both the locked file and the key.
Better approaches:
- Separate channel — Send the PDF by email and the password by text message, phone call, or messaging app (Signal, WhatsApp).
- Password manager shared vault — If both people use a password manager with encrypted sharing, send the password through its shared-vault feature and follow that provider's access and recovery guidance.
- Pre-agreed password — For recurring exchanges (monthly reports to the same client), agree on a password in advance during a meeting or call.
When to add extra security layers
Password protection is one layer. For high-stakes documents, consider stacking these tools:
- Flatten PDF — PDFGem flattens compatible AcroForm fields only. It does not flatten annotations, make a file tamper-proof, or prevent later editing.
- PDF Watermark — A visible label can communicate status, but it is not access control and does not make redistribution traceable by itself.
- Sign PDF — This tool adds a visible signature image, not a certificate-based digital signature, identity check, or cryptographic integrity proof.
Choose each feature for its actual purpose. Password encryption controls opening; reader permission flags are advisory; flattening compatible form fields changes presentation; watermarks and visible signature images communicate information but do not prove authenticity.
Limitations to keep in mind
Password protection is a strong deterrent, but it is not magic:
- Weak passwords can be guessed — common, short, reused, or predictable passwords reduce practical protection.
- Permissions passwords are advisory — Some PDF tools ignore permissions restrictions and allow printing or copying regardless. For real protection, use an open password.
- Once decrypted, the content is free — After entering the password, the recipient can screenshot, print, or copy the content. Encryption controls access, not what happens after access is granted.
- PDFGem has no recovery flow — keep the password safely. Whether another recovery method exists depends on the file, password, and software; do not rely on one.
These aren't weaknesses of PDFGem — they're inherent to how PDF encryption works. Understanding them helps you make better security decisions.
If you're interested in how online PDF tools handle your files more broadly, read our guide on PDF privacy and what happens when you upload documents to online tools.
Ready to encrypt? Open Protect PDF, choose a strong unique password, download the AES-128 encrypted copy, and verify it in the PDF reader your recipient will use.
Frequently Asked Questions
What type of encryption is used?
PDFGem writes PDF 1.7 Standard security revision 4 with an AESV2 crypt filter and a 128-bit key: AES-128.
What's the difference between user and owner password?
The user password is required to open the PDF. The owner password sets permission flags, but their enforcement depends on the PDF reader.
Can I restrict printing or copying?
You can request restrictions on printing, modifying, copying, and annotations. These flags are enforced by compatible readers and may be ignored by other software.
Is my password stored anywhere?
No. Your password is used only during encryption in your browser and is never sent to any server.
Can the protection be removed later?
Yes, with the correct password and supported encryption. Unlocking or otherwise re-saving a certificate-signed PDF can invalidate its digital signature.