PDF Protector

Local qpdf encrypt {{ engineBadge }} {{ sourceBadge }} {{ passwordBadge }} {{ outputBadge }} {{ encryptionTargetLabel }}

Source PDF:

Drop or browse one PDF. File bytes stay in this browser for structure checks, qpdf encryption, and the protected download.

Open password:

Use a long unique passphrase; the report records only length and strength, not the password value.

Owner password:

Recommended when restrictions are planned; leave blank only when the production engine will generate/store it safely.

Permission profile:

Choose the intended reader behavior for printing, copying, and editing after the open password is accepted.

Encryption target:

Select the qpdf standard security target for the protected PDF written in this browser session.

Encrypt metadata:

Keep metadata encrypted unless a recipient requires title or author fields to remain visible.

Authorization confirmation:

Required before any production encryption worker should run.

Target filename:

Leave blank to derive a future output name from the selected PDF.

Browser scan limit:

Raise only on a capable desktop browser. Production encryption should run in a bounded worker.

Gate	Status	Evidence	Next action	Copy
{{ row.gate }}	{{ row.status }}	{{ row.evidence }}	{{ row.action }}

Signal	Value	Detail	Copy
{{ row.signal }}	{{ row.value }}	{{ row.detail }}

Setting	Value	Handoff	Copy
{{ row.setting }}	{{ row.value }}	{{ row.handoff }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

A PDF often leaves the place where it was created. It may be attached to a board pack, sent to a client, shared with reviewers, archived with business records, or moved through ordinary file-sharing systems. Password protection is useful when the document should remain a normal PDF but still require a secret before the pages can be opened.

PDF protection has two passwords with different jobs. The open password, sometimes called the user password, controls access to the encrypted document. The owner password controls security changes and is tied to permission flags such as printing, copying text, editing pages, filling forms, adding annotations, or assembling pages. The open password is the gate. The permission flags are instructions that conforming PDF readers are expected to honor after the file is decrypted.

Those permission flags are often misunderstood. They are not the same as redaction, digital signatures, managed document rights, or secure storage. Once a recipient can decrypt and view a file, software behavior matters: a conforming reader should respect the restrictions, but a tool that ignores PDF permissions may still expose content after the password has been supplied. Protection should therefore be treated as access control for the document copy, not as a guarantee that every downstream program will enforce every rule.

PDF password protection concepts
Concept	What It Controls	Common Mistake
Open password	Whether the encrypted PDF can be opened and decrypted.	Using a short or reused password because the file itself feels protected.
Owner password	Who can change security settings or bypass permission restrictions.	Leaving it the same as the open password when restrictions are supposed to matter.
Permission flags	Requested reader behavior for printing, copying, editing, forms, annotations, and assembly.	Treating permissions as cryptographic proof that no reader can copy or print content.
Metadata encryption	Whether title, author, and other document metadata stay hidden with the protected content.	Protecting pages while leaving workflow clues visible in document properties.

Reader compatibility also shapes the choice. AES-256 standard security is the normal target for current protected copies, while AES-128 compatibility may be needed when a recipient uses an older or limited reader. Metadata encryption should stay on unless a receiving system explicitly needs visible title or author fields. Signed or already encrypted PDFs need extra care because rewriting the file can invalidate signatures or require owner-approved access to existing security settings.

Protect only documents you own, administer, or have explicit permission to handle.
Use a long unique passphrase and share it through a separate approved channel.
Remove sensitive content before protection; do not rely on password protection as redaction.
Test the protected copy in the reader your recipient will use, especially when permission restrictions matter.

The practical finish is not just an encrypted file. It is a new PDF that opens with the intended password, rejects an incorrect password, preserves the pages you expect, and behaves acceptably in the recipient's PDF reader.

How to Use This Tool:

Start with one owner-approved PDF and avoid placing password values in notes, screenshots, exported reports, or chat.

Select the source with Browse PDF or the drop area. The local scan checks the PDF header, tail marker, object hints, encryption dictionary, signature markers, interactive content, and metadata signals.
Turn on Authorization confirmation. The Protection Gate remains blocked until ownership or explicit permission is confirmed.
Enter an Open password. Aim for Strong or High; Weak and Fair passwords stop the protection run.
Choose the Permission profile. If the profile restricts printing, copying, forms, annotation, assembly, or editing, enter a distinct Owner password.
Keep AES-256 PDF standard security for ordinary protected copies. Use AES-128 compatibility mode only for a recipient reader that needs it, and keep Encrypt metadata on unless visible metadata is required.
Open Advanced only when the target filename or Browser scan limit needs adjustment. The default local work limit is 80 MB, and the control accepts 10 MB to 200 MB.
Run Protect PDF after the gate rows pass. If the source is oversized, already encrypted, signed, missing a PDF header, or using a weak open password, correct that condition before continuing.
Download the result from Protected PDF, then read Password verification and test the file with the intended password and a deliberately wrong password in a PDF reader.

Interpreting Results:

Protection Gate is the readiness checklist. A trustworthy run has confirmed authorization, a valid PDF source, a file within the configured local limit, a strong open password, suitable owner-password handling, no existing encryption blocker, no signature blocker, and an output that passes password verification.

File Evidence is a practical structure check, not a forensic PDF audit. PDF header and EOF marker catch obvious wrong files and incomplete downloads. Encryption dictionary set to found means the source already appears protected and should not be protected again without an approved rewrite path. Signature markers need review because encryption rewrites can invalidate signed byte ranges.

Password verification carries the most weight after encryption. The protected copy should contain an encryption marker, open with the supplied open password, and reject a wrong password. If verification reports review, do not share the download until the file is regenerated or tested through another approved PDF workflow.

A Strong or High password label is not proof that the password is new, private, or safe to share broadly. Use the meter as a first-pass warning, then manage the secret through your normal password manager or secret-sharing process.

Technical Details:

PDF standard security encrypts the document with a file encryption key. The open password and owner password are used by the standard security handler to recover or authorize use of that key. Permission flags record requested operations, but after a reader has enough information to decrypt the file, enforcement depends on the reader honoring the PDF security rules.

A protected copy is a rewritten PDF, not a generic archive wrapped around the original. That distinction is important for compatibility because PDF readers understand document-open passwords, owner passwords, permission flags, encrypted metadata, and the security dictionary. It also explains why signed or already encrypted PDFs require review: changing bytes can break signatures, and existing security settings may require owner-approved handling.

Rule Core:

The protection run follows a gate-and-rewrite pattern. File checks establish that the selected source is a suitable unencrypted PDF, password checks prevent weak or ambiguous secrets, and output checks verify password behavior before the download is treated as ready.

PDF protection readiness rules
Check	Pass Condition	Why It Matters
Authorization	Authorization confirmation is on.	Protection should only be applied to documents the user owns, administers, or is allowed to handle.
PDF source	The selected file starts with a PDF version header.	A renamed image, text file, or partial download should not be sent to encryption.
Local work limit	File size is no larger than the configured 10 MB to 200 MB limit.	Browser-based processing can duplicate memory while reading and rewriting the PDF.
Existing encryption	No sampled `/Encrypt` marker is found.	Already protected PDFs need authenticated owner-approved rewriting instead of another blind pass.
Signature markers	No visible signature or timestamp markers are found.	Changing encrypted bytes can invalidate a signed byte range.
Output verification	The output opens with the supplied password and rejects a wrong password.	The download should not be trusted until password behavior is tested.

Permission Profiles:

PDF permission profile meanings
Profile	Reader Behavior Requested	Owner Password Guidance
Print allowed, block copy/edit	Full printing remains available; extraction, annotations, forms, assembly, and editing are restricted in conforming readers.	Use a distinct owner password.
View only	Printing, extraction, annotations, forms, assembly, and editing are restricted in conforming readers.	Use a distinct owner password.
Print/copy allowed, block edit	Printing and text or image extraction remain available; document editing, annotations, and assembly are restricted.	Keep the owner password separate when edit restrictions matter.
Open password only	The PDF needs a password to open, but reader permissions remain broadly available after opening.	A separate owner password is not required by the visible gate.

Formula Core:

The password meter estimates a brute-force search space from character length and detected character groups. It does not check reused, common, compromised, patterned, or organization-specific passwords.

\begin{matrix} A & = & a_{lower} + a_{upper} + a_{digit} + a_{symbol} \\ E & = & L \times \log_{2} (\max (A, U)) \end{matrix}

Password strength formula symbols
Symbol	Meaning
`L`	Password length in characters.
`A`	Estimated alphabet size from lowercase, uppercase, digit, and symbol groups detected in the password.
`U`	Number of unique characters in the password.
`E`	Estimated entropy bits shown in password evidence.

A 20-character password using lowercase, uppercase, digits, and symbols has an alphabet estimate of 95, so the displayed estimate is about 20 * log2(95), or 131 bits. A 16-character password can exceed 95 estimated bits but still show Strong rather than High, because the high label also requires at least 18 characters.

Password readiness labels and thresholds
Label	Minimum Length	Minimum Estimate	Gate Meaning
Weak	< 10	< 45 bits	Not ready for protection.
Fair	≥ 10	≥ 45 bits	Still below the open-password target.
Strong	≥ 14	≥ 70 bits	Meets the readiness target for the open password.
High	≥ 18	≥ 95 bits	Indicates a longer passphrase or broader character mix.

Protection Path:

The source is sampled for PDF markers before encryption. The beginning of the file is checked for %PDF-, the tail sample is checked for %%EOF, and visible structure markers are counted for pages, objects, streams, encryption, signatures, forms, attachments, JavaScript, and metadata. Compressed or encrypted object streams can hide exact counts, so these signals are readiness clues rather than a complete parse.

When the gate passes, the PDF is encrypted with the selected AES target, permission profile, owner-password handling, and metadata choice. The resulting copy is then opened with the supplied open password and tested with a wrong password. That verification does not prove every recipient reader will enforce every permission flag, but it does prove the basic password gate on the generated file.

Limitations and Privacy Notes:

The selected PDF bytes and password values are used in the browser session for scanning, encryption, verification, and download. Password values are not written to CSV, DOCX, JSON, or row-copy exports; those reports include posture information such as length, estimated entropy, and whether the owner password is distinct.

The browser loads the qpdf runtime from a public CDN, so normal page and resource requests still occur.
The selected PDF itself is not uploaded by this workflow.
Very large PDFs can exceed browser memory even when the scan limit is raised.
Permission flags are not a substitute for redaction, legal controls, or managed document rights.

Worked Examples:

Board packet ready for distribution

A 42-page, 7.8 MB board packet is selected, Authorization confirmation is on, and the open password reaches High. With Print allowed, block copy/edit, a distinct owner password, AES-256 PDF standard security, and encrypted metadata, the expected path is Protection Gate passing, Protected output becoming ready, and Password verification reporting that the correct password opens while a wrong password fails.

Signed approval form stops at review

A signed approval PDF has a visible Signature markers signal after the local scan. Even with a strong open password and valid PDF header, Protect PDF should remain blocked because rewriting an encrypted copy can invalidate the signed byte range. The corrective path is to confirm the signing workflow or protect a clean unsigned copy before signing.

Already encrypted supplier file

A supplier form already asks for a password when opened. The scan reports Encryption dictionary as found, sometimes with visible version, revision, key length, or permission bits. Treat that as an existing protected PDF and use an authenticated owner-approved rewrite path rather than applying another protection pass.

Oversized source or fake PDF

A 132 MB source exceeds the default 80 MB Browser scan limit, so the file is marked Oversize until the limit is raised on a capable browser or the document is handled elsewhere. A renamed image fails differently: PDF header is missing, the source becomes invalid, and the fix is to choose a real PDF.

FAQ:

Does the tool create a protected PDF download?

Yes. After Protection Gate passes, Protect PDF writes an encrypted copy in the browser, verifies password behavior, and enables Download PDF.

Why are permission restrictions not enough by themselves?

The open password controls decryption. Permission flags tell conforming readers what to allow after opening, so printing, copying, and editing restrictions should be tested in the recipient's reader.

Why is the owner password separate from the open password?

A distinct Owner password separates full-access permission management from the password recipients use to open the PDF, which matters when restrictions are applied.

What does an existing encryption warning mean?

Encryption dictionary set to found means the sampled PDF already appears protected. Authenticate and rewrite that document with approved owner access instead of protecting it again blindly.

Why is Protect PDF disabled?

The action is disabled while scanning or encrypting, before a valid source is scanned, when the file exceeds the work limit, when authorization is off, when the open password is below Strong, when a required owner password is missing, or when existing encryption or signature markers block the run.

Are the passwords included in exports?

No. Exports and row copies include password posture, such as length, estimated entropy, and distinct-owner status, but not the actual open or owner password values.

Glossary:

Open password: The password required to decrypt and open the PDF for reading.
Owner password: The full-access password associated with permission management and security changes.
Permission flags: PDF settings that ask conforming readers to allow or block actions such as printing, copying, editing, annotation, forms, and assembly.
Encryption dictionary: The PDF structure that records security-handler settings such as encryption version, revision, key length, and permission value.
PDF header: The file-opening marker that identifies a document as a PDF and usually includes the PDF version.
Metadata: Document information such as title, author, and workflow details that may disclose information outside the page text.
Signature markers: Visible signs of a digital signature or timestamp whose signed byte range can be invalidated by rewriting the file.

References:

PDF Encryption, qpdf documentation.
Running qpdf, qpdf documentation.
Securing PDFs with passwords, Adobe Acrobat Help.
NIST SP 800-63B: Authentication and Authenticator Management, National Institute of Standards and Technology.