PDF Protector
Plan PDF password protection, permission profiles, metadata handling, local structure checks, and engine readiness before encrypting owner-approved files.
PDF password protection controls who can open a document and what a conforming reader should allow after it opens. It matters when a contract, invoice packet, board paper, or client report needs controlled viewing before it is sent, archived, or handed to a limited group.
A good protection plan checks the source file, the open password, the owner password, permission intent, and the final writer that will rebuild the PDF. The password that opens the document is the access gate. Permission flags for printing, copying, editing, and annotation are separate signals that PDF readers are expected to honor after the file is decrypted.
Password protection is not the same as redaction, digital signing, or secure document storage. A protected PDF can still reveal its file name, routing history, or visible content to anyone who has the right password, and permission limits can be ignored by software that does not follow PDF reader rules. Sensitive content should be removed or redacted before protection is applied.
Existing protection and digital signatures need extra care. A PDF that already has an encryption dictionary should be authenticated and rewritten by a PDF-aware engine, not wrapped in a second blind process. A signed PDF may lose signature validity when bytes are rewritten, even when the visible pages appear unchanged.
Technical Details:
The standard PDF security handler uses an encryption dictionary to describe how document strings and streams are encrypted. The dictionary can include handler version, revision, key length, permission bits, and password-derived values. An open password, often called the user password, controls access to the encrypted content. An owner password grants full control and sets the permissions that conforming readers should apply for users who open the document without owner access.
Permission flags are not a separate lock around the page contents. After a reader has the decryption key, restrictions such as copy, print, annotation, and edit limits depend on the reader respecting the PDF permission bits. That is why a strong open password and careful password handling matter more than relying on permission flags alone.
Preflight signals
The local scan looks for structural markers that affect whether a later protection pass is sensible. These checks do not rewrite the PDF and do not prove that every compressed or encrypted object was inspected, but they catch common handoff problems before a production writer runs.
| Signal | What it means | Decision use |
|---|---|---|
| %PDF- header | Identifies the selected file as a PDF and captures the visible version number. | A missing header blocks trust in the source file. |
| %%EOF marker | Provides a basic tail check that the sampled file looks complete. | A missing marker should trigger a source-file check before protection work continues. |
| /Encrypt dictionary | Shows that PDF security is already present in the sampled structure. | Existing protection should be authenticated and rewritten, not double-protected blindly. |
| /V, /R, /Length, /P | Report the encryption algorithm family, security-handler revision, key length, and permission bits when visible. | These values help decide whether the file is already using older or modern protection semantics. |
| Signature and timestamp markers | Flag signed byte ranges or document timestamp signals. | A production rewrite can invalidate signatures, so signed files need a policy decision first. |
| Forms, attachments, JavaScript, and metadata | Highlight interactive or descriptive content that may affect review and disclosure risk. | Review these signals before changing document security or hiding metadata. |
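A sketch of the marker scan described in this table, added here as an example and not taken from the page's own code. The function names and the sample bytes are assumptions; the permission bit positions are those of ISO 32000-1 Table 22.

```javascript
// Added example; function names are hypothetical. Input is the sampled file
// decoded as Latin-1 text so ASCII structure markers survive intact.
const PERMISSION_BITS = { // 1-based bit positions, ISO 32000-1 Table 22
  print: 3, modify: 4, copy: 5, annotate: 6,
  fillForms: 9, assemble: 11, printHighQuality: 12,
};

function decodePermissions(p) {
  const flags = {};
  for (const [name, bit] of Object.entries(PERMISSION_BITS)) {
    flags[name] = ((p >> (bit - 1)) & 1) === 1; // /P is a signed 32-bit value
  }
  return flags;
}

// /Length appears in every stream dictionary, so scope keys to the /Encrypt dictionary.
function findEncryptDict(text) {
  const ref = /\/Encrypt\s+(\d+)\s+(\d+)\s+R/.exec(text);
  if (ref) {
    const obj = new RegExp(`(?:^|[\\r\\n])${ref[1]}\\s+${ref[2]}\\s+obj([\\s\\S]*?)endobj`).exec(text);
    return { found: true, body: obj ? obj[1] : "" }; // "" = object outside the sample
  }
  const inline = /\/Encrypt\s*<<([\s\S]*?)>>/.exec(text);
  return { found: inline !== null, body: inline ? inline[1] : "" };
}

function preflightScan(text) {
  const header = /^%PDF-(\d\.\d)/.exec(text);
  const enc = findEncryptDict(text);
  const num = (key) => {
    const m = new RegExp(`/${key}\\s+(-?\\d+)`).exec(enc.body);
    return m ? Number(m[1]) : null;
  };
  const p = num("P");
  return {
    version: header ? header[1] : null,
    hasEof: text.slice(-1024).includes("%%EOF"),
    encrypted: enc.found,
    v: num("V"), r: num("R"), keyLength: num("Length"),
    permissions: p === null ? null : decodePermissions(p),
    signed: text.includes("/ByteRange"),
    interactive: ["/AcroForm", "/EmbeddedFiles", "/JavaScript"].filter((m) => text.includes(m)),
  };
}

// Constructed sample (not a renderable PDF): /P -1852 allows printing only.
const SAMPLE = "%PDF-1.7\n1 0 obj\n<< /Type /Catalog /AcroForm 5 0 R >>\nendobj\n" +
  "9 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 /P -1852 >>\nendobj\n" +
  "trailer\n<< /Root 1 0 R /Encrypt 9 0 R >>\n%%EOF\n";
console.log(preflightScan(SAMPLE));
```

Like the scan the page describes, this reads only uncompressed structure, so a clean result is not evidence that compressed objects were inspected.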
Password posture
The page estimates password strength from length and character variety, then records only posture data. The password text itself is not placed in the result payloads. The thresholds are a screening aid, not a password manager or a guarantee against guessing.
| Label | Minimum length | Estimated entropy | Meaning |
|---|---|---|---|
| Needed | 0 | 0 bits | No open password has been entered. |
| Weak | < 10 or mixed pool too small | < 45 bits | Too short or too predictable for production protection. |
| Fair | >= 10 | >= 45 bits | Better than a short password, but still below the preferred handoff target. |
| Strong | >= 14 | >= 70 bits | Meets the page's main readiness target for the open password. |
| High | >= 18 | >= 95 bits | Indicates a longer passphrase or broad character mix. |
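The labels in this table can be computed as follows. This is an added example, not the page's own code: the function names are hypothetical, and the entropy formula (length times log2 of the character pool) is an assumption, since the page gives only the thresholds.

```javascript
// Added example; names are hypothetical. The thresholds come from the table
// above; the entropy formula (length x log2 of character pool) is an assumption.
const POOLS = [[/[a-z]/, 26], [/[A-Z]/, 26], [/[0-9]/, 10], [/[^a-zA-Z0-9]/, 33]];
const LEVELS = [ // strongest first: both length and entropy must be met
  { label: "High", minLength: 18, minBits: 95 },
  { label: "Strong", minLength: 14, minBits: 70 },
  { label: "Fair", minLength: 10, minBits: 45 },
];

function estimateBits(password) {
  const pool = POOLS.reduce((sum, [re, size]) => sum + (re.test(password) ? size : 0), 0);
  return pool === 0 ? 0 : password.length * Math.log2(pool);
}

// Returns posture only; the password text never enters the result.
function passwordPosture(openPassword, ownerPassword = "") {
  const bits = estimateBits(openPassword);
  let label = "Needed";
  if (openPassword.length > 0) {
    const hit = LEVELS.find((l) => openPassword.length >= l.minLength && bits >= l.minBits);
    label = hit ? hit.label : "Weak";
  }
  return {
    label,
    length: openPassword.length,
    bits: Math.round(bits),
    ownerDistinct: ownerPassword !== "" && ownerPassword !== openPassword,
  };
}

// Constructed inputs. Pool-size entropy overrates dictionary words, which is
// why the page treats these labels as a screening aid.
for (const pw of ["", "abcdefgh", "abcdefghijklmn", "Correct-Horse-42"]) {
  console.log(passwordPosture(pw, "owner-Example-Only-77").label);
}
```

The third input is 14 characters long but lowercase only, so it meets the Strong length and still lands on Fair because the estimated entropy stays below 70 bits.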
Permission and encryption choices
The permission profile describes intended reader behavior after the file opens. AES-256 is the default target for a new protected file, while AES-128 is kept as a compatibility target. Metadata encryption should usually stay on because titles, authors, and document workflow details can otherwise remain visible to receiving systems.
| Profile | Reader behavior planned | Owner password guidance |
|---|---|---|
| Print allowed, block copy/edit | Printing remains available; copying, annotation, assembly, and editing are blocked in conforming readers. | Use a distinct owner password. |
| View only | Printing, copying, annotation, assembly, and editing are blocked in conforming readers. | Use a distinct owner password. |
| Print/copy allowed, block edit | Printing and extraction remain available; document editing is blocked in conforming readers. | Use a distinct owner password when edit restrictions matter. |
| Open password only | A password is required to open the PDF, but reader permissions remain broadly available after opening. | Owner handling can be generated by the production engine if policy allows. |
Everyday Use & Decision Guide:
Use the current page as a protection preflight, not as the final encryptor. Start with a PDF you own, administer, or have explicit permission to handle, then turn on Authorization confirmation. If that switch is off, the Protection Gate keeps the handoff blocked.
Enter the Open password first and aim for a Strong or High label. Add a distinct Owner password when the selected Permission profile blocks copying, editing, printing, or annotation. Reusing the open password as the owner password weakens the separation between access control and permission management.
- Choose AES-256 PDF standard security unless a receiving system requires AES-128 compatibility mode.
- Leave Encrypt metadata on unless visible title, author, or workflow metadata is required downstream.
- Use Browser scan limit only to control local preflight size; the real encryption pass still needs a bounded PDF worker.
- Stop on Already encrypted, Invalid source, or Oversize until the source file or production path is reviewed.
A Protection Handoff Ready summary still carries the Encrypt engine blocker. It means the inputs and evidence are ready to hand to a qpdf-compatible writer, not that an encrypted output file has been created.
Step-by-Step Guide:
Follow the path that matches a new owner-approved protection request.
- Use Browse PDF or the drop area to select one source file. The summary should change from Choose a PDF to the selected file name, size, and any visible PDF header after analysis.
- Turn on Authorization confirmation. The Authorization row should move from Blocked to Confirmed.
- Enter a long unique Open password. If the label reads Weak or Fair, replace it before treating the plan as production-ready.
- Enter a distinct Owner password when the profile is not Open password only. The Owner password row should say it is distinct from the open password.
- Choose Permission profile, Encryption target, and Encrypt metadata. Use Target filename only as a future output name in the handoff plan.
- Select Analyze PDF. If the action is unavailable, choose a source file, wait for the scan to finish, or resolve a file size above the configured Browser scan limit.
- Review Protection Gate, File Evidence, and Encryption Plan. If the error says the file does not start with a PDF header, replace the source before continuing.
The usable handoff is a plan whose source, authorization, password posture, existing-encryption check, metadata choice, and engine blocker are all understood before a PDF writer is introduced.
Interpreting Results:
The most important result is the Protection Gate. Authorization, PDF source, Browser work limit, Open password, Owner password, and Existing encryption should be resolved before any production worker runs. Encrypt engine remains Blocked in this disabled build by design.
No encryption marker means the sampled structure did not show /Encrypt; it is not a full cryptographic audit of every compressed object. Already encrypted means the file needs an authenticated rewrite path rather than another blind protection plan. Signature markers or Interactive content should slow the handoff because forms, attachments, JavaScript, and signed byte ranges can change the risk of rewriting the PDF.
A Strong password label does not prove the password is safe to share, store, or reuse. Verify that password values stay out of exported evidence, ticket text, screenshots, command history, and chat, then test the final PDF later by opening it with the correct password and rejecting a wrong one.
Worked Examples:
Board packet handoff
A 42-page board packet under 10 MB is selected, authorization is confirmed, the open password reaches Strong, and the owner password is distinct. Protection Gate should show Confirmed, Ready, Pass, Strong, and Pass for the source checks, while Encrypt engine still reads Blocked. The next action is to pass the plan to a PDF writer that can create and verify the protected file.
Already protected supplier form
A supplier sends a PDF that opens only after a password is entered. After scanning, File Evidence reports Encryption dictionary as Found, and the detail may include values such as V 5, R 6, 256-bit key, or P permission bits. The right interpretation is Already encrypted, so the file needs owner-approved authentication and rewrite verification instead of double-protection.
Size or format troubleshooting
A 132 MB scan with the default 80 MB Browser scan limit leaves Browser work limit at Oversize and prevents analysis until the limit is raised on a capable browser or a production worker handles the file. A renamed image file fails differently: the error says the selected file does not start with a PDF header, PDF source becomes Invalid, and the corrective path is to choose a real PDF.
Responsible Use Note:
Protect only documents you own, administer, or have explicit permission to handle. Password protection should not be used to hide unauthorized access, bypass document policy, or replace redaction. Remove confidential content that should not be seen by recipients before the PDF is protected.
Store open and owner passwords through an approved secret-sharing process. The page deliberately records password posture rather than password values, but a user can still leak a password through notes, screenshots, command history, or a copied support message.
FAQ:
Does this create a protected PDF?
No. The current build plans and validates the handoff only. The Encrypt engine row stays Blocked until a PDF-aware writer can create, reopen, reject wrong passwords, and verify permission flags.
Does my PDF leave the browser?
The selected file is read in the browser for this disabled preflight. The page reports structure markers and password posture; it does not upload, encrypt, or download a protected copy.
Why do I need an owner password?
The owner password controls permission changes and full-access handling. Use a distinct owner password when Permission profile blocks print, copy, annotation, assembly, or editing behavior.
What does an encryption dictionary warning mean?
Encryption dictionary set to Found means the sampled PDF already contains an /Encrypt marker. Authenticate and rewrite that file with an approved engine instead of treating it as a fresh unprotected source.
Why is Analyze PDF unavailable?
Analyze PDF is unavailable while the page is busy, before a source file is selected, or when the selected file is larger than Browser scan limit. Choose a PDF, wait for scanning to finish, or adjust the limit within the 10 MB to 200 MB range.
Glossary:
- Open password: The password a reader must provide to open the encrypted PDF content.
- Owner password: The password associated with full access and permission management in the standard PDF security model.
- Encryption dictionary: The PDF structure that records security-handler parameters such as version, revision, key length, and permission bits.
- Permission bits: Flags that describe whether conforming readers should allow printing, copying, editing, annotation, and related actions.
- Conforming reader: PDF software that follows the standard's expectations for access permissions after a document is decrypted.
- Metadata: Document information such as title, author, and workflow details that may remain visible unless encryption handles it.