PDF Encryption

Two types of PDF passwords

• User password (open password)— required to open and view the PDF. Without it, you can't see any content.
• Owner password (permissions password) — allows opening but restricts specific actions like printing, copying text, or editing. The document is viewable without the password, but restrictions are enforced.

You can set one, the other, or both. For sensitive documents, always use a user password. For controlled distribution (read-only reports), an owner password is enough.

Encryption algorithms

PDF has evolved through several encryption standards:

• RC4 40-bit (PDF 1.1) — broken since the early 2000s, trivially crackable. Don't use.
• RC4 128-bit (PDF 1.4) — weak, vulnerable to modern attacks. Avoid.
• AES-128 (PDF 1.6) — strong for most purposes, widely supported.
• AES-256 (PDF 1.7+) — current best practice, resistant to brute-force attacks.

Always use AES-256 when available. Konomic's Protect PDF tool uses AES-256 by default.

What encryption protects

• ✅ Document content (text, images, embedded files)
• ✅ Form field contents
• ✅ Annotations (with AES-256)
• ✅ Metadata (with AES-256)

What encryption does NOT protect

• ❌ File name and file size (still visible)
• ❌ Screenshot attacks (user can photograph the screen)
• ❌ Legitimate users who already have the password
• ❌ Social engineering (someone tricking the holder)

For sharing sensitive documents, encryption is one layer — combine it with other measures like expiration dates, access logs, and viewer restrictions.

Password strength matters most

AES-256 is mathematically unbreakable with current computing. But the encryption is only as strong as the password:

• Weak (seconds to crack) — "password", "123456", dictionary words
• Medium (hours to days) — 8 characters with mixed case and digits
• Strong (years to millennia) — 16+ characters with symbols and no dictionary words

Use a password manager to generate and store strong PDF passwords. Never reuse a password across multiple documents.