Chapter 4
Encryption and Decryption

cpdf -encrypt <method> [-pw=]<owner> [-pw=]<user>
     [-no-encrypt-metadata] <permissions> in.pdf -o out.pdf

cpdf -decrypt [-decrypt-force] in.pdf owner=<owner password> -o out.pdf

4.1 Introduction

PDF files can be encrypted using various types of encryption and attaching various permissions describing what someone can do with a particular document (for instance, printing it or extracting content). There are two types of person:

The User can do to the document what is allowed in the permissions.

The Owner can do anything, including altering the permissions or removing encryption entirely.

There are five kinds of encryption:

All encryption supports these kinds of permissions:

-no-edit    Cannot change the document
-no-print   Cannot print the document
-no-copy    Cannot select or copy text or graphics
-no-annot   Cannot add or change form fields or annotations

In addition, 128-bit encryption (Acrobat 5 and above) and AES encryption support these:

-no-forms       Cannot edit form fields
-no-extract     Cannot extract text or graphics
-no-assemble    Cannot merge files etc.
-no-hq-print    Cannot print high-quality

Add these options to the command line to prevent each operation.

Note: Adobe Acrobat and Adobe Reader may show slightly different permissions in info dialogues – this is a result of policy changes and not a bug in cpdf. You may need to experiment.

4.2 Encrypting a Document

To encrypt a document, the owner and user passwords must be given (here, fred and charles respectively):

cpdf -encrypt 40bit fred charles -no-print in.pdf -o out.pdf

cpdf -encrypt 128bit fred charles -no-extract in.pdf -o out.pdf

cpdf -encrypt AES fred "" -no-edit -no-copy in.pdf -o out.pdf

A blank user password is common. In this event, PDF viewers will typically not prompt for a password when opening the file or for operations allowable with the user password.

cpdf -encrypt AES256ISO fred "" -no-forms in.pdf -o out.pdf

In addition, the usual method can be used to give the existing owner password, if the document is already encrypted.

The optional -pw= preface may be given where a password might begin with a - and thus be confused with a command line option.

When using AES encryption, the option is available to refrain from encrypting the metadata. Add -no-encrypt-metadata to the command line.
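
The following wrapper is an added example, not part of cpdf or its manual. It applies the -pw= preface to any password that begins with a -, and refuses the permissions listed above for 128-bit and AES encryption when the method is 40bit. The function names and the CPDF variable are assumptions of this example, and rejecting those permissions with 40bit is this example's reading of the permission lists in 4.1.

```shell
#!/bin/sh
# Added example: wrapper around the "cpdf -encrypt" syntax shown in this chapter.

# pw_arg PASSWORD
# Print the password in a form cpdf cannot mistake for an option:
# a leading "-" gets the -pw= preface, anything else is passed through.
pw_arg() {
    case "$1" in
        -*) printf '%s\n' "-pw=$1" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# check_perms METHOD PERMISSION...
# Return 1 if a permission is unknown, or is one of the permissions that
# section 4.1 lists only for 128-bit and AES encryption while METHOD is 40bit.
check_perms() {
    method=$1; shift
    for p in "$@"; do
        case "$p" in
            -no-edit|-no-print|-no-copy|-no-annot) ;;
            -no-forms|-no-extract|-no-assemble|-no-hq-print)
                if [ "$method" = 40bit ]; then
                    echo "error: $p needs 128bit or AES, not 40bit" >&2
                    return 1
                fi ;;
            *)  echo "error: unknown permission $p" >&2
                return 1 ;;
        esac
    done
}

# encrypt_pdf METHOD OWNER USER IN OUT PERMISSION...
# Validate the permissions, then run cpdf (or the command named in $CPDF).
# An empty USER is passed through as "" (blank user password).
encrypt_pdf() {
    method=$1 owner=$2 user=$3 in=$4 out=$5; shift 5
    check_perms "$method" "$@" || return 1
    ${CPDF:-cpdf} -encrypt "$method" "$(pw_arg "$owner")" "$(pw_arg "$user")" \
        "$@" "$in" -o "$out"
}

# Usage: encrypt_pdf AES256ISO "-s3cret" "" in.pdf out.pdf -no-forms -no-copy
```

Passwords given this way appear in the argument list of the running cpdf process, which other local users can typically read while it runs.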

4.3 Decrypting a Document

To decrypt a document, the owner password is provided.

cpdf -decrypt in.pdf owner=fred -o out.pdf

The user password cannot decrypt a file.

When appropriate passwords are not available, the option -decrypt-force may be added to the command line to process the file regardless.