4 Encryption and Decryption

Chapter 4
Encryption and Decryption

cpdf -encrypt <method> [-pw=]<owner> [-pw=]<user>
[-no-encrypt-metadata] <permissions> in.pdf -o out.pdf

cpdf -decrypt [-decrypt-force] in.pdf owner=<owner password> -o out.pdf

4.1 Introduction

PDF files can be encrypted using various types of encryption and attaching various permissions describing what someone can do with a particular document (for instance, printing it or extracting content). There are two types of person:

: The User can do to the document what is allowed in the permissions.
: The Owner can do anything, including altering the permissions or removing encryption entirely.

There are five kinds of encryption:

40-bit encryption (method 40bit) in Acrobat 3 (PDF 1.1) and above
128-bit encryption (method 128bit) in Acrobat 5 (PDF 1.4) and above
128-bit AES encryption (method AES) in Acrobat 7 (PDF 1.6) and above
256-bit AES encryption (method AES256) in Acrobat 9 (PDF 1.7) – this is deprecated – do not use for new documents
256-bit AES encryption (method AES256ISO) in PDF 2.0

All encryption supports these kinds of permissions:

-no-edit C annotchangethe document
-no-print C annotprin tthe docum ent
-no-copy C annotselectorcopy text orgraphics
-no-annot C annotadd orchangeform fieldsorann otations

In addition, 128-bit encryption (Acrobat 5 and above) and AES encryption supports these:

-no-forms Cannoteditform fields
-no-extract Cannotextract textorgraphics
-no-assemble Cannotm ergefilesetc.
-no-hq -print Cannotp rinthigh-quality

Add these options to the command line to prevent each operation.

Note: Adobe Acrobat and Adobe Reader may show slightly different permissions in info dialogues – this is a result of policy changes and not a bug in cpdf. You may need to experiment.

4.2 Encrypting a Document

To encrypt a document, the owner and user passwords must be given (here, fred and charles respectively):

cpdf -encrypt 40bit fred charles -no-print in.pdf -o out.pdf

cpdf -encrypt 128bit fred charles -no-extract in.pdf -o out.pdf

cpdf -encrypt AES fred "" -no-edit -no-copy in.pdf -o out.pdf

A blank user password is common. In this event, PDF viewers will typically not prompt for a password for when opening the file or for operations allowable with the user password.

cpdf -encrypt AES256ISO fred "" -no-forms in.pdf -o out.pdf

In addition, the usual method can be used to give the existing owner password, if the document is already encrypted.

The optional -pw= preface may be given where a password might begin with a - and thus be confused with a command line option.

When using AES encryption, the option is available to refrain from encrypting the metadata. Add -no-encrypt-metadata to the command line.

4.3 Decrypting a Document

To decrypt a document, the owner password is provided.

cpdf -decrypt in.pdf owner=fred -o out.pdf

The user password cannot decrypt a file.

When appropriate passwords are not available, the option -decrypt-force may be added to the command line to process the file regardless.

[next] [prev] [prev-tail] [front] [up]

Chapter 4Encryption and Decryption

4.1 Introduction

4.2 Encrypting a Document

4.3 Decrypting a Document

Chapter 4
Encryption and Decryption