Chapter 4
Encryption and Decryption

4.1 Introduction

PDF files can be encrypted using various types of encryption and attaching various permissions describing what someone can do with a particular document (for instance, printing it or extracting content). There are two types of person:

The User can do to the document what is allowed in the permissions.

The Owner can do anything, including altering the permissions or removing encryption entirely.

There are five kinds of encryption:

• 40-bit encryption (method 40bit) in Acrobat 3 (PDF 1.1) and above
• 128-bit encryption (method 128bit) in Acrobat 5 (PDF 1.4) and above
• 128-bit AES encryption (method AES) in Acrobat 7 (PDF 1.6) and above
• 256-bit AES encryption (method AES256) in Acrobat 9 (PDF 1.7) – this is deprecated – do not use for new documents
• 256-bit AES encryption (method AES256ISO) in PDF 2.0

All encryption supports these kinds of permissions:

In addition, 128-bit encryption (Acrobat 5 and above) and AES encryption supports these:

Add these flags to the command line to prevent each operation.

4.2 Encrypting a Document

To encrypt a document, the owner and user passwords must be given (here, fred and charles respectively):

A blank user password is common. In this event, PDF viewers will typically not prompt for a password for when opening the file or for operations allowable with the user password.

In addition, the usual method can be used to give the existing owner password, if the document is already encrypted.

When using AES encryption, the option is available to refrain from encrypting the metadata. Add -no-encrypt-metadata to the command line.

4.3 Decrypting a Document

To decrypt a document, the owner password is provided.

The user password cannot decrypt a file.