Chapter 4
Encryption and Decryption

4.1 Introduction

PDF files can be encrypted using various types of encryption, with permissions attached that describe what someone can do with a particular document (for instance, printing it or extracting content). There are two types of person:

The User can do to the document what is allowed in the permissions.
The Owner can do anything, including altering the permissions or removing encryption entirely.

There are five kinds of encryption:

All encryption supports these kinds of permissions:

-no-edit   Cannot change the document
-no-print  Cannot print the document
-no-copy   Cannot select or copy text or graphics
-no-annot  Cannot add or change form fields or annotations

In addition, 128-bit encryption (Acrobat 5 and above) and AES encryption support these:

-no-forms     Cannot edit form fields
-no-extract   Cannot extract text or graphics
-no-assemble  Cannot merge files etc.
-no-hq-print  Cannot print high-quality

Add these flags to the command line to prevent each operation.
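How these restrictions are recorded in an encrypted file, as an added example that is not part of the original manual: in the PDF standard security handler each restriction clears one bit of the signed 32-bit /P entry of the encryption dictionary (ISO 32000-1, Table 22). The flag-to-bit mapping, the revision numbers and the names encode_p and decode_p are assumptions made for this example.

```python
# Added example: the chapter's flags as bits of the /P entry.
# Assumption: each flag clears exactly one bit (bit 1 = least significant).
PERMISSION_BITS = {
    "-no-print": 3, "-no-edit": 4, "-no-copy": 5, "-no-annot": 6,
    "-no-forms": 9, "-no-extract": 10, "-no-assemble": 11, "-no-hq-print": 12,
}
# Flags that need 128-bit or AES encryption (security handler revision >= 3).
EXTENDED = {"-no-forms", "-no-extract", "-no-assemble", "-no-hq-print"}


def encode_p(flags, revision=3):
    """Return the signed 32-bit /P value for a list of restriction flags."""
    p = 0xFFFFFFFC  # bits 1-2 are reserved as 0; everything else permitted
    for flag in flags:
        if flag not in PERMISSION_BITS:
            raise ValueError(f"unknown flag: {flag}")
        if flag in EXTENDED and revision < 3:
            raise ValueError(f"{flag} needs 128-bit or AES encryption")
        p &= ~(1 << (PERMISSION_BITS[flag] - 1))
    p &= 0xFFFFFFFF
    return p - (1 << 32) if p & 0x80000000 else p


def decode_p(p, revision=3):
    """List the restriction flags implied by a /P value, in bit order."""
    p &= 0xFFFFFFFF  # treat the signed value as an unsigned bit field
    restricted = []
    for flag, bit in PERMISSION_BITS.items():
        if flag in EXTENDED and revision < 3:
            continue  # these bits have no meaning for 40-bit files
        if not p & (1 << (bit - 1)):
            restricted.append(flag)
    return restricted


if __name__ == "__main__":
    # Constructed sample values, not taken from any real document.
    print(encode_p(["-no-print", "-no-copy"]))
    print(decode_p(-3904))
```

Running decode_p on the /P value found in a file's encryption dictionary is a quick way to audit which restrictions a document actually carries.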

4.2 Encrypting a Document

To encrypt a document, the owner and user passwords must be given (here, fred and charles respectively):

A blank user password is common. In this event, PDF viewers will typically not prompt for a password when opening the file or for operations allowable with the user password.

In addition, the usual method can be used to give the existing owner password, if the document is already encrypted.

When using AES encryption, the option is available to refrain from encrypting the metadata. Add -no-encrypt-metadata to the command line.

4.3 Decrypting a Document

To decrypt a document, the owner password is provided.

The user password cannot decrypt a file.