Deep dive · 10 min read
PDF Encryption Explained
A technical but practical overview of RC4, AES-128, AES-256, PDF permissions, and compatibility.
PDF encryption protects document content by applying a symmetric cipher to the file body. The encryption algorithm, key length, password handling, and permission model have evolved through several revisions of the PDF specification. Understanding these details helps you choose the right protection level and know what tools can reliably unlock.
Encryption protects confidentiality. Permission flags control viewer behavior. These are separate concepts and should not be confused.
RC4 encryption (legacy)
RC4 was the default PDF encryption algorithm from PDF 1.1 through PDF 1.5. It is a stream cipher — the keystream is XORed with plaintext to produce ciphertext.
40-bit RC4 (PDF 1.1–1.3): Considered cryptographically broken. Key space is too small for modern hardware. Avoid for any new document.
128-bit RC4 (PDF 1.4–1.5): Larger key, but RC4 itself has known biases and is deprecated by the broader cryptography community. Still encountered in older files from 2003–2010 era software.
PDF viewers and tools widely support RC4 for backward compatibility, but you should migrate protected archives to AES when possible.
AES-128 (PDF 1.6)
Adobe Acrobat 7 introduced AES-128 encryption (PDF 1.6). AES (Advanced Encryption Standard) is a block cipher standardized by NIST. It replaced RC4 as the recommended algorithm.
AES-128 uses a 128-bit key derived from the password using an MD5-based KDF. The initialization vector (IV) for each encrypted object is stored in the file. Bulk content streams and cross-reference streams are encrypted per-object.
AES-128 is still considered secure for most purposes, but modern systems default to AES-256.
AES-256 (PDF 1.7 and PDF 2.0)
AES-256 was introduced by Adobe as an extension to PDF 1.7 (Acrobat 9+) and is the default in PDF 2.0. It uses a 256-bit key and SHA-256-based key derivation with per-file random salt values.
Importantly, AES-256 encryption in PDFs stores separate keys for the user role and the owner role. Each is protected by its own KDF output. This is more robust than the RC4/AES-128 model where the owner key was derived from the user key.
All current major PDF applications — Acrobat, Preview, pdfium-based browsers, MuPDF — support AES-256.
PDF permission model
The PDF specification defines a 32-bit permission flags field stored in the encryption dictionary. Bit positions control printing resolution, content copying, editing, annotation, form filling, content extraction for accessibility, and document assembly.
Permission flags are enforced by the viewer. A compliant viewer (Acrobat, Preview) will honor them. Command-line tools and some third-party applications may ignore them entirely.
Because permissions are not enforced at the operating-system level, they should not be relied upon as a security boundary. Use them to communicate intent and reduce accidental misuse, not to prevent determined access.
Password quality and practical recommendations
The strength of PDF encryption depends entirely on password quality. AES-256 with a short or guessable password is weaker in practice than AES-128 with a strong 20-character passphrase.
Use a password manager to generate and store a random passphrase of at least 16 characters. Never reuse passwords between documents.
Use AES-256 for new documents whenever the software supports it. Test that the recipient's PDF viewer can open the file before sending.
For long-term archiving, store the password separately from the file — in a secure vault or a sealed physical record.
Tips
- PDF/A (archival format) prohibits encryption. If you need an archival copy, create an unencrypted PDF/A alongside a password-protected working copy.
- Metadata fields (author, title, subject) may remain unencrypted in some PDF encryption revisions. Sensitive metadata should be cleared before encrypting.
Ready to unlock your document?
PasswordRemover processes your file locally in the browser — no uploads, no account required.
Go to tools