How to password-protect a sensitive pdf document
- Step 1Open the Password Protect tool and drop the sensitive PDF — Load the file into the PDF Password Protect tool. It accepts one PDF at a time. Free-tier limits are 2 MB and 50 pages; Pro raises that to 50 MB and 500 pages.
- Step 2Scrub identifying metadata first (optional but recommended) — An open password protects the content but the PDF's metadata (author, producer, creation date) is part of the encryption only after you encrypt — and is still recoverable to anyone with the password. If the author name itself is sensitive, run the file through the metadata scrubber before encrypting.
- Step 3Type the open password into the single password field — The tool shows one field labelled
Set password. Whatever you type becomes both the user (open) password and the owner password — the tool does not expose a separate owner field, so there is only one secret to manage. Use 12+ characters with mixed case, digits, and symbols. - Step 4Run the encryption — Processing starts as soon as a password is present. qpdf re-writes the document with AES-256. A blank password is rejected with
Enter a password.— there is no accidental no-op. - Step 5Download and confirm the prompt appears — Download the encrypted PDF and open it once in your own viewer to confirm it asks for the password before rendering. This is your proof the encryption landed.
- Step 6Send the file and the password through different channels — Email or upload the protected PDF, then send the password by SMS, a phone call, or a separate secure-message app — never in the same email. If the channel that carries the PDF is compromised, the password is still safe.
What this tool sets — and what it deliberately does not
The browser path uses qpdf-wasm with the arguments shown. The tool encrypts; it does not restrict in-document actions.
| Capability | This tool (pdf-password-protect) | Where it actually lives |
|---|---|---|
| Open password (file won't open without it) | Yes — --encrypt <pw> <pw> 256 | This tool |
| Encryption algorithm | AES-256 (qpdf 256 key length) | This tool, browser path |
| Separate owner password | No visible field — owner password is set equal to the open password | pdf-permission-setter has a dedicated owner field |
| Block printing | No — output allows --print=full | pdf-permission-setter (Block printing) |
| Block copying / text selection | No — output allows --extract=y | pdf-permission-setter (Block copying) |
| Remove a password later | No — encrypt only | pdf-remove-password |
File-size and page limits by tier
PDF-family limits from the central tier table. A file over the limit is blocked before processing.
| Tier | Max file size | Max pages | Files at once |
|---|---|---|---|
| Free | 2 MB | 50 pages | 1 |
| Pro | 50 MB | 500 pages | 5 (batch) |
Password strength vs. AES-256
AES-256 is unbreakable in practice; the password you choose is the real attack surface. Guidance, not a tool feature.
| Password style | Risk | Verdict for sensitive data |
|---|---|---|
Summer2026 / a dictionary word + year | First thing an offline cracker tries | Do not use |
| Name + DOB of the subject | Guessable by anyone who has the document | Do not use |
| 12–16 random chars from a password manager | Infeasible to brute-force against AES-256 | Recommended |
| A 5+ word random passphrase | High entropy, easy to dictate by phone | Recommended for out-of-band sharing |
Cookbook
Concrete sensitive-document scenarios and exactly what the tool does — and doesn't — do for each.
Encrypting a salary letter before emailing payroll
An HR coordinator needs to send one employee their salary-review letter. Drop the PDF, type a strong password, download, send. The recipient is prompted for the password in any reader.
Input: salary-review-2026-jdoe.pdf (1 page, 240 KB) Field: Set password = "v9$Kpr2!mQ7w" qpdf (browser) runs: --encrypt v9$Kpr2!mQ7w v9$Kpr2!mQ7w 256 --print=full --extract=y --modify=all Output: salary-review-2026-jdoe.pdf (encrypted) Opening it in Acrobat/Preview now shows: "This document is password protected. Enter the document open password."
Scrub metadata, then encrypt a medical record
A medical PDF exported from a clinical system carries the clinician's name and the EHR software in its metadata. Strip that first, then encrypt — so even an authorised opener can't read the producer trail.
Step 1 — pdf-metadata-scrubber: Author "Dr A. Patel" -> (cleared) Producer "Epic PDF 11.2" -> (cleared) CreationDate 2026-03-14 -> 1970-01-01 Step 2 — pdf-password-protect: Set password = "correct-horse-battery-staple-7" Result: encrypted PDF, no identifying metadata, open-password gated.
Empty password is rejected, not silently skipped
If you click run with the field blank, the tool refuses rather than handing back an unprotected file that looks protected. This prevents the worst failure mode for sensitive data.
Field: Set password = "" (left blank)
Result: Error — "Enter a password."
No file is produced. The original is untouched.Confirming the file is genuinely encrypted
Don't trust, verify. After download, the quickest proof is opening it yourself; for a deeper check, qpdf-style tooling reports the encryption dictionary.
Open the downloaded PDF in Apple Preview: -> a password sheet appears before the first page renders. qpdf --show-encryption confidential.pdf (desktop qpdf) reports: R = 6 P = ... User password length: 12 bytes recovered: no extract for accessibility: allowed Stream data: encrypted Algorithm: AESV3 (256-bit)
What encryption does NOT stop — printing the open file
Once the recipient enters the password and the file is open, they can print, copy text, and re-save it. The tool allows all in-document actions by design. If you need to stop that, this is the wrong tool.
Recipient opens encrypted.pdf with the password. File -> Print -> allowed (--print=full) Select all -> Copy -> allowed (--extract=y) Edit + Save As -> allowed (--modify=all) To block these, use pdf-permission-setter instead, which sets an owner password and toggles printing/copying off.
Edge cases and what actually happens
You expected printing/copying to be blocked
By designThis tool encrypts the file with an open password and allows all in-document actions (--print=full --extract=y --modify=all). It is an open-gate, not a permission lock. To stop a recipient from printing or copying after they open the file, use the PDF Permission Setter, which adds an owner password and Block-printing / Block-copying toggles.
There is no separate owner-password field
ExpectedThe Password Protect UI shows one field, Set password. Whatever you type is used as both the user (open) password and the owner password. That keeps it simple — one secret — but it also means you cannot set a different owner password here. If you need distinct user and owner passwords, that's a permission-setter workflow.
You left the password field blank and clicked run
ErrorThe processor throws Enter a password. and produces no file. This is deliberate: it prevents you from believing a file is protected when it is not. Type a non-empty password and run again.
The PDF is larger than your tier's limit
BlockedFree tier caps PDFs at 2 MB and 50 pages; the file is blocked before any processing. Scanned medical or HR PDFs can easily exceed 2 MB — compress first with the lossy compressor, or upgrade to Pro (50 MB / 500 pages).
The PDF is already encrypted
Errorqpdf cannot re-encrypt a file it can't read. If the source PDF already has a password, encrypting again exits with a processing error (qpdf exit code 2: "could not process this PDF — it may be corrupted or use an unsupported encryption"). Decrypt it first with the remove-password tool, then re-encrypt with the new password.
The file is corrupted or structurally broken
ErrorIf qpdf can't parse the document it returns exit code 2 and the tool surfaces "qpdf could not process this PDF." Repair the structure first with the PDF repair tool, then encrypt the repaired copy.
qpdf reports a warning but still returns a file
Preservedqpdf exit code 3 means warnings only — the encrypted output is still valid and is returned. Minor structural quirks in the source can trigger this without affecting the encryption. Open the result to confirm the password prompt appears.
You forget the password after encrypting
UnrecoverableThere is no backdoor. AES-256 with a strong password is computationally infeasible to crack, and nothing about the password is stored anywhere (it never left your browser). If you lose it, the only recovery is the original unencrypted file. Always keep a copy of the source PDF in a secure location until the recipient confirms access.
Recipient tries to open it in an email preview pane
ExpectedGmail and Outlook inline previews do not handle password-protected PDFs. The recipient must download the attachment and open it in a real PDF reader, where they'll be prompted for the password. This is normal behaviour for any encrypted PDF, not a fault of the file.
Frequently asked questions
What encryption does this actually use?
Real AES-256. In the browser the tool runs a self-hosted qpdf WebAssembly build and invokes --encrypt <password> <password> 256, which is AESV3 256-bit encryption — the strongest standard PDF scheme. (An older tool note mentioned RC4 128-bit; the live browser path uses AES-256.) The unencrypted file and your password are processed locally and never sent anywhere.
Does this stop people from printing or copying the document?
No. This tool only sets an open password — once someone enters it, they can print, copy, and edit. The encryption is applied with full permissions allowed. To block printing or copying, use the PDF Permission Setter, which sets an owner password and lets you turn those actions off.
Can I set a different owner password from the open password?
Not in this tool. The Password Protect UI has a single field, and whatever you type becomes both the user and owner password. If you need a distinct owner password (for example to allow opening but block editing), use the PDF Permission Setter.
Is my password sent to a server?
No. Encryption happens entirely in your browser via qpdf-wasm. Your password never touches a server, and neither does the unencrypted document. Nothing about the file is uploaded.
Will the recipient be able to open it in Adobe Reader / Preview / on a phone?
Yes. The output is a standard encrypted PDF. Adobe Acrobat and Reader, Apple Preview, Chrome's built-in viewer, the iOS Files app, and Android PDF readers all support AES-256 password-protected PDFs and will prompt for the password before showing any content.
How big a file can I encrypt?
On the free tier, up to 2 MB and 50 pages. Pro raises that to 50 MB and 500 pages. Scanned documents often exceed 2 MB — run them through the lossy compressor first, or upgrade.
What if the PDF already has a password?
qpdf can't read an encrypted file to re-encrypt it, so the tool errors out. Remove the existing password first with the Remove Password tool (you'll need the current password), then encrypt with the new one.
I forgot the password — can you recover it?
No, and neither can anyone else. The password never left your device, nothing is stored, and AES-256 is not brute-forceable with a strong password. Keep the original unencrypted file safe until access is confirmed; that's the only recovery path.
How strong should the password be?
The encryption is AES-256, so the password is the only real weak point. Use 12+ random characters or a 5-word passphrase from a password manager. Avoid dictionary words, the subject's name or date of birth, and anything someone holding the document could guess.
Should I send the password in the same email as the PDF?
Never. Send the encrypted PDF one way (email, file share) and the password another (SMS, phone call, a separate secure-message app). If the channel carrying the file is intercepted, the password stays safe.
Can I remove the password later for archiving?
Yes — use the Remove Password tool, enter the password, and download a clean unencrypted copy. qpdf accepts either the user or owner password for decryption, which here are the same value.
Does encrypting change the document's appearance or contents?
No. qpdf re-writes the file structure with an encryption layer; the pages, text, and images are identical. The only difference is that opening the file now requires the password.
Privacy first
All PDF processing runs locally in your browser using PDF-lib and pdf.js. No file is ever uploaded — only metadata counters are saved for signed-in dashboard stats.