How to apply DRM-style permission controls to a PDF
- Step 1: Decide which controls you actually need — This tool covers print and copy. For 'cannot be opened without permission' use an open password (PDF Password Protect); for 'cannot be edited' flatten the file (PDF Flatten); for expiry / revocation you need true enterprise DRM.
- Step 2: Open the Permission Setter and drop the document — Load your PDF into the PDF Permission Setter. Free tier handles up to 2 MB / 50 pages; the file stays local.
- Step 3: Set the owner password (your rights key) — Enter a strong owner password. This is the master key for the permission set — without it nobody can change the flags in a conformant editor.
- Step 4: Choose the print/copy policy — Tick Block printing and/or Block copying to build the access profile. These map to --print=none and --extract=n. Modification is left enabled regardless.
- Step 5: Run the AES-256 re-encryption — qpdf seals the permission dictionary into the encrypted file. A clean run returns exit code 0; warnings return code 3 and still produce a valid file.
- Step 6: Distribute, optionally with a watermark — Add a watermark before locking if you want a visible ownership/confidentiality marker on every page, then send the rights-controlled PDF.
DRM-lite vs. enterprise DRM
What this tool's PDF permission layer covers, and where you need a server-based DRM platform instead.
| Capability | This tool (PDF permissions) | Enterprise DRM (Adobe / Purview) |
|---|---|---|
| Block printing | Yes — --print=none | Yes |
| Block copy / extract | Yes — --extract=n | Yes |
| Block editing | No — modify is left at --modify=all | Yes |
| Open (view) password | No (use PDF Password Protect) | Per-user authentication |
| Document expiry / time limit | No | Yes |
| Remote revoke after sending | No | Yes |
| View / open tracking | No | Yes |
| Server / subscription required | No — runs in your browser | Yes |
Build your access profile from real controls
Combine the two checkboxes with sibling tools to assemble a practical rights policy.
| Policy you want | How to achieve it |
|---|---|
| View-only, no print, no copy | This tool: Block printing ON + Block copying ON |
| No copy but printable | This tool: Block copying ON, Block printing OFF |
| Only authorised people can open | PDF Password Protect (open password) |
| Not editable / fields locked | PDF Flatten then this tool |
| Visible ownership marker | PDF Watermark before locking |
| Strip identifying metadata | PDF Metadata Scrubber |
Cookbook
Assembling a per-document rights policy from the controls that actually exist.
View-only distribution profile
A market-research report sold to subscribers — readable on screen, but not printable or copyable.
```
Owner password:  research-drm-01
Block printing:  ON → --print=none
Block copying:   ON → --extract=n
Profile: open freely, read on screen, no print, no copy
Gap:     no expiry, no revoke — viewer-enforced only
```
Paid eBook: open password + no copy
An eBook where only paying customers should open it AND text shouldn't be lifted. This needs two tools — the open password isn't part of the Permission Setter.
```
Step 1  PDF Password Protect  → open password "buyer-key"
Step 2  PDF Permission Setter → owner pw + Block copying ON
Result: prompt to open + AES-256 + no text extraction
```
The exact qpdf invocation behind a DRM-lite run
Both restrictions ticked. Note modify stays at all and the open password is empty.
```
qpdf --encrypt "" "research-drm-01" 256 \
  --print=none --extract=n --modify=all \
  -- report.pdf report-drm.pdf
```
Branded confidential profile
An internal strategy doc: visibly marked CONFIDENTIAL, no print, no copy, and identifying metadata removed.
```
Step 1  PDF Metadata Scrubber → strip author/producer
Step 2  PDF Watermark         → "CONFIDENTIAL"
Step 3  PDF Permission Setter → owner pw, Block print + copy ON
Result: layered DRM-lite without a server
```
Why you can't set an expiry here
Time-limited access requires a server to check the clock and refuse the key. PDF permissions are static and travel inside the file, so there's nothing to expire.
```
Want:    'this PDF stops working after 30 days'
Reality: PDF permission flags have no time component
Use:     enterprise DRM (Adobe Experience Manager, Microsoft Purview)
```
Edge cases and what actually happens
Expecting server-DRM features (expiry, revoke, tracking)
Out of scope: PDF permission flags travel inside the file with no server check-in, so there is no expiry, no after-the-fact revocation, and no open tracking. Those require a DRM platform such as Adobe Experience Manager Forms or Microsoft Purview Information Protection. This tool is the lightweight, server-free tier.
No edit/modify control
By design: The tool exposes only Block printing and Block copying; modification is always --modify=all. A DRM-lite profile here cannot block editing. Flatten with PDF Flatten to remove editable structure if that matters.
No open password from this tool
By design: The user/open password is always empty here — anyone can open the file. If your rights policy requires authentication to open, layer PDF Password Protect on top to set an open password.
Reader uses a non-conformant viewer
By design (PDF limitation): Print/copy flags are honoured by conformant viewers; specialist tools can ignore them. AES-256 stops the flags being flipped without the owner password but cannot compel non-conformant software to obey. This is the inherent ceiling of file-embedded permissions.
Owner password left empty
Error: The owner password is required — it is the rights key. Running with it blank raises 'Enter an owner password.' before any encryption occurs.
Document already encrypted
Limited: qpdf cannot re-encrypt a file it can't open. Remove the existing protection with PDF Unlock first, then apply the DRM-lite profile.
Corrupted or unsupported encryption
qpdf error: qpdf exits with code 2: 'qpdf could not process this PDF — it may be corrupted or use an unsupported encryption.' Repair via PDF Repair and retry.
File over the tier limit
Blocked: Free tier caps at 2 MB / 50 pages, Pro at 50 MB / 500 pages, Pro + Media at 500 MB / 2,000 pages. Larger files are blocked with an upgrade prompt.
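The cookbook's qpdf invocation, the owner-password check and the exit codes 0, 3 and 2 described above, wrapped as a local Python script. This is an added example, not the tool's own code: the function names are hypothetical, a qpdf binary on PATH is assumed, and a flag is omitted when its box is unticked because the page does not show what the tool sends in that case.

```python
import subprocess

# Exit codes as the page describes them.
QPDF_OK, QPDF_ERROR, QPDF_WARNING = 0, 2, 3


def build_qpdf_args(src, dst, owner_password, block_print=True, block_copy=True):
    """Translate the two checkboxes into a qpdf argument list (hypothetical helper)."""
    if not owner_password:
        # Same pre-flight rule as the tool: refuse before any encryption happens.
        raise ValueError("Enter an owner password.")
    # The empty string is the open (user) password: anyone can open the file.
    args = ["qpdf", "--encrypt", "", owner_password, "256"]
    if block_print:
        args.append("--print=none")
    if block_copy:
        args.append("--extract=n")
    # Editing is never restricted by this profile; "--" ends the encryption options.
    args += ["--modify=all", "--", src, dst]
    return args


def classify_exit(code):
    """Map a qpdf exit code to (output_usable, status)."""
    if code == QPDF_OK:
        return True, "clean"
    if code == QPDF_WARNING:
        return True, "warnings"  # the output file is still valid
    if code == QPDF_ERROR:
        return False, "corrupted or unsupported encryption"
    return False, f"unexpected exit code {code}"


def lock_pdf(src, dst, owner_password, block_print=True, block_copy=True):
    """Run qpdf on one file and report whether dst can be distributed."""
    args = build_qpdf_args(src, dst, owner_password, block_print, block_copy)
    # Argument list, no shell: the password is never interpreted by a shell.
    result = subprocess.run(args, capture_output=True, text=True)
    usable, status = classify_exit(result.returncode)
    return usable, status, result.stderr.strip()
```

The owner password is passed as a command-line argument, so it is visible in the local process list while qpdf runs.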
Frequently asked questions
Is this real DRM?
It's lightweight, server-free DRM built on the PDF format's own permission layer. It cryptographically seals print and copy restrictions (AES-256) that conformant viewers enforce, and only the owner password can lift them. It is not enterprise DRM: there is no expiry, no remote revocation, no per-user licensing, and no view tracking. For those, you need a platform like Adobe Experience Manager Forms or Microsoft Purview.
Which rights can I actually control with this tool?
Two: printing (Block printing → --print=none) and copying/text extraction (Block copying → --extract=n), sealed behind an owner password with AES-256. It does not expose an editing toggle (modify stays --modify=all) and does not set an open password. Combine sibling tools for those — see the access-profile table above.
Can I set an expiry date so the PDF stops working?
No. PDF permission flags have no time component — they live inside the file and there is no server to enforce a deadline. Document expiry is an enterprise-DRM feature that requires a licence server.
Can I revoke access after I've sent the file?
No. Once a recipient has the file with its embedded permissions, you cannot reach out and disable it. Remote revocation requires server-based DRM. The closest static control is to require an open password and simply not share it, or share a new key — but you can't claw back a file already opened.
Does it stop editing too?
No. There is no modify/edit checkbox; the tool always sends --modify=all. To resist edits, flatten the document with PDF Flatten before locking, or detect changes with PDF Digital Signature.
How do I require a password to open the file?
Use PDF Password Protect, which sets the open (user) password. This Permission Setter only sets the owner password and the permission flags, leaving the open password empty.
What encryption strength is used?
AES-256 — qpdf's 256-bit (R6) encryption handler. The permission dictionary is part of the encrypted structure, so the flags can't be altered without the owner password.
Can a determined user still bypass it?
A standard reader cannot print or copy a locked file, and cannot change the flags without the owner password. Determined bypasses exist for any file-embedded scheme: editors that ignore permissions, screenshots, OCR, or photographing the screen. A watermark makes such reproductions traceable; true prevention needs server DRM.
Is my document sent to a server?
No. All processing runs in your browser via qpdf-wasm. The document, owner password, and output never leave your device; only an anonymous usage counter is recorded when you're signed in — which is itself a privacy advantage over cloud DRM.
Can I apply this to many documents at once?
Not in the browser tool — it's single-file. For bulk rights-setting, pair the JAD runner and call the tool locally per file in a script.
Should I scrub metadata as part of a rights policy?
Often yes — author, producer, and creation tool can leak who made the document. Run PDF Metadata Scrubber before setting permissions if the file will go outside your organisation.
How do I lift the DRM-lite controls later?
As the rights owner you hold the owner password — use PDF Remove Password to strip the encryption and all permission flags.
Privacy first
All PDF processing runs locally in your browser using PDF-lib and pdf.js. No file is ever uploaded — only metadata counters are saved for signed-in dashboard stats.