How to remove passwords from pdfs before long-term archival
- Step 1Identify the protected PDFs to archive — Find the files that prompt for a password to open. Collect each file's password while the people who set them are still available — this is the one moment recovery is guaranteed.
- Step 2Open the Remove Password tool — Go to the PDF Remove Password tool. qpdf loads once and is cached for the session.
- Step 3Decrypt each file with its password — Drop in a file, type its password in the Enter current password field, run, and download the open copy. Repeat per file (the browser tool is one-at-a-time).
- Step 4Convert to PDF/A for retention — Send each decrypted copy to the PDF/A converter (PDF/A-1b or PDF/A-2b) so it stays renderable for the full retention period.
- Step 5Store in an access-controlled location — Move the archival copies into a DMS, encrypted volume, or records system whose access controls (authentication, roles, audit logging) replace the per-file password.
- Step 6Record the step in your retention policy — Document that newly archived PDFs are decrypted at ingest and protected by the archive's access controls, so future staff understand why there's no per-file password.
Per-file password vs archive access control
Why decrypting at ingest beats relying on passwords for long-term retention.
| Dimension | Per-file password | Archive access control (after decrypt) |
|---|---|---|
| Recovery if lost | None — encryption doesn't expire | Admin can re-grant access via the DMS |
| Who manages it | Whoever set it (often gone) | Records / IT team, role-based |
| Audit trail | None | DMS logs every access |
| Onboarding new staff | Must know each password | Granted a role, sees everything they're cleared for |
| Failure mode at year 10 | File permanently locked | File still readable, access still governed |
Recommended ingest pipeline
A repeatable sequence to normalise protected files for the archive.
| Stage | Tool | Purpose |
|---|---|---|
| 1. Decrypt | This tool (Remove Password) | Remove the per-file password while you still hold it |
| 2. Standardise | Metadata Scrubber | Strip stale producer/author metadata for clean records |
| 3. Archive format | PDF/A converter | ISO-19005 compliance — fonts/colour self-contained |
| 4. Store | Your DMS / encrypted volume | Access governed by roles + audit logging |
Cookbook
Ingest patterns for getting protected files safely into a long-term archive.
Decrypt a sealed legal file at intake
A closed matter's PDFs were each password-protected by the case owner, who is leaving the firm. Decrypt them now, while the password is known, before they go into the records system.
Input: matter-2025-0412.pdf (AES-256, case-owner pw) Field: Enter current password → <case password> Action: qpdf --decrypt → open copy Next: PDF/A → store in records DMS (role-restricted)
Full ingest pipeline for one record
Decrypt, scrub stale metadata, convert to PDF/A, then store. Each stage is a separate single-file tool run.
1. Remove Password → open copy (password gone) 2. Metadata Scrubber → stale Author/Producer cleared 3. PDF/A converter → PDF/A-2b 4. Move to DMS → access by role, audit-logged
Mixed-vintage archive: RC4 and AES together
An old shared drive has files encrypted across a decade. qpdf reads both legacy RC4 and modern AES, so each can be normalised to an open copy with its own password.
2012 file (RC4-128) + password → decrypted 2024 file (AES-256) + password → decrypted Result: both normalised to unencrypted archival copies
Use the owner password collected at handover
During a team handover you captured owner passwords. qpdf accepts the owner password, so you can decrypt even without each file's open password.
Handover list has OWNER passwords only. Field: Enter current password → <owner password> Action: qpdf --decrypt → success Lesson: owner password is sufficient
Password missing for one old file
One file's password was never recorded and its setter has left. There's no recovery — flag it and escalate before the rest of the archive is sealed.
Field: Enter current password → <unknown>
Action: qpdf --decrypt → exit 2
Outcome: "could not process" — no recovery
Action: escalate; do NOT seal the archive assuming
this file will open laterEdge cases and what actually happens
Password never recorded and setter has left
Not supportedThis is precisely the long-term failure the decrypt-at-ingest pattern prevents. The tool cannot crack or recover an unknown password; a strongly encrypted file with a lost password is unrecoverable. Capture passwords during handovers, before they're gone.
Wrong password during ingest
errorqpdf exits with code 2 and reports it could not process the file. Passwords are case- and whitespace-sensitive. Re-type from the handover record carefully before flagging the file as unrecoverable.
Owner password is enough
Supportedqpdf decrypts with either the user or owner password. If your handover captured only owner passwords, they're sufficient — you don't need to chase the open passwords too.
Decrypted but not yet PDF/A
By designRemoving the password does not make a file archival-grade. For retention requirements, follow with the PDF/A converter; decryption and PDF/A conversion are two distinct steps.
Decrypted copy stored in an unsecured location
RiskAn unencrypted file relies entirely on the archive's access controls. Store it in a DMS or encrypted volume with authentication, roles, and audit logging — not a shared open folder. The decryption removed the only barrier the file itself carried.
Legacy RC4 archive files
SupportedOld archives often use RC4 40/128-bit. qpdf reads these with the password, so even decade-old files can be normalised to unencrypted archival copies.
Free-tier 2 MB / 50-page cap
LimitLong scanned records frequently exceed the free 2 MB / 50-page limit. Pro (50 MB / 500 pages) or Pro+Media (500 MB / 2,000 pages) handles larger archival documents.
Many files to process
By designThe browser tool decrypts one file per run. For a bulk ingest, script the @jadapps/runner to process the folder sequentially (see the automation FAQ) — each file still needs its own correct password.
Server-DRM (LiveCycle) records
Not supportedRecords protected by enterprise rights management aren't password-decryptable here. They require the issuing rights server; if it's decommissioned, the records may be permanently inaccessible. Plan migrations off DRM well before the server is retired.
Frequently asked questions
Why decrypt PDFs before archiving instead of keeping the passwords?
A per-file password is a single point of failure with no recovery: when the setter leaves and the password isn't documented, the file is locked forever. Decrypting at ingest — while you still hold the password — and letting the archive's access controls govern reads is durable: an admin can always re-grant access, and every read is audit-logged.
Is a decrypted PDF stored in a secured DMS sufficiently protected?
Yes. The DMS access controls (authentication, role-based permissions, audit logging) replace the per-file password as the access restriction — and they're recoverable and manageable, which a per-file password is not. Ensure the DMS itself has appropriate authentication and logging before relying on it.
Should I run PDF/A conversion after decrypting?
For long-term archiving, yes. Decryption removes the password; PDF/A (ISO 19005) is what makes the file durable — embedding fonts and standardising colour so it renders correctly for decades. Decrypt here, then convert each open copy with the PDF/A converter to PDF/A-1b or PDF/A-2b.
How do I batch-process many archived PDFs?
The browser tool decrypts one file per run, each with its own password. For volume, script the @jadapps/runner: fetch the schema from GET /api/v1/tools/pdf-remove-password, pair the runner once, then POST each file with { "password": "…" } to 127.0.0.1:9789/v1/tools/pdf-remove-password/run. Processing stays local to your machine.
What encryption can it strip?
RC4 40-bit, RC4 128-bit, AES-128, and AES-256 — covering both legacy and modern files you'd find in a mixed archive. It cannot remove server-enforced DRM (LiveCycle / rights management), which isn't a standard password.
Can I use the owner password I collected at handover?
Yes. qpdf decrypts with either the user (open) or owner password. If your handover captured owner passwords, they unlock the files completely — no need to also find the open passwords.
Are my confidential archive files uploaded?
No. The qpdf WebAssembly module and decryption run entirely in your browser tab. Archive contents and passwords never leave your device. Only an anonymous usage count is recorded when signed in — relevant for legal, HR, and property records.
What if one file's password is missing?
There's no recovery — a strongly encrypted file with a lost password is unrecoverable, which is why capturing passwords at handover matters. Flag the file and escalate rather than sealing the archive on the assumption it will open later.
Will decryption alter the archived record's content?
No. qpdf removes only the encryption layer; pages, text, scanned images, fonts, and bookmarks are preserved exactly. The archival copy is a faithful, unmodified record of the original.
Should I scrub metadata before archiving too?
Often, yes. Stale Author/Producer/Creation-date metadata can leak who handled a file or which software touched it. Run the Metadata Scrubber on the decrypted copy before PDF/A conversion to standardise records.
How big a file can I decrypt for archiving?
Free tier: 2 MB / 50 pages. Pro: 50 MB / 500 pages. Pro+Media: 500 MB / 2,000 pages. Developer: 2 GB / 10,000 pages. The limit applies to the input file you drop in.
Is stripping the password legal for files my organisation owns?
Yes. Removing protection from documents your organisation owns or is authorised to manage, using passwords it holds, is legal and a standard records-management practice. The tool requires the password, so it only ever decrypts files you can already access.
Privacy first
All PDF processing runs locally in your browser using PDF-lib and pdf.js. No file is ever uploaded — only metadata counters are saved for signed-in dashboard stats.