Adding Passwords and Encryption to PDFs

Adding Passwords and Encryption to PDFs

The Portable Document Format, PDF, provides a variety of ways to secure a document to either prevent unauthorized users from opening it, or to prevent unauthorized changes from being made to the document. The most straightforward and common way to deal with either of these scenarios is to apply two different types of passwords to a PDF. This is where you need to understand both the use case of the document that is being secured and how that maps to what PDF supports. Let’s take a brief look at the two different types of passwords that can be set on a PDF and then dive into using Datalogics PDF Java Toolkit to set these passwords on a document.

Owner versus user passwords

In order to support multiple workflows with PDF, the PDF specification supports the concept of an owner password and a user password. The owner password is the password that is used by the author of the document to prevent others from using it in a way the author did not intend. When specifying the owner password, either through a PDF viewing application or an SDK like Datalogics PDF Java Toolkit, you can specify what permissions a user will have when they open the document. For example, if I created a document and I did not want readers to be able to extract the text, I would turn that permission off when setting the password. If you are familiar with Adobe Acrobat, this setting would be in the Document Properties screen under Security and is referred to as the Permissions Password.

The user password, also known as the Document Open Password in Adobe Acrobat, is the password you set on a document to prevent unauthorized users from opening it. Word of caution, if you are really concerned about the contents of your PDF files being viewed by others, you shouldn’t rely on user password. Since the PDF standard is available publicly, anyone can get a copy of it and write a utility to break into a PDF no matter whether it has a password or not. The PDF standard tells them everything they need to know. That doesn’t mean you shouldn’t ever use passwords to protect your PDFs, because frankly, breaking into a PDF is challenging. But if someone is sufficiently motivated to know what is in a password protected PDF and would go through the hassle of understanding the PDF standard and writing code to break into the PDF (it sounds way easier than it really is), it can be done. If you really need high-level security on your document, something like a Digital Rights Management system would be a better choice.

Now that we know a little more about the different password types, let’s take a look at how to set them using Datalogics PDF Java Toolkit.

Setting passwords with Datalogics PDF Java Toolkit

The AddPasswordToDocument sample for Datalogics PDF Java Toolkit allows you to quickly add either or both types of passwords supported by the PDF standard. The sample takes four arguments which are :

  • path to the PDF that should have passwords added
  • Owner password
    • Specify an empty string if you do not want to set an Owner password
  • User password
    • Specify an empty string if you do not want to set a User password
  • path to where the password protected PDF should be written out

Those arguments all get passed down to the method addPassword() in the sample where all the real work takes place. Starting with the line

final StandardEncryptionPermissions encryptPerms = StandardEncryptionPermissions.newInstanceAll();

Here, we are beginning the journey to create a password protected PDF. The StandardEncryptionPermissions class is the one used to specify what permissions should be set on the document when it is opened with a User password. The AddPasswordToDocument sample starts by giving the user all the permissions and then selectively turning some of the permissions off like the “Add” and “Extract” permissions.


After the desired permissions have been configured, the sample goes on to create a PermissionProvider instance from the StandardEncryptionPermissions instance. The last class that you need to work with in order to password protect a PDF using Datalogics PDF Java Toolkit is the SecurityLock class. The SecurityLock class is the object that combines the desired permissions and passwords with the desired encryption algorithm and secures the PDF.

final SecurityLock securityLock = SecurityLockPassword.newAES_128bit(ownerPasswordBytes, userPasswordBytes, permsProvider, false);

This line will create a SecurityLock that relies on passwords and uses the AES encryption algorithm with a 128bit key. This particular SecurityLock will not encrypt the metadata of the PDF, which will allow search engines to index the PDF if it is publicly hosted on the internet and can be opened by Adobe Acrobat 7 and later. The encryption algorithm and key size are important factors in determining what PDF viewing applications can be used to open the documents as not all PDF viewing applications support the same algorithms and key sizes.

Once the SecurityLock has been created, it is added to the PDFSaveFullOptions object that will be used to save the PDF so that it can have the passwords and permissions applied to it.

With all of this knowledge in hand, it is just up to you to determine how the PDFs you need to add passwords and permissions to are going to be used so that you can secure them with the correct settings. If you are looking to add this as a feature of your application or are looking to secure a large volume of PDFs, sign up for an evaluation of Datalogics PDF Java Toolkit today!

Leave a Reply

Your email address will not be published.