What encryption does this tool use?

AES-256, which is the strongest encryption the PDF specification supports. It is the same standard used by banks and government agencies for classified data. No one is brute-forcing an AES-256 encrypted file with a decent password.

What is the difference between a user password and an owner password?

A user password is required to open the document at all. Without it, the file is unreadable. An owner password controls permissions — it determines whether someone can print, copy text, or edit the file. A document can have both, just one, or neither.

Can someone bypass the permission restrictions?

Honestly, yes. The PDF specification stores permission flags as metadata that the reader software is expected to honor voluntarily. Many third-party PDF tools and open-source libraries ignore these flags entirely. Permission restrictions discourage casual misuse but do not provide hard security. If you need to truly prevent access, use a user password (password-to-open) instead.

What happens if I forget my password?

There is no recovery mechanism. Because all encryption happens in your browser, we never see or store your password. If you lose it, the file is permanently inaccessible. Write it down somewhere safe or use a password manager.

Will the encrypted PDF work in all readers?

AES-256 encryption is supported by Adobe Acrobat, most modern browsers, Preview on macOS, and virtually every current PDF reader. Very old software that only supports PDF 1.4 or earlier may not be able to open AES-256 encrypted files. If compatibility with legacy readers is essential, the tool offers an RC4 128-bit option, though it is less secure.

Does encryption increase the file size?

Slightly. AES encryption adds a small amount of padding to each encrypted stream, plus the encryption dictionary metadata. For most files, the increase is under 5 percent. You will not notice the difference for typical documents.

Can I protect a PDF that is already encrypted?

You would need to unlock it first, then re-encrypt with the new password. Layering encryption on top of existing encryption is not supported by the PDF standard.

Does the password protect against screenshot capture?

No. PDF encryption controls whether the file can be opened and what the reader software allows. Once a document is displayed on screen, anyone can take a screenshot. No file-level encryption can prevent that.

HomeToolsProtect PDF

Protect PDF

Add password protection and encryption to your PDFs.Everything happens in this tab — your files don't move.

In-browserNo uploadNo file limit

HomeProtect PDF

Protect PDF

Add password protection and encryption to your PDFs.

In-browserNo upload

Adding a password to a PDF is the most direct way to control who can open it. PDF Cloak encrypts your document using AES-256 right in your browser. The password never travels over a network, and the unprotected version of your file never exists on anyone else's machine. You set the rules — whether the file needs a password to open, a password to edit, or both — and the tool produces an encrypted copy. Here is how PDF encryption actually works and what it can and cannot do for you.

Still building this one

Protect PDF is in active development

We're building protect pdf to work entirely in your browser, just like every other tool on PDF Cloak. No shortcuts — same privacy guarantee.

Get notified when Protect PDF launches

We're still building this tool. Drop your email and we'll let you know the moment it's ready.

When to use this tool

The most straightforward scenario is confidential documents. Tax returns, medical records, legal agreements, HR files — anything you would not want an unauthorized person reading if the email got forwarded or the USB drive got lost. A strong user password makes the file unreadable without the key.

Controlling distribution is another reason. You are sending a draft report to three reviewers and want to prevent them from copying the text into their own documents or printing unmarked copies. Permission restrictions handle this, though with caveats discussed below.

Professional file delivery often requires protection. Accountants sending financial statements, lawyers sharing privileged documents, consultants delivering strategy decks — password protection is a standard expectation in these workflows, sometimes mandated by compliance policies.

Internal document policies at some organizations require all externally shared PDFs to be encrypted. Even if the content is not particularly sensitive, the policy exists. This tool satisfies that requirement without needing enterprise software licenses.

How PDF encryption works

PDF encryption is built into the file format specification. It is not a wrapper or an external layer — the encryption is structural. Understanding its architecture helps you make informed decisions about what level of protection to apply.

AES-256 encryption. The current standard. Each stream in the PDF (content, images, fonts, metadata) is encrypted using a 256-bit AES key derived from your password through a key derivation function. Without the correct password, the encrypted streams are indistinguishable from random data. No practical attack exists against AES-256 with a strong password. This is genuine, serious cryptography.

RC4 128-bit (legacy). Older PDFs used RC4, which is a stream cipher. RC4 is still offered for compatibility with PDF readers that predate the AES-256 specification (PDF 2.0 and the AES extension for PDF 1.7). RC4 is considered cryptographically weak by modern standards. Use it only if you know your recipients are stuck on old software.

User password vs. owner password. These serve fundamentally different purposes. The user password (sometimes called the "open password") encrypts the file's content. Without it, a reader application cannot decrypt the streams and therefore cannot display anything. The document is genuinely locked.

The owner password is a different mechanism. It controls a set of permission flags: can the user print? Copy text? Fill forms? Modify content? Assemble pages? These flags are stored in the encryption dictionary. A reader application is supposed to check the owner password before allowing restricted actions. The critical word is "supposed to." The PDF specification relies on the reader software to enforce these flags voluntarily. Adobe Acrobat respects them. Most commercial PDF editors respect them. But open-source libraries and many third-party tools do not. If a tool decrypts the file using the user password (or if there is no user password), the permission flags are just data — they can be ignored.

This is not a flaw in PDF Cloak. It is a design limitation of the PDF specification itself. Permission restrictions are a social contract, not a technical barrier. They are useful for discouraging casual copying and printing, but they do not stop a determined person with the right tools.

Encryption scope. When you protect a PDF, every content stream in the document is encrypted. This includes the page content, embedded images, font programs, annotations, and form field values. Metadata (title, author, keywords) can optionally be left unencrypted so that search tools can index the file without opening it, or encrypted for full privacy. PDF Cloak lets you choose.

Common issues

Forgotten passwords cannot be recovered. This is worth repeating because it is the most consequential issue. PDF Cloak runs entirely in your browser. There is no server, no account, and no password database. If you set a user password and then forget it, that file is permanently locked. We cannot help. No one can, short of brute-force attempts that would take an astronomical amount of time against AES-256 with a reasonable password. Use a password manager. Write it on paper and store it securely. Do not rely on memory for important documents.

Compatibility with older readers. AES-256 encryption requires a reader that supports at least PDF 1.7 with the AES extension, or PDF 2.0. Software released in the last decade handles this without issues. If you are sending files to someone using a very old version of a free PDF reader, they might be unable to open the document. In that case, the RC4 fallback option provides broader compatibility at the cost of weaker security.

Encrypted files are slightly larger. AES block encryption adds padding to every encrypted stream. The encryption dictionary itself adds a small amount of overhead. For a typical document, the size increase is negligible — perhaps a few percent. For very small PDFs (a few kilobytes), the overhead is proportionally larger but still trivial in absolute terms.

Permission restrictions are easily bypassed. As discussed above, owner-password permission flags are advisory. If you need genuine security, always set a user password. Relying solely on an owner password with permission flags is equivalent to locking a screen door — it signals intent but does not stop anyone who tries the handle.

Printing-disabled PDFs can still be screenshotted. Disabling the print permission tells compliant reader software to gray out the print menu. It does not prevent the person from pressing the screenshot key, photographing their screen, or using a virtual printer driver that does not check permission flags. Digital rights management at this level is inherently limited.

What to expect from our tool

Drop your PDF into the tool and you will see options for encryption type (AES-256 recommended, RC4 for legacy compatibility), user password, owner password, and permission toggles. You can set just a user password, just an owner password, or both. The permission checkboxes let you selectively allow or deny printing, text copying, content modification, and form filling.

Enter your password — use something strong, not "1234" — and click protect. The tool encrypts the entire document in your browser. Depending on file size, this takes anywhere from under a second to several seconds. The output is a new encrypted PDF. Your original unprotected file remains on your device unchanged.

Test the result immediately. Open the encrypted PDF, enter the password you set, and confirm that the document displays correctly and that the permission restrictions behave as expected. This takes ten seconds and can save you from discovering a problem after you have already sent the file to someone.

Related tools

Unlock PDF

Remove password protection from PDFs you have access to.

Compress PDF

Shrink PDFs to a target size. Lossless or image-optimized — your choice.

Merge PDFs

Combine any number of PDFs into one. Drag to reorder pages.

Delete Pages

Remove unwanted pages from any PDF document instantly.