Skip to content

Protect PDF with Password

Add a password to a PDF in your browser. The encryption happens locally — the password never touches a server.

In your browseryour files never leave your device.

Learn more

Required to open the PDF.

If set, this password is required to change permissions (print, copy, edit). Leave blank to use the open password for both.

Permissions

What the document is allowed to do once unlocked with the open password.

Encrypted with AES-128, the PDF standard. Your password and PDF never leave your browser — encryption happens 100% locally.

About this tool

Password-protecting a PDF used to mean buying Acrobat or trusting a random web upload with your sensitive document and password in plaintext. This page handles it locally: you drop in a PDF, type a password (twice for confirmation), and the page encrypts the file in your browser using pdf-lib's encrypt() method. The encrypted output prompts for the password in any PDF reader — Preview, Adobe Reader, Chrome, Edge, mobile apps. The password is never sent over the network and never stored anywhere. If you forget it, the file is gone — there is no recovery, by cryptographic design. Save the password somewhere safe (a password manager, an encrypted note) before you close the tab. The how-to below covers the basic flow and the FAQ answers what happens to the recipient's experience, why old PDF readers might struggle, and what the tool deliberately does not do.

How to protect pdf with password

  1. Drop in your PDF

    Single file. The page accepts any standard PDF including ones with content forms, hyperlinks, or embedded images.

  2. Type a password (twice)

    At least 4 characters. Save it somewhere you will not lose it — there is no recovery option built into PDF encryption.

  3. Click Protect

    Encryption runs locally via pdf-lib. A 50-page PDF takes about 2-3 seconds to encrypt on a modern laptop.

  4. Download the protected file

    Opening it in any reader will now prompt for the password. Test it once before sending so you know the protection took correctly.

Features

Browser-side encryption

The password is typed locally, the encryption happens locally in your browser via pdf-lib, and the encrypted PDF is downloaded directly. Open the Network tab to verify nothing related to the password leaves your machine. Most online "protect PDF" tools upload your file and your password in the clear — that is the opposite of what you want when the whole point is protecting a sensitive document.

Standard PDF encryption

pdf-lib uses the standard PDF encryption format. Any modern PDF reader (Preview, Adobe Reader, Chrome, Edge, Firefox, Foxit, mobile apps) will prompt for the password and decrypt correctly. Older readers from before 2017 may not support the latest encryption variants and might prompt to fall back, but that is a tiny minority of installed readers today. The encryption is industry standard, not a custom or proprietary scheme.

Permissions enforced too

The protect action sets standard PDF permission flags: copying disabled, content modification disabled, document assembly disabled, but high-resolution printing allowed and form-filling allowed. So a recipient can open and read the file, fill in any forms, and print, but cannot copy the text out or edit the document. This is the most common permissions profile for shared documents. Adjustable in a future version if there is demand for different combinations.

No size limit and no rate limit

Since the encryption runs in your browser, there is no daily cap, no per-file fee, and no queue. The practical ceiling is browser memory — encrypting a 200MB document takes more RAM than encrypting a 5MB one, but neither is a problem on a modern laptop. Mobile devices can handle PDFs up to about 100MB comfortably before memory becomes the limiting factor.

Frequently asked questions

Is the password sent anywhere?
No. The password is typed into the form, kept in browser memory for the duration of the encryption step, used to compute the encryption key, and discarded when you close the tab. No outgoing network request carries it. You can verify this in the Network tab of your browser's developer tools — there are no POST requests during the encryption step, only the initial page load. The encryption happens in WebAssembly running on your CPU.
What if I forget the password?
The file is unrecoverable. AES with an unknown password is computationally infeasible to break in any practical sense — that is the whole point of the encryption. There is no "reset password" link because that would defeat the security model. Always save the password somewhere safe (password manager, encrypted note, secure document) before you close the tab and especially before you send the file to anyone else. The password is the only way back into the document.
Can the recipient print or copy the protected PDF?
The default permissions allow printing and form-filling but disable copying and modification. So the recipient can read it, print it, and fill in any forms it contains, but they cannot select-copy the text or edit the document content. If you need to lock printing too, that needs a different permissions profile — drop a note in feedback and it will be added as a checkbox option. The current defaults match the most common "share but do not let them mess with it" use case.
What encryption standard is used?
pdf-lib uses the standard PDF security handler. In practice every reader from the last 8+ years handles it fine — Preview on Mac, Adobe Reader, Chrome, Edge, Firefox's built-in pdf.js viewer, mobile apps on iOS and Android. The encryption is symmetric (one password for both reading and modifying), which is the right model for most everyday use cases. Asymmetric encryption with separate read and edit passwords requires a different flow.
Will old PDF readers handle the encrypted file?
Anything from roughly 2017 onward is fine. Older readers (pre-2010 Adobe Reader versions, ancient Mac Preview before macOS 10.7, very old mobile PDF apps) may not support modern encryption and will refuse to open the file or fall back to a downgrade. If you are sending to a recipient with truly archaic software, the encryption is not going to be your only compatibility issue — they probably cannot render modern PDFs reliably anyway.