Lock a PDF — password + permissions.
Add a password to any PDF and pick which actions recipients can take. RC4-128 encryption opens in every PDF reader. All in your browser — no upload, no signup.
- ✓ Stays in browser
- ✓ No signup
- ✓ Adobe + Chrome + Preview
Want to edit more on this PDF?
Sign, redact, watermark, autofill · stays in your browser
Two layers: open-protection + permission flags.
The user password gates open access — anyone trying to view the file is asked for it. Permission flags restrict actions (print/copy/edit) for users who DO have the password. Both ride on the same RC4-128 envelope.
User password
Recipients enter this to open the file. Without it, every PDF reader shows a password prompt and refuses to render content.
8 permission flags
Print, copy, modify, annotate, fill forms, accessibility, assembly, hi-res print. Toggle individually — defaults match common 'view-and-print-only' contracts.
RC4-128 (Rev 3)
Standard Security Handler — works in Adobe Reader, Chrome's PDF viewer, macOS Preview, every mobile reader. Compatible since 2003.
Browser-only
The password derivation, RC4 cipher, and per-object encryption all run client-side in WASM/JS. The plaintext PDF and password never leave your device.
Strong key derivation
Per-spec MD5 + 50-iteration hashing of the password derives the file encryption key. Each indirect object gets its own key derived from object number + generation.
Random file ID
16 random bytes via crypto.getRandomValues seed the key. Re-protecting the same file twice produces different ciphertext.
How it works.
MD5 + RC4 — old crypto, but the only thing every PDF reader on the planet implements. We use it to encrypt every stream and string in the document.
- Step 01
Drop the PDF
Drag a file or click to browse. Stays in your browser.
- Step 02
Set a password
Type and confirm. Choose which actions recipients keep — printing, copying, editing, etc.
- Step 03
Encrypt
Per-object RC4 keys derived from your password encrypt every stream and string in the file.
- Step 04
Download
Saves locally as filename-protected.pdf. Recipients get a password prompt when they open it.
About PDF password protection.
How strong is the password?
RC4-128 is fine for casual protection — your colleague can't accidentally read the file, and a friend can't open it without the password. It's NOT bulletproof against dedicated attackers; password-cracking tools exist for any weak password (under 8 chars, dictionary words). For maximum strength: use 16+ char random passwords, and pair with full-disk encryption when storing the protected PDF.
Why RC4 instead of AES?
Compatibility. RC4-128 works in every PDF reader since 2003. AES-128 (Rev 4) requires Acrobat 7+; AES-256 (Rev 5/6) requires Acrobat 9+. We picked RC4 so the recipient's grandfather running Acrobat Reader on Windows XP can still open it. AES support is on the v1.1 roadmap for users who need it.
Can I set different open vs edit passwords?
Not in v1 — we use one password for both. The owner-password concept exists in PDF spec (Algorithm 3) but doesn't add real security since user-password unlocks both layers in practice. For workflows needing distinct review-vs-edit access, sign and watermark are usually better tools.
Will permission flags actually stop someone from copying?
Adobe Reader + the macOS Preview app respect them. Browser PDF viewers may not. Determined users can always run /tools/unlock-pdf, which removes restrictions. Permission flags are a polite request, not a security boundary.
What if I forget the password?
There's no recovery — the password IS the encryption key. Save it in a password manager. If you lose the password to your only copy of an encrypted PDF, the content is effectively gone.
Does this work for already-encrypted PDFs?
No — you need to unlock first via /tools/unlock-pdf, then re-protect with new settings. Stacked encryption isn't supported by PDF readers.
Need to do more than this?
Open the full editor for signing, redaction, watermarks, autofill, and the rest of the toolbelt — same file, no upload, no signup.