Last year I sent a contract PDF to a client and forgot to lock it down. Two weeks later, a modified version of that same document surfaced in a thread I was cc'd on — someone had edited the payment terms and passed it along as the original. That one mistake cost me a full week of back-and-forth with legal. Since then, every PDF I share gets locked, encrypted, or both before it leaves my machine.

If you handle anything sensitive — invoices, signed agreements, medical records, tax returns — this guide walks through exactly what to do and why each step actually matters.

What Happens When a PDF Isn't Secured

A standard PDF is essentially an open file. Anyone who receives it can:

  • Copy the full text into another document
  • Edit content using free tools like Adobe Acrobat, Sejda, or even LibreOffice Draw
  • Read hidden metadata (your name, the software you used, timestamps of every edit)
  • Print unlimited copies with no record

Most people assume PDFs are "locked" by nature because they look finished. They aren't. A PDF without protection is no different from handing someone an editable Word file.

The Two Types of PDF Passwords (And Why It Matters)

Before you rush to add a password, you need to understand that PDFs support two distinct password layers — and they do very different things.

Open password (user password): Blocks anyone from even viewing the file without the correct password. The document won't render at all until it's entered.

Permissions password (owner password): Lets people view the document but restricts what they can do — no editing, no copying text, no printing, or any combination you choose.

Most online tools only add an open password. That's fine for keeping strangers out, but if you need to let someone read a document without modifying it, you need the permissions layer specifically. Tools like Adobe Acrobat Pro handle both. Several online platforms also support setting either type without installing software.

How to Secure a PDF Step by Step

Here's the workflow I use for anything I'm sharing externally.

Step 1 — Strip the metadata first

Open your PDF and remove embedded metadata before doing anything else. Metadata can expose your full name, your company's software stack, GPS coordinates (if the source was scanned on a phone), and a complete edit history.

In Adobe Acrobat Pro, go to File → Properties → Description and manually clear each field, then use the "Remove Hidden Information" feature under Protection. If you want to verify what's embedded, a free command-line tool like ExifTool will show you everything.

Step 2 — Add password protection

Use a password that's at least 12 characters with mixed case, numbers, and symbols. Avoid anything tied to the document itself (no "Contract2026" or "Invoice-March").

Most online PDF security tools follow the same process:

  1. Upload your cleaned PDF
  2. Enter your chosen password
  3. Download the protected file

If you're working locally, Adobe Acrobat Pro and the free tool PDFtk both support password addition from the desktop.

Step 3 — Set permission restrictions

If the recipient needs to read but not modify the document, set permissions to block editing and copying while allowing viewing. This is especially important for:

  • Signed contracts
  • Published reports
  • Internal policy documents

In Acrobat Pro, this lives under File → Properties → Security. Most online tools (including iLovePDF and Smallpdf) offer a basic version of this, though they may not give you granular control over individual permissions.

Step 4 — Choose your encryption level

Modern PDF encryption comes in two AES strengths:

  • AES-128: Adequate for most personal and small business use. Compatible with nearly every PDF reader.
  • AES-256: Stronger encryption used in legal, healthcare, and government contexts. Some older PDF readers can't open these files.

If you're not sure, AES-128 is the safer default for compatibility. If you're dealing with genuinely sensitive data (patient records, financial audits), use AES-256 and confirm the recipient's software supports it first.

Step 5 — Add a watermark (optional but useful)

Watermarks don't prevent copying, but they create a deterrent and a paper trail. Stamping "Confidential" or "Draft — Not for Distribution" across pages discourages casual forwarding.

Adobe Acrobat, Foxit, and most online PDF tools let you add text watermarks with custom positioning and opacity.

How to Share the Secured PDF Safely

Locking the file is half the job. How you send it matters just as much.

Do: Send the PDF as an attachment through an encrypted email service (ProtonMail, Tutanota, or any provider with TLS encryption). If you're using a file-sharing link, use one that's password-protected and set an expiration date. Google Drive and Dropbox both support this.

Don't: Upload secured PDFs to random "free" online tools for compression or conversion after you've already locked them. Many of these services strip your security settings during processing. If you need to compress after protecting, use a trusted tool and verify that your encryption and password settings are still intact on the output file.

Send the password separately. Never include the PDF password in the same email as the file. Text it, call, or use a different communication channel entirely.
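One way to check that encryption and permission settings survived a trip through a compression or conversion tool, as the "Don't" advice above recommends. This is an added example, not code from any tool named in this guide. It reads the PDF's encryption dictionary directly and assumes the standard password security handler; the function names and sample bytes are constructed for illustration, and it does not tell you whether an open password is set.

```python
import re

# 1-indexed bit positions in the /P entry of the standard security handler.
PERMISSION_BITS = {"print": 3, "modify": 4, "copy": 5, "annotate": 6}
CIPHERS = {(5, "AESV3"): "AES-256", (4, "AESV2"): "AES-128"}

def find_encrypt_dict(pdf: bytes):
    """Return the raw encryption dictionary, or None if the file has none."""
    refs = re.findall(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if not refs:
        # Rare case: dictionary written inline in the trailer (read loosely).
        inline = re.search(rb"/Encrypt\s*<<(.*)", pdf, re.S)
        return inline.group(1) if inline else None
    # Use the last trailer so incremental updates are respected.
    obj = re.search(rb"(?<!\d)%s\s+%s\s+obj(.*?)endobj" % refs[-1], pdf, re.S)
    return obj.group(1) if obj else None

def _int_entry(enc: bytes, key: bytes, default: int = 0) -> int:
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", enc)
    return int(m.group(1)) if m else default

def audit_pdf_encryption(pdf: bytes) -> dict:
    """Summarise cipher and permission flags from the encryption dictionary."""
    enc = find_encrypt_dict(pdf)
    if enc is None:
        return {"encrypted": False}
    v = _int_entry(enc, b"V")
    cfm = re.search(rb"/CFM\s*/(\w+)", enc)
    method = cfm.group(1).decode() if cfm else ""
    legacy = "RC4 (legacy)" if v in (1, 2, 4) else "unknown"
    cipher = CIPHERS.get((v, method), legacy)
    p = _int_entry(enc, b"P") & 0xFFFFFFFF  # /P is a signed 32-bit integer
    allowed = {n: bool(p >> (b - 1) & 1) for n, b in PERMISSION_BITS.items()}
    return {"encrypted": True, "cipher": cipher, "allowed": allowed}

def settings_intact(before: bytes, after: bytes) -> bool:
    """True if the processed file kept the original's encryption settings."""
    return audit_pdf_encryption(before) == audit_pdf_encryption(after)

# Constructed, trimmed fragments (not complete PDFs; /O and /U omitted).
SAMPLE_LOCKED = (
    b"%PDF-1.7\n9 0 obj\n<< /Filter /Standard /V 5 /R 6 /P -1340\n"
    b"   /CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >>\n"
    b"   /StmF /StdCF /StrF /StdCF >>\nendobj\n"
    b"trailer\n<< /Size 10 /Root 1 0 R /Encrypt 9 0 R >>\n%%EOF\n"
)
SAMPLE_STRIPPED = b"%PDF-1.7\ntrailer\n<< /Size 9 /Root 1 0 R >>\n%%EOF\n"
```

To use it on real files, read each one with `open(path, "rb").read()` and pass the original and the processed output to `settings_intact`.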

Honest Limitations You Should Know

No method is bulletproof. Here's what PDF security can and can't do:

  • Permissions passwords can be removed by anyone with the right software if the file doesn't also have an open password. Always use both layers together.
  • Screenshots exist. No amount of copy-restriction will stop someone from screenshotting your document. DRM-level protection requires specialized enterprise tools (Adobe LiveCycle, FileOpen), not standard PDF security.
  • Metadata removal isn't always complete. Some tools miss XMP data or embedded font metadata. If you're handling high-stakes documents, use Acrobat Pro's "Examine Document" feature to catch residual data, or verify the output with a tool like ExifTool.
  • Online tools process your file on a server. Even trusted platforms temporarily store your upload. For truly sensitive documents (legal discovery, classified material), do everything locally with desktop software.
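A local check for the incomplete metadata removal described above: the document information fields are cleared but the XMP packet still names the author and software. This is an added example, not part of Acrobat or ExifTool. It assumes the file is not yet encrypted, that the metadata is stored uncompressed, and that XMP properties are written as elements; the function names and sample bytes are constructed for illustration.

```python
import re

INFO_KEYS = (b"Title", b"Author", b"Subject", b"Keywords",
             b"Creator", b"Producer", b"CreationDate", b"ModDate")
XMP_TAGS = (b"dc:creator", b"dc:title", b"xmp:CreatorTool",
            b"pdf:Producer", b"xmp:CreateDate", b"xmp:ModifyDate")

def info_fields(pdf: bytes) -> dict:
    """Non-empty literal-string entries of the document information dictionary."""
    refs = re.findall(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if not refs:
        return {}
    obj = re.search(rb"(?<!\d)%s\s+%s\s+obj(.*?)endobj" % refs[-1], pdf, re.S)
    body = obj.group(1) if obj else b""
    found = {}
    for key in INFO_KEYS:
        # Simplified literal-string match: escapes handled, nested parens not.
        m = re.search(rb"/" + key + rb"\s*\(((?:\\.|[^\\)])*)\)", body)
        if m and m.group(1):
            found[key.decode()] = m.group(1).decode("latin-1")
    return found

def xmp_fields(pdf: bytes) -> dict:
    """Selected properties still present in an embedded XMP packet."""
    packet = re.search(rb"<x:xmpmeta.*?</x:xmpmeta>", pdf, re.S)
    if not packet:
        return {}
    found = {}
    for tag in XMP_TAGS:
        m = re.search(rb"<" + tag + rb"[^>]*>(.*?)</" + tag + rb">",
                      packet.group(0), re.S)
        if m:
            # Drop wrappers such as rdf:Seq / rdf:li around the value.
            text = re.sub(rb"<[^>]+>", b" ", m.group(1)).strip()
            if text:
                found[tag.decode()] = text.decode("utf-8", "replace")
    return found

def residual_metadata(pdf: bytes) -> dict:
    return {"info": info_fields(pdf), "xmp": xmp_fields(pdf)}

# Constructed, trimmed fragment (not a complete PDF): Info cleared, XMP left.
SAMPLE_CLEANED = (
    b"%PDF-1.7\n4 0 obj\n<< /Author () /Creator () /Producer () >>\nendobj\n"
    b"5 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF><rdf:Description>\n'
    b"<dc:creator><rdf:Seq><rdf:li>Jane Example</rdf:li></rdf:Seq></dc:creator>\n"
    b"<xmp:CreatorTool>ExampleWriter 1.0</xmp:CreatorTool>\n"
    b"</rdf:Description></rdf:RDF></x:xmpmeta>\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
)
```

An empty result from both functions is what a fully cleaned file should produce; anything left under `xmp` is data the cleaning step missed.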

When to Use What: A Quick Reference

Scenario | Minimum security | Recommended
Sending an invoice to a client | Open password | Open password + permissions lock
Sharing a signed contract | Open password + permissions lock | AES-256 encryption + watermark
Publishing a report publicly | Permissions lock (no edit/copy) | Permissions lock + watermark
Internal HR documents | AES-128 encryption + open password | AES-256 + metadata removal + separate password delivery
Personal tax returns to accountant | Open password | AES-128 + password sent via separate channel

FAQs

Can a password-protected PDF be cracked? Technically, yes. Weak passwords (under 8 characters, dictionary words) can be brute-forced with free tools in minutes. A strong 12+ character password with AES-256 encryption would take an impractical amount of computing time to crack. The password is the weak link, not the encryption.

Is it safe to use online PDF tools for sensitive files? It depends on the tool. Reputable services like PDF Doctor, iLovePDF, and Smallpdf use encrypted connections and auto-delete files after processing. Unknown or ad-heavy sites may store or monetize your uploads. For anything highly confidential — legal documents, medical records — use desktop software instead.

What's the single most effective thing I can do? Add both an open password and a permissions password using AES-128 or AES-256 encryption. That one step stops the vast majority of casual access and modification. Everything else (watermarks, metadata removal, secure sharing) adds layers on top of that foundation.

Do all PDF readers support encrypted files? Most modern readers (Adobe Acrobat Reader, Foxit, Chrome's built-in viewer, Preview on Mac) handle AES-128 without issues. AES-256 can cause problems with older software or lightweight mobile readers. If you're unsure about your recipient's setup, AES-128 is the compatible choice.