Introduction to Encryption

Encryption is the process in which some data is converted to an unintelligible format so that only authorized parties can access the original data. One of the ways of making the content of a PDF inaccessible to certain people is by setting a password.

Owner and User Passwords

A PDF file can have two kinds of password set. A user password (also known as an open password) prevents users from opening a document if they don’t know the password. When you try to open a document with a user password, PSPDFKit will show a password prompt to unlock the document. (If you want to open a document with a user password programmatically, you can use the openDocument(context, Uri, password) API.)

An owner password (also known as a permissions password) is a password that controls the editing of a document. When an owner password is set, you can configure a set of permissions, i.e. operations that you can or cannot perform on the PDF. For example, you can configure an owner password and the “printing” permission when saving a document to make sure that users who don’t know that owner password can only print the document, but not modify it. If you are interested in the available set of document permissions and how PSPDFKit honors them, take a look at our Document Permissions guide.

If you want more information about what the user and owner passwords are in PDFs and how you can set them with PSPDFKit, take a look at this blog post: Protecting PDF Documents.

A PDF file can have multiple security-related options set. The owner password generally controls the editing of a document and is required as soon as you want to encrypt a document of any kind. The user password prevents users from viewing the PDF. It’s optional, but if you specify it, you also need to specify an owner password. Check out our Document Processing guide for more details on how to create a password-protected document using PSPDFKit.

Encryption Algorithms

When you set any password on a PDF document, PSPDFKit automatically encrypts the document to make it inaccessible to people who don’t know the password. PSPDFKit supports RC4 and AES encryption algorithms.

RC4 is a proprietary encryption algorithm of RSA Security Inc. It is a symmetric stream cipher — i.e. the same algorithm is used for both encryption and decryption, and the algorithm does not change the length of the data.

AES support was introduced with PDF 1.6. It is a symmetric block cipher — i.e. the same algorithm is used for both encryption and decryption, and the length of the data when encrypted is rounded up to a multiple of the block size, which, in this implementation, is fixed to always be 16 bytes. The following table summarizes the different encryption algorithms supported by PDF and Adobe Acrobat.

| Encryption Algorithm | PDF and Acrobat Version |
| --- | --- |
| RC4 40-bit | PDF 1.1 – 1.3 (Acrobat 2-4) |
| RC4 128-bit | PDF 1.4 – 1.5 (Acrobat 5-6) |
| AES 128-bit | PDF 1.6 – 1.7 = ISO 32000-1 (Acrobat 7-8) |
| AES 256-bit | PDF 2.0 (Acrobat X) |

PSPDFKit defaults to encrypting documents with the strongest algorithm available: AES with a sufficiently long encryption key. A long encryption key makes it impractical to decrypt a document by brute-forcing the key.

If you are editing a document with Adobe Acrobat, you can configure which encryption is applied when you set a password from File > Properties > Security. Select Password Security from the dropdown box and choose an encryption option from the Compatibility dropdown. Selecting the Acrobat 6 and later option when creating an encrypted PDF uses a low encryption level (128‑bit RC4), while the other options use a high encryption level (128‑bit RC4 or AES). Acrobat 7.0 and later encrypts the document using the AES encryption algorithm with a 128-bit key size. Since version 4.8, PSPDFKit for Android has supported encrypting password-protected documents using the Acrobat 7.0+ style encryption.
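To check which row of the table above an existing file falls into, you can read its encryption dictionary. The following Python sketch is an added example, not PSPDFKit code: it assumes a regex scan of the raw bytes is enough (it is not a full PDF parser), the function names are hypothetical, and the /V, /Length and /CFM entries it reads come from the PDF specification rather than from this guide.

```python
import re

# Constructed sample (not a complete PDF): an encryption dictionary and the
# trailer that references it, as found in an Acrobat 7-style (PDF 1.6) file.
SAMPLE = (b"%PDF-1.6\n7 0 obj\n"
          b"<< /Filter /Standard /V 4 /R 4 /Length 128 /P -1068\n"
          b"   /CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >>\n"
          b"   /StmF /StdCF /StrF /StdCF >>\nendobj\n"
          b"trailer\n<< /Size 8 /Root 1 0 R /Encrypt 7 0 R >>\n%%EOF\n")

def encryption_dict(pdf: bytes):
    """Raw bytes of the encryption dictionary, or None if the file has none."""
    refs = re.findall(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if refs:  # indirect reference; the last match is the newest revision
        num, gen = refs[-1]
        objs = re.findall(rb"(?<!\d)%s\s+%s\s+obj(.*?)endobj" % (num, gen), pdf, re.S)
        return objs[-1] if objs else b""
    inline = re.search(rb"/Encrypt\s*<<", pdf)  # dictionary written in the trailer
    return pdf[inline.end():inline.end() + 1024] if inline else None

def classify(pdf: bytes) -> str:
    """Map /V, /Length and /CFM to the algorithm names used in the table."""
    d = encryption_dict(pdf)
    if d is None:
        return "none"
    def number(key: bytes, default: int) -> int:
        m = re.search(rb"/%s\s+(\d+)" % key, d)
        return int(m.group(1)) if m else default
    v = number(b"V", 0)
    if v == 1:
        return "RC4 40-bit"
    if v == 2:  # top-level /Length is in bits and defaults to 40
        return "RC4 %d-bit" % number(b"Length", 40)
    if v == 4:  # crypt filters: /V2 means RC4, /AESV2 means AES-128
        methods = set(re.findall(rb"/CFM\s*/(\w+)", d))
        if b"V2" in methods:
            return "RC4 (crypt filter)"
        return "AES 128-bit" if b"AESV2" in methods else "unknown"
    return "AES 256-bit" if v == 5 else "unknown"

def is_legacy(label: str) -> bool:
    """Policy check: flag anything still protected with RC4."""
    return label.startswith("RC4")

if __name__ == "__main__":
    label = classify(SAMPLE)
    print(label, "legacy" if is_legacy(label) else "ok")
```

Files flagged by `is_legacy` are candidates for re-saving with an AES option.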

PSPDFKit Supports Fast, In-Memory AES-256 Decryption

PSPDFKit is able to add an additional layer of security with support for state-of-the-art, fast, in-memory AES-256 decryption using the AesDataProvider class. Unlike other solutions, the PDF is never fully decrypted, and this even works with very large (> 500 MB) documents. The file is also never written to disk unencrypted. For more details, see our AES Data Provider guide.