pdfcpu
A PDF processor written in Go.
View the Project on GitHub pdfcpu/pdfcpu
Changelog
Encrypt
This command encrypts inFile using the standard security handler as defined in PDF 32000-1:2008. If provided the encrypted PDF will be written to outFile and inFile remains untouched. Have a look at some examples.
Usage
pdfcpu encrypt [-mode rc4|aes] [-key 40|128|256] [-perm none|all] [-upw userpw] -opw ownerpw inFile [outFile]
Flags
| name | description | required | values | default |
|---|---|---|---|---|
| mode | encryption | no | rc4, aes | aes |
| key | key length | no | rc4:40,128 aes:40,128,256 | 256 |
| perm | permissions | no | none, all | none |
Common Flags
| name | description | values |
|---|---|---|
| v(erbose) | turn on logging | |
| vv | verbose logging | |
| q(uiet) | quiet mode | |
| u(nit) | display unit | po(ints),in(ches),cm,mm |
| c(onf) | config dir | $path, disable |
| upw | user password | |
| opw | owner password |
Arguments
| name | description | required |
|---|---|---|
| inFile | PDF input file | yes |
| outFile | encrypted PDF output file | no |
mode
The symmetric encryption algorithm to be used for encrypting and decrypting a document. The PDF standard security handler defines two algorithms to be used:
NOTE: RC4 is considered to be insecure!
The default mode for pdfcpu is AES.
As of 2019 AES is still considered secure and an effective federal US government standard.
NOTE: As AES-256 is the most recent algorithm the PDF 1.7 specification defines, more secure algorithms will be needed and provided in a future release.
key
The length of the cryptographic key used for encryption and decryption.
Possible values for RC4:
- 40
- 128
Possible values for AES:
- 40
- 128
- 256
perm
The set of permissions that apply once a document has been opened.
Possible values:
-
noneclears all permission bits. This is the most restrictive way of presenting an open document to a user. -
allsets all permission bits allowing full access to all operations that may be applied to an open document.
NOTE: These quick primitives will be followed up by finer grained control over the permission bits in a future release.
Examples
Encrypt test.pdf using the default encryption AES with a 256-bit key and the default permissions.
Set the owner password to opw. This password also known as the master password or the set permissions password may be used to change the permissions. Since there is no user password set any PDF Reader may open this document:
$ pdfcpu encrypt -opw opw test.pdf
writing test.pdf ...
Encrypt test.pdf using the default encryption AES with a 256-bit key and the default permissions.
Set the user password to upw. This password must be used to open the decrypted file. It is also known as the open doc password, then
set the owner password to opw:
$ pdfcpu encrypt -upw upw -opw opw test.pdf
writing test.pdf ...
Encrypt test.pdf and write the encrypted output file to test_enc.pdf. Use AES with a 40-bit key and default permissions.
Set the mandatory owner password to opw which will also be needed to change the permissions of test_enc.pdf:
$ pdfcpu encrypt -opw opw -mode aes -key 40 test.pdf test_enc.pdf
writing test_enc.pdf ...
Encrypt test.pdf and write the encrypted output file to test_enc.pdf. Use RC4 with a 128-bit key and set all permissions for full access.
Set the user password to upw which will be needed to open test_enc.pdf, also set the owner password to opw:
$ pdfcpu encrypt -upw upw -opw opw -mode rc4 -key 128 -perm all test.pdf test_enc.pdf
writing test_enc.pdf ...