pdfcpu

Logo

A PDF processor written in Go.

View the Project on GitHub pdfcpu/pdfcpu


Changelog

Encrypt

This command encrypts inFile using the standard security handler as defined in PDF 32000-1:2008. If provided the encrypted PDF will be written to outFile and inFile remains untouched. Have a look at some examples.

Usage

usage: pdfcpu encrypt [-v(erbose)|vv] [-q(uiet)] [-mode rc4|aes] [-key 40|128|256] [perm none|all] [-upw userpw] -opw ownerpw inFile [outFile]


Flags

name description required values default
verbose turn on logging no    
vv verbose logging no    
quiet quiet mode no    
mode encryption no rc4, aes aes
key key length no rc4:40,128 aes:40,128,256 256
perm permissions no none, all none
upw user password no    
opw owner password yes, must not be empty!    


Arguments

name description required
inFile PDF input file yes
outFile encrypted PDF output file no


mode

The symmetric encryption algorithm to be used for encrypting and decrypting a document. The PDF standard security handler defines two algorithms to be used:

NOTE: RC4 is considered to be insecure!

The default mode for pdfcpu is AES.
As of 2019 AES is still considered secure and an effective federal US government standard.

NOTE: As AES-256 is the most recent algorithm the PDF 1.7 specification defines, more secure algorithms will be needed and provided in a future release.

key

The length of the cryptographic key used for encryption and decryption.

Possible values for RC4:

Possible values for AES:

perm

The set of permissions that apply once a document has been opened.

Possible values:

NOTE: These quick primitives will be followed up by finer grained control over the permission bits in a future release.


Examples

Encrypt test.pdf using the default encryption AES with a 256-bit key and the default permissions. Set the owner password to opw. This password also known as the master password or the set permissions password may be used to change the permissions. Since there is no user password set any PDF Reader may open this document:

pdfcpu encrypt -opw opw test.pdf
writing test.pdf ...


Encrypt test.pdf using the default encryption AES with a 256-bit key and the default permissions. Set the user password to upw. This password must be used to open the decrypted file. It is also known as the open doc password, then set the owner password to opw:

pdfcpu encrypt -upw upw -opw opw test.pdf
writing test.pdf ...


Encrypt test.pdf and write the encrypted output file to test_enc.pdf. Use AES with a 40-bit key and default permissions. Set the mandatory owner password to opw which will also be needed to change the permissions of test_enc.pdf:

pdfcpu encrypt -opw opw -mode aes -key 40 test.pdf test_enc.pdf
writing test_enc.pdf ...


Encrypt test.pdf and write the encrypted output file to test_enc.pdf. Use RC4 with a 128-bit key and set all permissions for full access. Set the user password to upw which will be needed to open test_enc.pdf, also set the owner password to opw:

pdfcpu encrypt -upw upw -opw opw -mode rc4 -key 128 -perm all test.pdf test_enc.pdf
writing test_enc.pdf ...