Security

Batch PDF encryption with AES-256 and granular permissions

User and owner passwords, six permission flags, four scenario presets, batch decryption to strip existing protection. Built on the PDF 2.0 V=5/R=6 encryption handler — the strongest standard PDF encryption available.

Download Complimentary Trial

500 contracts · AES-256 encrypted · Print-only permissions

The two passwords

User password and owner password do completely different things

PDF supports two distinct passwords on the same file, and confusing them is the most common mistake people make with PDF encryption. They protect different things and serve different threat models. 

USER PASSWORD (open password)
  Required to open and view the PDF.
  Without it, the file is unreadable — encrypted on disk, no preview.
  Use when: only authorized recipients should see the document at all.

OWNER PASSWORD (permissions password)
  Holder can change permissions and remove encryption.
  Anyone can open the file with their existing reader, BUT
  the file enforces the permission flags you set (print, copy, edit, etc.).
  Use when: the document can be read freely, but only certain
  actions are allowed unless someone holds the owner password.

BOTH SET
  Most restrictive. User password to open, owner password to bypass restrictions.

A common misconception is that the user password is "the password" and the owner password is some kind of admin override. They are different mechanisms. Most public-distribution scenarios (web-published reports with no copy/edit) need an owner password and no user password — you want everyone to read the document, you just don't want them to copy text out.

Encryption

AES-256 in the PDF 2.0 V=5/R=6 handler

PDF defines its encryption handlers by two version numbers: V identifies the algorithm and R the password-handling revision. The PDF spec has gone through several iterations — V=2 R=3 RC4-128 (1.4 era, weak by modern standards), V=4 R=4 AES-128 (1.7 era, OK), V=5 R=5 AES-256 (1.7 ExtensionLevel 3, with a known weakness), and finally V=5 R=6 AES-256 (PDF 2.0, the current strong standard).

PDF Batch Editor encrypts using V=5 R=6: AES-256 in CBC mode, with key derivation that uses a salt and a high iteration count to resist password brute-force. This is the same encryption handler used by enterprise document management systems and government archives. Older readers (pre-Acrobat X / pre-2011 software) won't open V=5 R=6 files; modern Acrobat, Foxit, and most PDF libraries handle it transparently.

Granular permissions

Six flags, four presets, one custom mode

The six permission flags

Print, Modify content, Copy text and images, Add or modify annotations, Fill form fields, High-quality print. Each is a yes/no flag in the PDF's permissions bitmask, set at encryption time and enforced by the reader at view time.

View Only

No print, copy, edit, or annotate. The recipient can read the document on screen and nothing else. Right for sensitive proofs and review copies you don't want printed or extracted.

Print Only

Allow printing; block everything else. Right for distributable documents where printing is the intended use case (compliance posters, reference cards, public-facing forms) but content extraction is not.

No Editing

Allow print, copy, annotate, fill forms; block content modification. Right for templates and forms that should be filled and printed but not structurally altered.

Full Access

All permissions granted. Use when you want password-gated access (user password set) but no permission restrictions inside — "you need the password to open it, but once open you can do whatever you need".

Custom

Toggle each of the six flags independently. The presets cover most cases; Custom mode is for the edge cases — e.g. allow print but block high-quality print (low-res print only), allow copy but block annotations.

The other direction

Batch decrypt to remove existing protection

Sometimes the job is the reverse: an inherited archive of password-protected PDFs that need to be migrated to a new document management system, or a batch of forms that arrived encrypted from an external partner and need to be processed downstream. Decrypt mode removes the encryption layer from each file in the batch.

You must supply the correct user or owner password — PDF Batch Editor doesn't crack passwords, doesn't have a recovery mode, doesn't bypass them. With the correct password, the file decrypts cleanly and the output is a regular unprotected PDF. Without it, the file is skipped and the operation log records the failure. This is intentional: if a tool can decrypt PDFs without the password, the encryption is meaningless.

Use Cases

When every document needs protection

Client-Specific Distribution

A law firm encrypts 500 contracts with a per-client user password before emailing. Recipients need the password to open. AES-256, applied consistently across the batch, with the operation log recording every file processed.

Web-Ready Restricted PDFs

Marketing publishes 200 product spec sheets on the company website. Owner password set, Print Only preset applied. Anyone can read the documents online; no one can copy text or edit content. Files renamed with _WEB suffix for version control.

Archive Migration

IT migrates 300 password-protected legacy PDFs into a new DMS that requires plaintext. Decrypt mode strips encryption from the entire batch in minutes. Originals stay encrypted; decrypted copies land in the migration staging folder.

Frequently Asked Questions

What's the difference between user password and owner password?

The user password (also called the open password) is required to open and view the PDF. Without it, the file is unreadable. The owner password (permissions password) controls what someone who can open the file is allowed to do — print it, copy text out, edit it, fill forms, etc. You can set one, both, or neither: setting only the owner password produces a file that anyone can open but only the owner password holder can modify.

What does AES-256 V=5 R=6 actually mean?

PDF defines several encryption handlers, identified by V (algorithm version) and R (revision). V=5 R=6 is the AES-256 encryption handler introduced in PDF 2.0 — the strongest standard PDF encryption available. It uses AES in CBC mode with a 256-bit key, derives keys from passwords using a salt and iteration count that resist brute force, and is what every modern PDF reader expects from a securely-encrypted file.

Which permissions can I control individually?

Six permission flags: print, modify content, copy text and images, add or modify annotations, fill in form fields, and high-quality print. Each is a yes/no flag set in the PDF's permissions bitmask at encryption time. Most PDF readers honor these flags as soft restrictions (the encryption is enforced, but the readers voluntarily respect the permission flags); a determined user with a tool that ignores permissions can sometimes bypass them, which is why permissions are not a substitute for proper access control.

What are the permission presets?

Four scenario presets cover most cases: View Only (no print, copy, edit, or annotate), Print Only (allow print, block everything else), No Editing (allow print, copy, annotate, fill forms — block content modification), and Full Access (all permissions granted). Custom mode lets you toggle each of the six permission flags independently. The presets are the right starting point; Custom is for the edge cases.

Can I batch-remove passwords from already-encrypted files?

Yes. Switch to Decrypt mode, supply the correct user or owner password (you must already know it — there is no password recovery), and run. Each file in the batch is decrypted and the encryption is removed. Useful for migrating archives to new document management systems that need plaintext input, or for consolidating an inherited collection where each file has its own password.

Are encryption and digital signatures compatible?

Yes, but the order matters. Sign first, then encrypt — the signature is preserved inside the encrypted container and verifies after decryption. Encrypting first and then signing is also possible but more limited because the signing tool needs to read the file's structure. The Batch Pipeline makes the ordering explicit: sign upstream, encrypt as the final step.

PDF permission flags are honored by readers as a convention, not enforced by the file itself the way encryption is. Whether the resulting protection meets the security requirements of a particular regulatory framework or contractual obligation is a question for counsel and your security team. The information above describes the technical mechanism; it is not security advice.

Related operations

More tools in the PDF Batch Editor desktop suite — built for the same multi-file workflows.

Permanently redact sensitive text in PDFs →

Content-stream redaction for SSNs, emails, account numbers, and custom regex patterns. HIPAA, GDPR, and FOIA-ready.

Batch digitally sign PDFs with a certificate →

PFX/P12 certificate signing across hundreds of files. Visible or invisible signatures, timestamp server support, per-signer or shared certs.

Compress and optimize PDFs in batch →

Image downsampling, font subsetting, and unused-object removal. Web, Balanced, and Print profiles with before/after size reporting.

Chain PDF operations into automated pipelines →

Sequence redact, watermark, sign, and PDF/A into a single saved workflow you can run on demand across hundreds of files.

Protect every PDF in one click

AES-256 encryption with granular permissions at batch scale. Complimentary 14-day trial.

Download Complimentary Trial

Windows & macOS · No credit card required · All features included