PDF permissions vs. encryption: What every developer needs to know

PDF permissions control how users interact with a document after opening it, such as printing or editing, while encryption safeguards the file from unauthorized access entirely. Implement a user password to secure access and an owner password to manage permitted actions. Nutrient SDKs empower developers to apply robust protection across web, mobile, and server environments with industry-standard AES encryption.
Why protecting content has always mattered
Since ancient times, people have sought ways to protect information. Early civilizations used techniques like non-standard hieroglyphs and the Caesar cipher to obscure communication. By the 19th century, advances in mathematics led to the birth of modern cryptography. Today, these principles underpin the encryption technologies that protect our digital documents, including PDFs.
When it comes to PDFs, understanding the difference between encryption and permissions is crucial for securing information effectively. Especially when setting a PDF permissions password, developers must know how these protection mechanisms work, along with their limitations.
Understanding encryption
Encryption transforms a PDF’s contents into an unreadable format unless the correct password is provided, shielding sensitive data like text, forms, and images from unauthorized access.
While not every byte is encrypted, the critical content is, ensuring confidentiality and document integrity. Today, PDFs are secured using passwords, certificates, or server-driven rights management, making digital document protection efficient and reliable.
Password-based security explained
Password protection remains the most accessible and widely adopted method for securing PDFs. The gold standard for encryption strength today is the 256-bit AES cipher.
You can secure a PDF in two distinct ways:
- Set a user password to control access to the document.
- Set an owner password to regulate permissible actions within the document.
It’s essential to use different values for these passwords to maintain robust security.
What is a user password (open password)?
The user password is required to open and view a document. Internally, the password is used to derive a decryption key that unlocks the protected content. Once authenticated, users have full access — subject to any owner-imposed permissions.
What is an owner password (permissions password)?
The owner password allows the document creator to define restrictions on user actions, such as preventing printing, copying, or editing. Unlike encryption, permission enforcement relies on the integrity of PDF viewer applications, meaning not all software will honor these restrictions.
Critical insights include:
- Both passwords exist in the encryption structure.
- Either password technically decrypts the document.
- Reusing the same string for both passwords weakens the protection.
Importantly, once a user opens a document with the user password, a non-compliant viewer could ignore the permissions — highlighting the difference between access control and action control.
How to encrypt a PDF
To encrypt a PDF:
- Set a user password — This encrypts the entire file, making it inaccessible without the password.
- Choose an encryption strength — Options typically include 128-bit or 256-bit AES encryption.
Understanding PDF permissions
PDF permissions define what users can do with a document after gaining access. These restrictions are enforced based on the owner password.
The main permission types include:
Permission | Capability |
---|---|
Printing | Allow low-resolution printing (rasterized output). |
Modification | Enable editing of document content. |
Extract content | Permit copying text or images to another application. |
Add annotations and form fields | Allow users to comment or insert form fields. |
Fill form elements | Enable users to complete interactive form fields. |
Extract text and graphics for accessibility | Support screen readers and accessibility extraction. |
Assemble the document | Permit page manipulation such as inserting or deleting pages. |
Print with high quality | Allow full-resolution, high-quality printing. |
Permissions are set using an owner password. Users without the owner password can still open the document if no user password is set, but they’ll be limited by the permissions applied, assuming their PDF viewer respects these restrictions.
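The permissions in the table above are stored in the file as a single integer, the `/P` entry of the encryption dictionary, which is why enforcement depends on the viewer reading and honoring that value. The following added example (not Nutrient code) decodes and encodes `/P` using the bit positions from ISO 32000-1, Table 22. The permission names are borrowed from the Web SDK snippet on this page; their mapping to bits and the sample dictionary are assumptions made for illustration.

```javascript
// Added example: decode the /P permission flags of a PDF encryption dictionary.
// Bit positions follow ISO 32000-1, Table 22 (bit 1 is the least significant bit).
const PERMISSION_BITS = {
  printing: 3,
  modification: 4,
  extract: 5,
  annotationsAndForms: 6,
  fillForms: 9,
  extractAccessibility: 10,
  assemble: 11,
  printHighQuality: 12,
};

// Return the names of the permissions granted by a signed 32-bit /P value.
function decodePermissions(p) {
  const bits = p >>> 0; // view the signed value as an unsigned 32-bit pattern
  return Object.entries(PERMISSION_BITS)
    .filter(([, bit]) => (bits & (1 << (bit - 1))) !== 0)
    .map(([name]) => name);
}

// Build the /P value for a set of allowed permissions.
// Bits 1-2 stay 0; the reserved bits 7-8 and 13-32 are set to 1.
function encodePermissions(allowed) {
  let bits = 0xfffff0c0;
  for (const name of allowed) {
    if (!(name in PERMISSION_BITS)) throw new Error(`unknown permission: ${name}`);
    bits |= 1 << (PERMISSION_BITS[name] - 1);
  }
  return bits | 0; // signed 32-bit integer, as written in the file
}

// Extract /P from an encryption dictionary and list what a viewer is asked to deny.
function auditEncryptDict(dictText) {
  const match = /\/P\s+(-?\d+)/.exec(dictText);
  if (!match) return null; // no /P entry found
  const p = Number(match[1]);
  const granted = decodePermissions(p);
  const denied = Object.keys(PERMISSION_BITS).filter((n) => !granted.includes(n));
  return { p, granted, denied };
}

// Constructed sample dictionary; the /O and /U values are placeholders.
const sample = "<< /Filter /Standard /V 5 /R 6 /Length 256 /P -1852 /O <...> /U <...> >>";
console.log(auditEncryptDict(sample));
```

Running the same decoder over exported files is a quick way to confirm that the permissions you passed to an SDK are the ones that ended up in the document.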
How to add permissions to a PDF
To add permissions:
- Set an owner password — This allows you to define and lock specific permissions.
- Specify allowed actions — Decide what operations users are permitted to perform.
Using Nutrient’s SDKs, you can easily set these permissions during the PDF saving or building process by passing parameters that enable or disable specific functionalities.
How to encrypt PDFs and set permissions using Nutrient SDKs
.NET SDK
To save a password-protected PDF with permissions using Nutrient .NET SDK, you can use the `SaveToStream` method of the `GdPicturePDF` class:

```csharp
using GdPicturePDF gdPicturePDF = new GdPicturePDF();
// Create an empty `Stream` object.
MemoryStream streamPDF = new MemoryStream();
// Load a PDF document to GdPicture.
gdPicturePDF.LoadFromFile(@"C:\temp\source.pdf");
// Save the loaded PDF document to the stream with password-protection enabled.
// The user password is empty here, so only the owner password and permissions are set.
gdPicturePDF.SaveToStream(streamPDF, PdfEncryption.PdfEncryption128BitAES, "", "owner",
    CanPrint: true, CanCopy: true, CanModify: false, CanAddNotes: false,
    CanFillFields: true, CanCopyAccess: false, CanAssemble: false, CanPrintFull: false);
```
Learn more: Saving a password-protected PDF to a stream
iOS SDK
For iOS applications, Nutrient provides comprehensive support for adding password protection to PDF documents.
With iOS, you can use the `Document.SecurityOptions` class:

```swift
// `ownerPassword` and `userPassword` are two different strings defined elsewhere.
let securityOptions: Document.SecurityOptions
do {
    securityOptions = try Document.SecurityOptions(
        ownerPassword: ownerPassword,
        userPassword: userPassword,
        keyLength: Document.SecurityOptionsKeyLengthAutomatic,
        permissions: [.annotationsAndForms])
} catch {
    // Handle error.
    return
}
guard let processorConfiguration = Processor.Configuration(document: document) else {
    return
}

// Create a processor and write the file with the permissions applied.
let processor = Processor(configuration: processorConfiguration, securityOptions: securityOptions)
try processor.write(toFileURL: outputFileURL)
```
Learn more: Customizing PDF editing permissions on iOS
Web SDK
Nutrient Web SDK fully supports password-protected PDFs. You can programmatically set passwords and permissions or prompt users to enter passwords when opening documents. The Web SDK works with all major JavaScript frameworks, including React, Angular, Vue, and Svelte.
To encrypt a PDF and set permissions using Nutrient Web SDK, use the `exportPDF()` method:

```javascript
instance.exportPDF({
  permissions: {
    userPassword: 'userp@ssw0rd',
    ownerPassword: 'ownerp@ssw0rd',
    documentPermissions: [
      PSPDFKit.DocumentPermissions.annotationsAndForms,
      PSPDFKit.DocumentPermissions.assemble,
      PSPDFKit.DocumentPermissions.extract,
      PSPDFKit.DocumentPermissions.extractAccessibility,
      PSPDFKit.DocumentPermissions.fillForms,
      PSPDFKit.DocumentPermissions.modification,
      PSPDFKit.DocumentPermissions.printHighQuality,
      PSPDFKit.DocumentPermissions.printing,
    ],
  },
});
```
Our guide on password protection in PDFs provides details on implementing this functionality in web applications.
Protecting PDFs with a password in MAUI
In MAUI, you can create a password-protected PDF by loading a source document and exporting it with updated permissions:
```csharp
var document = await PDFView.Controller.LoadDocumentAsync("source.pdf", PDFView.Controller.CreateViewerConfiguration());

var exportConfiguration = document.CreateExportConfiguration();
exportConfiguration.Permissions.UserPassword = "u$erp@ssw0rd";
exportConfiguration.Permissions.OwnerPassword = "u$ownerp@ssw0rd";

var outputDocument = await document.ExportDocumentAsync(exportConfiguration);
```

`UserPassword` specifies the password needed to open the document. `OwnerPassword` grants full access and control over permissions.
For more details, refer to the MAUI SDK documentation.
Android SDK
For Android, you can set permissions and encrypt a PDF when saving a document using the `DocumentSaveOptions` object:

```kotlin
val saveOptions = document.getDefaultDocumentSaveOptions()
saveOptions.setPermissions(EnumSet.of(DocumentPermissions.ANNOTATIONS_AND_FORMS))

document.save(documentPath, saveOptions)
```
Learn more: Manage PDF document permissions on Android
You can also secure a PDF document when generating reports:
```kotlin
val task: PdfProcessorTask = ...
val outputFile: File = ...

// Set password and permissions.
val password = "yourSecurePassword"
val saveOptions = DocumentSaveOptions(
    password,
    EnumSet.of(DocumentPermissions.PRINTING),
    false,
    null
)

// Process the document with security options.
PdfProcessor.processDocument(task, outputFile, saveOptions)
```
This example shows how to add a password and set the printing permission when processing a document.
Working with password-protected PDFs using Document Engine
Document Engine enables you to perform operations on password-protected PDFs and secure output documents with passwords.
Uploading a password-protected PDF
Supply the document password using the `pspdfkit-pdf-password` HTTP header:

```bash
curl -X POST http://localhost:5000/api/documents \
  -H "Authorization: Token token=<API token>" \
  -H "pspdfkit-pdf-password: document-password" \
  -F file=@/path/to/example-document.pdf
```
Building with password-protected PDFs
When merging or modifying PDFs, include the password in the `FilePart` configuration:

```bash
curl -X POST http://localhost:5000/api/build \
  -H "Authorization: Token token=<API token>" \
  -F document=@/path/to/example-document.pdf \
  -F password-document=@/path/to/example-password-document.pdf \
  -F instructions='{
    "parts": [
      { "file": "document" },
      { "file": "password-document", "password": "123456" }
    ]
  }' \
  -o result.pdf
```
PDFs generated with `/api/build` are unprotected by default. If needed, apply password protection to output files following the Document Engine output password guide.
Security implementation across platforms
Across all platforms, Nutrient combines AES encryption with password protection:
- 128-bit AES encryption
- 256-bit AES encryption
When a password is set on a PDF, Nutrient automatically applies AES encryption, ensuring the document is protected and inaccessible without the correct password. By default, Nutrient uses the strongest available encryption algorithm to secure documents across iOS, Android, and Web platforms.
Our section on a combined security approach details how Nutrient implements this security model across platforms.
Each platform implementation honors the same PDF permissions model, allowing you to control what users can do with documents, including printing, copying text, modifying content, and adding annotations.
Conclusion
Setting a PDF permissions password offers a practical layer of document control, but it isn’t a bulletproof security measure. Developers must understand both the strengths and limitations of PDF encryption and permissions.
If you’re using Nutrient SDKs, implementing these protections is easy — just remember that for truly sensitive data, additional security measures outside the PDF specification might be necessary.
For a real-world example of how organizations leverage Nutrient’s encryption and permissions capabilities, check out the Mobile Helix case study.
Need a deep-dive into securing your PDFs? Check out Nutrient’s comprehensive guides and learn how to implement robust document protection in your applications.
FAQ
What is the difference between a user password and an owner password?
A user password is needed to open and view a PDF document. An owner password restricts actions like printing, editing, or copying content.
Can PDF permissions be bypassed?
Yes. While most PDF viewers honor permissions, some software can ignore them, meaning permissions should not be solely relied upon for security.
Is PDF password protection considered secure?
PDF password protection using AES encryption is strong for access control, but permission restrictions aren’t enforceable at a cryptographic level.
Does setting a user password automatically encrypt a PDF?
Yes. Setting a user password encrypts the PDF file using the specified encryption strength (128-bit or 256-bit AES).
Which Nutrient SDKs support password protection?
Password protection is supported across the Web SDK, the iOS SDK, the Android SDK, Document Engine, and SharePoint integrations.