Skip to content
reader.me

PDF encryption explained: what AES-128 really protects

What it means to encrypt a PDF, how AES-128 works, the difference between an open password and permissions, and what password protection does and doesn't cover.

AG Antonia González · July 14, 2026 · 7 min read

You put a password on a PDF and the file feels safe now. But what did the password actually do? PDF encryption gets thrown around like a magic word, and most people never find out what it covers or where it stops. Here’s the plain version.

What “encrypting a PDF” means

A PDF is a container of objects: text, images, fonts, page layout. When you encrypt it, the bytes of that content get scrambled with a cipher, and the only way to read them back is with the right key. Open the file in a text editor before encryption and you can spot strings of readable content. Encrypt it and that same area turns into noise.

The password you type isn’t the key itself. The PDF format runs your password through a key-derivation step that produces the actual encryption key. That’s why a longer, less obvious password matters: the file is only as hard to crack as the password feeding the key.

AES-128 is the engine — and that’s the honest number

reader.me’s Protect PDF tool encrypts with AES-128. Not AES-256. We’d rather tell you the real number than print a bigger one on a banner.

AES stands for Advanced Encryption Standard, the cipher governments and banks settled on years ago. The 128 is the key length in bits. A 128-bit key has 2^128 possible values, which is a number so large that brute-forcing it isn’t a realistic attack with any hardware that exists. AES-256 uses a longer key, and people often assume that makes it “twice as safe.” It doesn’t work that way. AES-128 has no practical break. The weak point in a password-protected PDF is almost never the cipher. It’s the password.

If you want the deeper mechanics, the AES encryption glossary entry walks through key sizes and rounds without the marketing gloss.

So when someone hands you a PDF locked with a six-letter dictionary word, AES-256 wouldn’t save it. An attacker doesn’t attack the math. They guess the password. A long passphrase on AES-128 beats a weak password on AES-256 every time.

Open password vs permissions

PDF security comes in two flavors, and mixing them up leads to a false sense of safety.

An open password (sometimes called a user password) is the real lock. Without it, the file won’t open at all. The content stays encrypted on disk and nobody reads a word until the password is entered. This is the protection worth caring about.

A permissions password (the owner password) is different. The file opens for anyone, but it carries flags that ask the viewer to block printing, copying, or editing. The catch: those flags are requests, not walls. The document is technically readable, and plenty of software ignores the restrictions entirely. Permissions are a politeness layer. They keep an honest user from printing, but they won’t stop someone determined to extract the text.

So if your goal is to keep a document private, you want an open password. That’s what encrypts the content. Permissions alone leave the file readable to anything that chooses not to honor them.

What it protects, and what it doesn’t

Password protection with AES-128 does a specific job well. It makes the file useless to anyone who gets a copy but doesn’t have the password. Email gets forwarded to the wrong person, a USB stick goes missing, a shared drive is too open. In all of those, an encrypted PDF is a locked box. That’s real protection for an invoice, a contract, a medical record, or an ID scan.

What it doesn’t do:

  • It doesn’t protect a file that’s already open. Once someone types the password, the content is decrypted in memory and on screen. They can screenshot it, copy it, or save an unprotected copy.
  • It doesn’t hide that the file exists or its name, size, or metadata in some cases.
  • It doesn’t fix a weak password. Short or common passwords can be guessed offline, and no cipher rescues a bad one.
  • It doesn’t survive being shared with the password. If you email both in the same thread, you’ve locked the door and taped the key to it. Send the password through a separate channel, like a phone call.

And if a file lands on your desk already locked and you hold the password, you can remove it locally with Unlock PDF so the document is easier to work with, no upload involved.

It happens on your machine

Here’s the part that matters for a privacy-first tool. All of this encryption runs in your browser. Your PDF is read into memory, encrypted with AES-128 right there on your device, and written back out as a new locked file you download. It never gets sent to a server. The password never leaves your machine, because there’s nowhere for it to go.

That’s the whole point. The most private way to encrypt a document is to never let it travel in the first place. Lock it where it lives, then share the locked copy on your own terms.