PDF encryption explained
When you password-protect a PDF with an open password, the file is genuinely encrypted — scrambled so it's unreadable without the key. Here's what that means in practice.
From password to key
Your password isn't the encryption key directly. A key-derivation function (like PBKDF2) stretches it into a proper cryptographic key, deliberately running many thousands of iterations to make brute-force guessing slow. Modern PDFs use AES-256, a strong, widely trusted cipher.
What's protected — and what isn't
- Protected: the document's contents. Without the password, the bytes are meaningless.
- Not always protected: some metadata can be left readable depending on settings, and permissions restrictions (no printing/copying) rely on the reader cooperating.
Strength depends on the password
AES-256 is effectively unbreakable by brute force — but only if the password is. A weak password undoes strong encryption, because attackers guess the password, not the cipher. This is why passphrases matter.
Encrypt where the file lives
The safest encryption happens on your own machine, so the unencrypted document is never transmitted. FreshPDF uses the browser's built-in Web Crypto API (PBKDF2 + AES-256-GCM) to protect files locally — see client-side vs cloud for why that matters.
Put it into practice — free
Edit, sign, merge, redact, OCR and convert PDFs right in your browser. No upload, no account.
Open the FreshPDF app