5 min read
By ScoutMyTool Editorial Team · Last updated: 2026-05-28
Introduction
I have password-protected a lot of PDFs on Mac, and the right answer almost always comes from a tool that is already on the machine: Preview’s Export → Encrypt covers the common case, the Print → Save as PDF dialog adds permissions controls, qpdf via Terminal handles batches, and a browser-local tool covers the case where you want a web-style workflow without uploading the file anywhere. None of these requires Adobe Acrobat. The mechanics are simple; what trips people up is choosing the right method, picking a strong-enough password, and sharing it safely with the recipient. This guide walks through each free method, when to use it, what its limits are, and the password discipline around it.
Free Mac methods at a glance
| Method | Cost | Pros | Cons |
|---|---|---|---|
| Preview → File → Export → Encrypt | Free (built-in) | No install; quick | Open-password only; basic options |
| Print → PDF → Save as PDF → Security | Free (built-in) | Open + permissions controls | A few extra clicks; same engine |
| Browser-local tool (ScoutMyTool) | Free; processes locally | Open + permissions; no install | Internet to load page |
| Adobe Acrobat (paid) | Subscription | Most options; certificate-based encryption | Paid; heavyweight |
| Terminal — qpdf (Homebrew) | Free (command line) | Scriptable; batch-friendly | CLI; one-time install |
| iWork (Pages/Numbers) export with password | Free (built-in) | Useful if source is iWork | Only for iWork-originated PDFs |
| Google Drive — no native PDF password | n/a | n/a | Not supported; use one of the above |
Step by step — the three best free paths
Path A — Preview Export (simplest)
- Open the PDF in Preview (the macOS default).
- File → Export…
- Tick Encrypt, set a strong password, confirm it.
- Choose a destination and Save. Preview writes a password-protected copy.
- Verify by opening the new file — it should prompt for the password.
Path B — Print → Save as PDF (permissions too)
- Open the document in any app (Preview, Word, Pages, browser).
- File → Print, then click the PDF dropdown at the bottom of the print sheet and pick Save as PDF…
- Click Security Options…
- Set an open password (required to view), and optionally an owner password with permissions toggles (allow printing, allow copying, allow editing).
- Save. The protected PDF is a new file.
Path C — Browser-local (no install, batch-friendly UI)
- Open the in-browser Protect PDF tool — it processes locally in your browser tab; the file never uploads.
- Pick the PDF, set a strong password, set permissions.
- Download the protected copy. Drag in another file to repeat.
- To remove a password later, use Unlock PDF with the owner-supplied password.
Path D — qpdf in Terminal (batch via CLI)
- Install once:
brew install qpdf(Homebrew required). - One file:
qpdf --encrypt "user-pass" "owner-pass" 256 -- input.pdf output.pdf - Many files: wrap that command in a for-loop over the folder.
- Avoid putting the password in shell history — read it into a variable first.
Pitfalls that undermine the protection
- Weak password. A 6-character lowercase password is not protection. Use a 14+-char pass-phrase.
- Password in the same email as the file. Send out of band.
- Password in the file name. Defeats the encryption.
- No master copy. Lose the password and you lose the document.
- Old PDF with RC4 encryption. Re-encrypt with AES-256 if you need real strength.
- Cloud-upload PDF-protect tool for sensitive material — defeats the purpose.
- Treating the open password as the only safeguard for highly-sensitive material. Use additional controls (encrypted disk, restricted shared drive).
Related reading and tools
- Redacting confidential PDFs: when redaction is the right answer, not encryption.
- Signing PDFs: the integrity/attestation counterpart to confidentiality.
- Combining multi-doc packages: when to protect the assembled package.
- Protect PDF: in-browser password protection.
- Unlock PDF: removing a password with the owner-supplied password.
- Compress PDF: pair with protection for delivery-ready files.
- All ScoutMyTool PDF tools: the full toolkit.
FAQ
- What does Mac Preview actually do when I password-protect a PDF?
- Preview applies PDF encryption to the file using a user (open) password. With recent macOS versions the underlying encryption is reasonable for everyday use, but Preview only exposes the open-password (you cannot open the document without entering it) — it does not expose the granular permissions options (no printing, no copying, no editing) that some workflows need. Open Preview, open the PDF, choose File → Export, tick Encrypt, set a password, save. The exported file is the password-protected copy. Keep the unprotected master separately; Preview saves a new file when you Export, so the original is unchanged unless you specifically overwrite it.
- How do I use the Print → Save as PDF method with security?
- macOS's system print dialog can save any document as a PDF and offers password options that are slightly more granular than Preview's Export. From any PDF (or any printable document), choose File → Print, click the PDF dropdown at the bottom of the dialog, and pick Save as PDF. In the save sheet, click Security Options — you can set an open password (required to view) and an owner password (required to change permissions), plus toggles for whether printing and copying are allowed. The protected PDF is saved as a new file. This is the most useful built-in path when you want permission controls in addition to an open password.
- How strong is the password protection?
- PDF password encryption is reasonably strong against casual access — a colleague who finds the file on a shared drive cannot open it without the password — but it is not unbeatable, and the practical strength depends on (a) the encryption algorithm version the writing tool used (modern PDFs use AES-256 or AES-128; older PDFs used RC4-128 which is now considered weak) and (b) the strength of your password. A 14-character pass-phrase with mixed character classes is effectively uncrackable in any practical sense against any consumer attack; a 6-character lowercase password is not. Treat PDF password protection as a "reasonable everyday lock" — use it freely for routine confidentiality, but do not rely on it as the only protection for highly-sensitive material.
- Can I batch-password-protect many PDFs at once?
- Yes, via Terminal with qpdf. Install qpdf via Homebrew (brew install qpdf), then use a one-liner to encrypt every PDF in a folder with the same password. The basic invocation is qpdf --encrypt user-password owner-password 256 -- input.pdf output.pdf for one file; wrap it in a small for-loop over a folder for the batch. This is exactly the case where the CLI shines over Preview: you do not want to click through Preview 200 times. Keep the password out of the shell history (use a variable read from input rather than typing it inline), and keep an unencrypted master copy of each input.
- What if I forget the password?
- Forgetting an open password is essentially permanent — that is what the encryption is for. There is no general unlock; password-recovery tools work by brute-force guessing and only succeed against weak passwords. Practical advice: (1) keep an unencrypted master copy of every PDF you encrypt, stored securely with the rest of your sensitive material; (2) store the password in a password manager (1Password, Bitwarden, the macOS Keychain) rather than on a sticky note or in the file name; (3) if you only need protection for the duration of an email-and-respond exchange, choose a memorable but strong pass-phrase you can communicate to the recipient out of band. Losing the password and losing the master copy at the same time is the failure mode to avoid.
- How do I share the password with the recipient safely?
- Send the password and the protected PDF on different channels — that is the entire point of the separation. If you email the PDF, send the password by text message, signal/Whatsapp, a phone call, or in person. Do not include the password in the same email as the file, and do not include it in the filename or document metadata. If you have to send by email-only, send the PDF in one email and the password in a separate email; this is weaker than out-of-band but better than including both in one place. For recurring relationships, agree a long-term shared pass-phrase out of band once, and then use it across multiple files without retransmitting.
- Is it safe to use an online tool to protect the PDF?
- It depends on the tool. Many online PDF-protect services upload your file to a server, apply the password there, and return the result; for confidential material that is exactly the wrong workflow. ScoutMyTool applies the password entirely in your browser tab — the PDF never leaves your machine — which gives you the convenience of a web tool with the privacy of a local operation. For any sensitive PDF, confirm before using that the tool processes locally.
Citations
- Wikipedia — “PDF — Security and signatures,” how PDF password protection works. en.wikipedia.org — PDF security
- Wikipedia — “Advanced Encryption Standard,” the AES algorithm modern PDF encryption uses. en.wikipedia.org/wiki/AES
- Wikipedia — “qpdf,” the open-source command-line PDF tool used in Path D. en.wikipedia.org/wiki/Qpdf
Protect a PDF in your browser — without uploading it
Apply a strong open password and granular permissions entirely in your browser with ScoutMyTool — the file never leaves your machine.
Open Protect PDF →