PDF security myths debunked — encryption vs password vs DRM
By ScoutMyTool Editorial Team · Last updated: 2026-05-21
I once watched a colleague "redact" a contract by dragging black boxes over the sensitive clauses, email it to a counterparty, and feel genuinely safe about it — and I had to be the one to tell him the original text was sitting one copy-paste away underneath. That moment is why I keep coming back to this topic: PDF security is full of techniques that look protective and are not. Over the years I have learned which controls actually defend against which threats, and which are just theatre. In this guide I map the common myths against their realities and lay out the patterns that work for different threat models.
Common myths and the realities
| Myth | Reality |
|---|---|
| Adding a password makes the PDF secure | Depends entirely on the password type and the encryption algorithm; weak setups break in minutes |
| The "owner password" prevents copying and printing | Most modern PDF tools ignore owner-password restrictions; they are deterrent only |
| Black rectangle over sensitive text is a redaction | Underlying text is still in the content stream; select-copy beneath the rectangle reveals it |
| Once I delete content, it is gone | Edit history may persist in the file; only "Sanitise Document" or re-export truly removes it |
| PDF DRM prevents anyone from accessing my file | DRM works only when a compliant reader is used; bypasses exist; screenshot is always possible |
| AES-256 encryption is unbreakable | The algorithm is sound; the weak link is password strength and out-of-band password transmission |
| Password-protected PDFs are safe to email | Safe against opportunistic interception; not safe against attackers with the password or quantum-future risks |
Step by step — secure a PDF properly
- Decide what threat you are defending against. Casual interception by an unauthorised email recipient? Document forwarding by an authorised reader? Sophisticated targeted attack? The threat model determines which controls are sufficient.
- For routine business confidentiality: AES-256 user password with a strong 12+ character passphrase. Transmitted out of band (SMS or Signal for the password, email for the file). Treats opportunistic interception as the threat; sufficient for most cases.
- For sensitive content with PII: Add destructive redaction of PII first; then AES-256 with strong password; then metadata strip. Multiple layers because the threat model is more serious and each layer addresses a different failure mode.
- For high-stakes confidential (M&A, legal evidence, etc.): All of the above plus expiry-based sharing links rather than direct email; per-recipient watermarks for traceability; access logging on the storage system; consider DRM if the threat model includes determined post-disclosure leak.
- Verify your security choices. Test the password protection by trying to open in a different reader; test the redaction by attempting to select-copy the redacted region; test the metadata strip by inspecting File → Properties. The verification step catches the common implementation mistakes.
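One way to automate the redaction test from the last step, as an added example that is not part of the original article: it pulls the strings drawn by the Tj/TJ text operators out of each content stream and reports any term that should be gone. The two sample pages are constructed fragments (no xref table), and the extractor assumes literal strings in a single-byte encoding, so a clean result on a real file is necessary rather than sufficient.

```python
import re
import zlib

STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
SHOW = re.compile(rb"\[(.*?)\]\s*TJ|(\((?:\\.|[^\\()])*\))\s*Tj", re.S)
LITERAL = re.compile(rb"\(((?:\\.|[^\\()])*)\)", re.S)

def page_text(pdf: bytes) -> str:
    """Join every literal string shown by Tj/TJ operators in all streams."""
    shown = []
    for stream in STREAM.finditer(pdf):
        raw = stream.group(1)
        try:  # content streams are usually FlateDecode; otherwise use raw bytes
            data = zlib.decompressobj().decompress(raw)
        except zlib.error:
            data = raw
        for op in SHOW.finditer(data):
            operand = op.group(1) if op.group(2) is None else op.group(2)
            # TJ splits words into kerned fragments, so rejoin before matching
            parts = [re.sub(rb"\\(.)", rb"\1", s) for s in LITERAL.findall(operand)]
            shown.append(b"".join(parts).decode("latin-1"))
    return "\n".join(shown)

def residual_terms(pdf: bytes, must_be_gone: list[str]) -> list[str]:
    """Terms that are still recoverable from the page after 'redaction'."""
    text = page_text(pdf)
    return [term for term in must_be_gone if term in text]

def sample_page(content: bytes, annots: bytes = b"") -> bytes:
    """Constructed page fragment: one compressed content stream, optional /Annots."""
    body = zlib.compress(content)
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Page /Contents 2 0 R " + annots + b">>\nendobj\n"
    obj = b"2 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
    return head + obj + body + b"\nendstream\nendobj\n%%EOF\n"

# Constructed samples: the same line "redacted" two ways
BOXED = sample_page(b"BT /F1 12 Tf 72 700 Td [(SSN: 123-4) -15 (5-6789)] TJ ET",
                    b"/Annots [<< /Subtype /Square /Rect [70 695 200 715] /IC [0 0 0] >>] ")
BURNED = sample_page(b"BT /F1 12 Tf 72 700 Td (SSN: ) Tj ET 0 g 105 695 95 20 re f")

if __name__ == "__main__":
    for name, pdf in (("box annotation", BOXED), ("destructive", BURNED)):
        print(name, "->", residual_terms(pdf, ["123-45-6789"]) or "clean")
```

The box-annotation sample still yields the number even though the text is compressed and split across a kerned TJ array; the destructively redacted sample does not.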
What you cannot protect against
Three categories of threat that no PDF security technique addresses. First, screenshot of the open file — any user who can see the content can capture it. Watermarks deter casual screenshot redistribution by making the source identifiable; they do not prevent the capture itself. Second, authorised-user-turned-attacker — a recipient with legitimate access can copy, paraphrase, or share the content via any channel that does not include the PDF. DRM and access controls slow this but cannot prevent it. Third, compromised endpoints — if the recipient's machine is malware-infected, anything the recipient sees can be exfiltrated regardless of PDF controls. Endpoint security is a separate layer from document security.
The practical implication: PDF security is part of a broader security posture, not a substitute for it. Documents that are highly sensitive need both PDF-level controls and policy-level controls (who gets access, how access is logged, what happens after a leak). Treating PDF encryption as the whole answer leads to preventable failures; treating it as one layer among several is the working pattern.
Related reading
- PDF security guide: deeper coverage of encryption tiers.
- PDF redaction guide: true vs annotation redaction.
- Share PDFs securely: layered security for sensitive sharing.
- PDF security audit: organisational compliance checklist.
- Password-protect a PDF: practical AES-256 in 30 seconds.
FAQ
- What is the difference between "user password" and "owner password"?
- User password (also called "open password") is required to open the PDF — without it, no viewer can decrypt the content. The encryption is real and a strong user password with AES-256 is computationally infeasible to brute-force. Owner password (also called "permissions password") is supposed to restrict what the recipient can do after opening — block printing, copy-paste, modification. The owner-password restrictions are widely ignored: most modern PDF editors (Acrobat Pro, PDFsam, qpdf, even some free online tools) honour the restrictions only superficially and offer one-click bypass. Treat user password as actual security; treat owner password as a polite request that may or may not be respected.
- How weak is the "black rectangle" redaction myth?
- Devastatingly weak. Drawing a black rectangle annotation over sensitive text leaves the underlying text in the PDF content stream — the rectangle is an annotation layered above the text, not a replacement of the text. Anyone with Acrobat Pro, PDFsam, or any decent PDF parser can extract the original content. Multiple high-profile cases involved exactly this failure: the January 2019 Paul Manafort defense filing, whose box-drawn "redactions" were defeated by copy-pasting the text beneath them; Reality Winner 2017 NSA documents (printer tracking dots leaked source identity); various smaller cases of public records released with annotation-redactions that revealed names and SSNs. For real redaction, use destructive redaction tools (Acrobat Pro Apply Redactions, ScoutMyTool Redact PDF) that remove the underlying text, not just hide it.
- Is AES-256 truly unbreakable?
- The algorithm itself is currently considered cryptographically sound — no practical attack exists against properly-implemented AES-256. The weak links are elsewhere. First, password strength: AES-256 is only as strong as the password used to derive the key; a 6-character password is brute-forceable regardless of the underlying algorithm. Use 12+ character passwords with mixed character classes. Second, password transmission: emailing the password in the same channel as the encrypted file defeats the purpose. Third, key management: if the password is reused across many documents and one leaks, all encrypted documents are at risk. Fourth, future quantum-computing risks may eventually weaken AES; the timeline is unclear but a decade or more away.
- What about PDF DRM — Locklizard, Adobe Experience Manager, others?
- DRM platforms (Locklizard Safeguard, Adobe Experience Manager Forms / DRM, FileOpen) provide access controls beyond basic encryption — per-recipient permissions, expiry dates, view-count limits, prevention of printing and copying enforced at the reader level. Effective when: the recipient uses the DRM-compliant reader (often a vendor-specific viewer or plugin); the threat model is preventing accidental redistribution rather than determined attack. Ineffective when: the recipient screenshots the screen (no DRM prevents this); the recipient runs the file in a non-compliant viewer (sometimes possible); the underlying cryptography has implementation flaws. DRM raises the cost of unauthorised redistribution but does not make it impossible.
- What is the most-overlooked PDF security risk?
- Metadata leakage. PDFs carry author name, creation timestamps, software-used identifiers, and (in tagged or processed PDFs) edit history. These fields routinely identify the source of a document, the workflow it went through, or other contextual information the author did not intend to publish. Before publishing or sharing externally, strip metadata. Acrobat Pro: File → Properties → blank Author / Subject; Tools → Redact → Sanitize Document (this removes hidden metadata, edit history, scripts). ScoutMyTool PDF Metadata Editor: blank or replace each field, save. Command line: `exiftool -all= file.pdf`. The strip step takes 30 seconds and prevents the kind of leak that gets identified months later in adversarial analysis.
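A check for the "edit history may persist" row of the myth table and for the metadata strip above, as an added example that is not from the original article: a PDF saved with an incremental update keeps the earlier revision's bytes, so old Info values can outlive a strip. The samples are constructed fragments with xref tables omitted, and only literal-string Info fields are parsed.

```python
import re

# Literal-string Info fields only; hex/UTF-16 strings and XMP packets are out of scope
FIELD = re.compile(rb"/(Author|Creator|Producer|Title|Subject)\s*\(((?:\\.|[^\\()])*)\)")

def revisions(pdf: bytes) -> list[bytes]:
    """Byte ranges added by each save; every revision ends at a %%EOF marker."""
    # Note: linearized files also carry two %%EOF markers without any edit.
    parts, start = [], 0
    for marker in re.finditer(rb"%%EOF\r?\n?", pdf):
        parts.append(pdf[start:marker.end()])
        start = marker.end()
    return parts

def metadata_by_revision(pdf: bytes) -> list[dict[str, str]]:
    """Info fields found in each revision, oldest first."""
    return [{k.decode(): v.decode("latin-1") for k, v in FIELD.findall(rev)}
            for rev in revisions(pdf)]

def stale_metadata(pdf: bytes) -> dict[str, set[str]]:
    """Non-empty values still stored in earlier revisions but absent from the last one."""
    history = metadata_by_revision(pdf)
    stale: dict[str, set[str]] = {}
    for earlier in history[:-1]:
        for key, value in earlier.items():
            if value and value != history[-1].get(key):
                stale.setdefault(key, set()).add(value)
    return stale

# Constructed samples (author and producer names are made up)
ORIGINAL = (b"%PDF-1.7\n1 0 obj\n<< /Author (Jane Doe) /Producer (Constructed Writer 1.0) >>\n"
            b"endobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")
# "Stripped" by appending an update that redefines object 1; old bytes remain
APPENDED = ORIGINAL + (b"1 0 obj\n<< /Author () /Producer () >>\nendobj\n"
                       b"trailer\n<< /Info 1 0 R /Prev 0 >>\n%%EOF\n")
# Rewritten from scratch: only the final objects exist
REWRITTEN = (b"%PDF-1.7\n1 0 obj\n<< /Author () /Producer () >>\nendobj\n"
             b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print("appended :", stale_metadata(APPENDED))
    print("rewritten:", stale_metadata(REWRITTEN))
```

ExifTool's documentation states that its PDF edits are written as incremental updates, so the output of the command above is worth checking this way before release.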
Browser-based PDF security that works
ScoutMyTool Protect PDF, Redact PDF, and Metadata Editor all run client-side. Apply real security without uploading sensitive content to a third-party server.