DEV Community

Allen Yang
Allen Yang

Posted on

Encrypt and Decrypt PDF Documents Using Python

Encrypt and Decrypt PDF Documents Using Python

In enterprise document management and information security, protecting PDF documents is a critical concern. Whether it's contracts, financial reports, or internal technical documentation, encryption is needed to prevent unauthorized access and tampering. Manually setting passwords on each document is not only time-consuming but also difficult to integrate into automated workflows.

Python provides a programmatic approach to batch-encrypt and decrypt PDF documents. By controlling password settings, encryption algorithm selection, and permission assignment through code, document security policies can be standardized and embedded into existing document processing pipelines. This article covers how to implement PDF encryption, permission control, and decryption using Python.

Environment Setup

This article uses the Spire.PDF for Python library to work with PDF files. Install it via pip:

pip install Spire.PDF
Enter fullscreen mode Exit fullscreen mode

Import the required modules in your script:

from spire.pdf import *
Enter fullscreen mode Exit fullscreen mode

Core Concepts of PDF Encryption

Before writing any code, it's important to understand several key concepts in the PDF encryption system:

  • User Password: The password required to open the document. Once a user password is set, anyone without the password will be unable to view the document's contents.
  • Owner Password: The password that controls document permissions. Users with the owner password can modify the document's security settings and permissions.
  • Encryption Algorithm: PDF supports multiple encryption standards, including RC4 (40-bit and 128-bit), AES-128, and AES-256. The stronger the algorithm, the better the security.
  • Document Permissions: Controls whether users can perform specific operations on the document, such as printing, copying text, or filling out forms.

In Spire.PDF, all of these settings are managed through the PdfPasswordSecurityPolicy class.

Encrypt a PDF Using RC4

The most basic form of encryption involves setting both a user password and an owner password on the PDF. The following example uses the RC4-128 bit encryption algorithm and allows printing and form filling:

from spire.pdf import *

# Load the PDF document
doc = PdfDocument()
doc.LoadFromFile("input.pdf")

# Create a security policy with user and owner passwords
securityPolicy = PdfPasswordSecurityPolicy("open", "test")

# Set the encryption algorithm to RC4-128 bit
securityPolicy.EncryptionAlgorithm = PdfEncryptionAlgorithm.RC4_128

# Define document permissions: forbid all, then selectively enable
dp = PdfDocumentPrivilege.ForbidAll()
dp.AllowPrint = True
dp.AllowFillFormFields = True
securityPolicy.DocumentPrivilege = dp

# Apply the encryption policy
doc.Encrypt(securityPolicy)

# Save the document
doc.SaveToFile("Encrypted_RC4.pdf")
Enter fullscreen mode Exit fullscreen mode

The key logic in this code is the permission control section. ForbidAll() first sets all permissions to denied, then specific operations are enabled by setting AllowPrint and AllowFillFormFields to True. This "deny by default, grant selectively" approach is more secure than "allow by default, deny selectively," as it avoids accidentally leaving some permissions unblocked.

Increase Security with AES Encryption

AES (Advanced Encryption Standard) is a widely recognized encryption algorithm in the industry and offers stronger security than RC4. Spire.PDF supports both AES-128 and AES-256 key lengths:

from spire.pdf import *

# Load the PDF document
pdfDocument = PdfDocument()
pdfDocument.LoadFromFile("input.pdf")

# Create a security policy
securityPolicy = PdfPasswordSecurityPolicy("123456789", "M123456789")

# Use the AES-128 encryption algorithm
securityPolicy.EncryptionAlgorithm = PdfEncryptionAlgorithm.AES_128

# Forbid all permissions, allow printing only
securityPolicy.DocumentPrivilege = PdfDocumentPrivilege.ForbidAll()
securityPolicy.DocumentPrivilege.AllowPrint = True

# Encrypt and save
pdfDocument.Encrypt(securityPolicy)
pdfDocument.SaveToFile("Encrypted_AES128.pdf")
pdfDocument.Close()
Enter fullscreen mode Exit fullscreen mode

Note that AES encryption requires a user password of at least 8 characters. If the password is too short, the encryption operation may fail. In production environments, it is recommended to use strong passwords that include uppercase and lowercase letters, numbers, and special characters.

High-Level Encryption with AES-256

For documents containing sensitive business data or personal information, AES-256 provides the highest level of encryption protection:

from spire.pdf import *

doc = PdfDocument()
doc.LoadFromFile("input.pdf")

# No user password (left empty), owner password only
securityPolicy = PdfPasswordSecurityPolicy("", "test")

# Use AES-256 encryption
securityPolicy.EncryptionAlgorithm = PdfEncryptionAlgorithm.AES_256

# Set permissions: allow degraded printing and form filling
dp = PdfDocumentPrivilege.ForbidAll()
dp.AllowDegradedPrinting = True
dp.AllowFillFormFields = True
securityPolicy.DocumentPrivilege = dp

doc.Encrypt(securityPolicy)
doc.SaveToFile("Encrypted_AES256.pdf")
Enter fullscreen mode Exit fullscreen mode

There is a notable detail in this code: the user password is set to an empty string. This means anyone can open the document and view its contents, but the document's operational permissions (printing, copying, etc.) are protected by the owner password. This configuration is suitable for documents that need to be widely distributed but require restrictions on editing and copying.

The difference between AllowDegradedPrinting and AllowPrint is that degraded printing produces lower-resolution output, preventing high-quality document reproduction — ideal for protecting content that contains intellectual property.

Decrypt a PDF Document

Decryption requires knowledge of the owner password (or user password). Pass the password when loading the document, then call the Decrypt() method:

from spire.pdf import *

# Load the encrypted PDF using the owner password
doc = PdfDocument()
doc.LoadFromFile("Encrypted_RC4.pdf", "test")

# Decrypt the document
doc.Decrypt()

# Save as an unencrypted PDF
doc.SaveToFile("Decrypted.pdf")
Enter fullscreen mode Exit fullscreen mode

If the document was opened with the user password, the owner password must also be provided for decryption:

# Load using the user password
doc.LoadFromFile("Encrypted_RC4.pdf", "open")

# Pass the owner password to decrypt
doc.Decrypt("test")

doc.SaveToFile("Decrypted.pdf")
Enter fullscreen mode Exit fullscreen mode

Once decrypted, the PDF document will no longer be protected by any passwords or permissions and can be opened and edited normally.

Available Permissions at a Glance

PdfDocumentPrivilege provides a range of permission control options. Here are the commonly used permission properties:

  • AllowPrint: Allows high-quality printing
  • AllowDegradedPrinting: Allows degraded (low-resolution) printing
  • AllowCopy: Allows copying document content
  • AllowFillFormFields: Allows filling in form fields
  • AllowModifyContents: Allows modifying document content
  • AllowComment: Allows adding comments

By combining these permissions thoughtfully, you can create differentiated security policies for different document types. For example, reports distributed to clients can allow printing but prohibit copying; internal forms can allow filling but prevent other modifications.

Practical Tips

Choosing an encryption algorithm: RC4-128 offers good compatibility and is suitable for scenarios that require backward compatibility with older PDF readers. AES-128 is sufficient for most everyday needs. AES-256 is recommended for documents containing highly sensitive information. In scenarios where security requirements are not particularly strict, AES-128 is more than adequate.

Batch encryption: When you need to apply the same encryption to multiple PDFs in a folder, combine this with Python's os or pathlib module to iterate through files and apply a uniform security policy. Owner and user passwords can be managed via configuration files or environment variables to avoid hardcoding them in scripts.

Password management best practices: In real-world projects, passwords should not be written directly in source code. Use environment variables, configuration files, or key management services to store passwords and reduce the risk of credential exposure.

Conclusion

This article covered the complete approach to encrypting and decrypting PDF documents using Python, including the use of RC4, AES-128, and AES-256 encryption algorithms, as well as the configuration of user passwords, owner passwords, and document permissions. These capabilities have broad practical value in document security management, automated report generation, and content protection scenarios.

Combined with other Spire.PDF features such as watermarking, text replacement, and form handling, you can build more comprehensive document security automation solutions.

Top comments (0)