
PDF Encryption Explained: AES-128 vs AES-256 and What Actually Matters

Most PDF password prompts hide one of four cryptographic standards. Here's what each one actually protects against, and which one you need.

By PDF Genie Editorial Team

7 min read · 1,323 words

Reviewed by the PDF Genie editorial team.

The last twenty-five years of PDF encryption have been a quiet arms race most users never noticed. You open a protected file, you type a password, it works or it does not. But behind that prompt the document is using one of four different cryptographic schemes, each with a different security posture, and which one it uses depends on which version of the PDF spec the author's software targeted. Sometimes it matters. Sometimes it does not. This post explains how to tell the difference.

PDF encryption is also almost universally misunderstood in one specific way — people assume "password-protected" means one thing, when in fact the PDF spec defines two separate password types that do very different jobs. We cover that below, along with how to check the encryption of any file in your possession and when the 128-versus-256 decision is worth caring about.

A quick history of PDF encryption

Each jump in the spec brought a different cipher. Here is the rough timeline, with the corresponding spec version in parentheses:

  • RC4 40-bit (PDF 1.1, 1996). Breakable on a modern laptop in under an hour. Still encountered in very old archived files.
  • RC4 128-bit (PDF 1.4, 2001). Much stronger, but RC4 itself is now considered cryptographically broken for any serious use. Microsoft, Google, and most browsers deprecated RC4 for TLS around 2015.
  • AES-128 (PDF 1.6, 2004). First use of AES in the PDF standard. The block cipher is modern and well-studied; the PDF-specific key-derivation around it was the weak point for a while.
  • AES-256 (PDF 1.7 Extension 3, 2008, then revised). Present-generation encryption. Used with a revised key-derivation function in PDF 2.0 (ISO 32000-2, 2020) that fixed earlier issues.
If a file is more than a few years old and was encrypted at the time, it is likely using RC4 or AES-128. Files produced by recent versions of Acrobat, Word, or a properly configured server-side tool since roughly 2017 default to AES-256.

What "128" and "256" actually mean

The number is the length, in bits, of the secret key the algorithm uses to scramble the document. AES-128 uses a 128-bit key; AES-256 uses a 256-bit key. Both are variants of the same underlying cipher, standardized by NIST as FIPS 197 in 2001 and used everywhere from TLS to full-disk encryption.

A 128-bit key has 2^128 possible values — roughly 3.4 x 10^38. A 256-bit key has 2^256, or 1.15 x 10^77. The difference is not "twice as strong." It is an exponential gap so vast that a classical brute-force attack against AES-128 is already infeasible with any plausible amount of energy, and AES-256 buys additional headroom against future hardware and against quantum attacks, which (in theory) halve the effective key length.

For practical purposes: both are unbreakable by brute force with present technology. The weak link in a PDF is never the cipher. It is almost always the password.

User password vs owner password

This is the single most under-appreciated fact about PDF security. Every encrypted PDF can carry two passwords, with different meanings:

  • User password (sometimes called the "open password"). Required to open and view the file at all. Without it, the PDF is unreadable.
  • Owner password (sometimes called the "permissions password"). Does not block opening. Controls what you can do with the file once opened — print, extract text, annotate, edit.
A file can have either, both, or neither. The common consumer confusion: you set a password when saving a PDF, share it, and assume that password is what the recipient needs to view. Sometimes it is. But if the tool set it as the owner password only, the file opens with no prompt at all, and the "protection" is just a set of polite flags asking viewers not to let users print or copy. Those flags are advisory only: most PDF viewers honor them, but any halfway-serious tool can strip them in seconds. qpdf, the canonical command-line PDF manipulation tool, removes permission restrictions as a one-liner:
qpdf --decrypt input.pdf output.pdf

If your goal is to keep strangers from reading a document, the user password is what you want. Owner passwords are a soft restriction at best.

How to check what encryption a PDF uses

Three options, in order of convenience:

Adobe Acrobat Pro. File → Properties → Security tab. Shows the encryption method and key length explicitly — "AES 256-bit" or "RC4 128-bit" etc.

Command-line pdfinfo. Part of the Poppler toolkit (alongside pdftotext), available on every Linux distro and via Homebrew on macOS. Run pdfinfo yourfile.pdf and look for the Encrypted: line. It will report something like AES-256; the file's own encryption dictionary records the same scheme as V 5 R 6 (where V is the encryption version and R is the revision: V=5 R=6 means AES-256 with the revised PDF 2.0 key derivation).

qpdf. The most rigorous option. qpdf --show-encryption yourfile.pdf prints the full breakdown: algorithm, key length, which permissions are restricted, and whether user and owner passwords are set.

If you do not have any of these tools installed, the simplest heuristic: a PDF saved from recent Microsoft Office, Acrobat DC, or LibreOffice 7+ is almost certainly AES-256. A PDF from pre-2010 software is almost certainly RC4 or AES-128.
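Added example, not PDF Genie's code: a small Python script that reads the /V and /R values and the /P permission bits from a PDF's Standard encryption dictionary, which is the raw information that pdfinfo and qpdf --show-encryption summarize. The PDF skeleton is constructed inline with placeholder /O and /U values; the dictionary alone cannot tell you whether the user password is empty, since that needs the security handler's password validation algorithm.

```python
import re

# Constructed sample: the skeleton of a PDF 2.0 file whose trailer points at a
# Standard security handler dictionary (V 5 / R 6 = AES-256 with the hardened
# key derivation). /O, /U, /OE, /UE and /Perms hold placeholders, not real values.
SAMPLE_PDF = b"""%PDF-2.0
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj
<< /Filter /Standard /V 5 /R 6 /Length 256 /P -1084
   /CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >>
   /StmF /StdCF /StrF /StdCF /O <00> /U <00> /OE <00> /UE <00> /Perms <00> >>
endobj
trailer << /Root 1 0 R /Encrypt 3 0 R /ID [<01> <01>] >>
%%EOF
"""

# Permission bits of the /P entry (ISO 32000-1 Table 22); positions are 1-based.
PERMISSION_BITS = {3: "print", 4: "modify", 5: "copy/extract", 6: "annotate"}

def find_encrypt_dict(data: bytes):
    """Body of the indirect object holding the /Standard encryption dictionary, if any."""
    for m in re.finditer(rb"\d+\s+\d+\s+obj(.*?)endobj", data, re.S):
        if re.search(rb"/Filter\s*/Standard\b", m.group(1)):
            return m.group(1)
    return None  # not encrypted (or the dictionary is not in plain form)

def _int(d: bytes, key: bytes, default: int) -> int:
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", d)  # first hit = top-level entry
    return int(m.group(1)) if m else default

def describe_encryption(data: bytes):
    """Map /V and /R to the cipher and decode which /P permissions are withheld."""
    enc = find_encrypt_dict(data)
    if enc is None:
        return None
    v, r = _int(enc, b"V", 0), _int(enc, b"R", 2)
    cfm = re.search(rb"/CFM\s*/(\w+)", enc)
    cipher = "unknown"
    if v == 1:                    # PDF 1.1: RC4 with a fixed 40-bit key
        cipher = "RC4-40"
    elif v in (2, 3):             # PDF 1.4: RC4, key length in bits from /Length
        cipher = f"RC4-{_int(enc, b'Length', 40)}"
    elif v == 4:                  # PDF 1.6: crypt filters; /AESV2 = AES-128, /V2 = RC4-128
        cipher = "AES-128" if cfm and cfm.group(1) == b"AESV2" else "RC4-128"
    elif v == 5:                  # R 5 = Extension Level 3; R 6 = PDF 2.0 hardened KDF
        cipher = "AES-256"
    p = _int(enc, b"P", -1)       # negative: high bits set, as the spec requires
    denied = [n for bit, n in PERMISSION_BITS.items() if not (p >> (bit - 1)) & 1]
    return {"V": v, "R": r, "cipher": cipher, "hardened_kdf": v == 5 and r == 6, "denied": denied}
```

On the sample, print is allowed while modify, copy and annotate are withheld: exactly the owner-password-only "polite flags" situation described above.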

When does AES-256 actually matter

Honestly, rarely. For almost any civilian threat model — keeping a tax return away from a nosy coworker, sending a contract that should not be read by someone who finds the USB stick on the bus, storing medical paperwork on a shared computer — AES-128 is completely sufficient. The attacker would have to brute-force a key space of 3.4 x 10^38, and no currently existing adversary can do that.

AES-256 buys meaningful extra margin only in two scenarios:

  • Long-term secrecy against nation-state adversaries. If a document must remain secret for thirty years against a state-level cryptanalyst with access to special-purpose hardware (and, eventually, quantum machines), the extra key length is worth having.
  • Compliance requirements. Some regulated industries — defense contracting, certain financial frameworks, some healthcare regimes — require AES-256 by policy regardless of actual risk. If your compliance officer says AES-256, use AES-256.
For everything else, AES-128 with a strong password is fine, and AES-256 with a weak password is worse than AES-128 with a strong one. The cipher is not the limiting factor. A 12-character random password gives you 72 bits of entropy, which is already the binding constraint against any real attack — the cipher sits above that, unused.

What happens when you lose the password

Nothing good. With AES-128 or AES-256 and a properly random user password, the file is effectively unrecoverable. Commercial "password recovery" services exist and work on three categories of file:

  • Files with RC4 40-bit encryption. Trivially broken.
  • Files with weak, dictionary-level user passwords. Brute-forced against a wordlist, often in minutes.
  • Files where only the owner password is set. No real recovery needed — strip permissions with qpdf and move on.
For modern AES-128 or AES-256 with a genuinely random password, no commercial service can help, and none that claims otherwise is being honest. This is the point of strong encryption. Back up your passwords.

Honest caveats

PDF encryption's cryptographic primitives are strong, but the metadata around an encrypted file usually is not. The filename, size, page count, and in many cases some metadata fields remain visible even when the content is encrypted. If you are sending an encrypted file named lawsuit-against-acme-final-v3.pdf, the filename alone gives away more than most threat models want. Rename sensitive files and strip metadata before protecting them.

Our Protect PDF tool defaults to AES-256 where supported by the source file's target spec version. If you need to remove a password from a PDF you legitimately own, Unlock PDF handles user-password removal given the correct password and owner-permission stripping without one.

