Add an opening password to your PDF. Pages are rasterized to ensure encryption.
Drop your PDF here
or click to select
Choose a fileFusionPDF adds AES-128 password protection to any PDF entirely in your browser using pdf-lib. Set a user password (required to open the file) and optionally an owner password (controls printing, copying, and editing). No file is ever uploaded, meaning the original unencrypted document never leaves your device. The PDF specification ISO 32000-2 defines AES-128 as the highest standard encryption for PDF files.
Drop your PDF into the upload area or click to select a file. The options panel appears once the file loads. Enter your password in the Password field, then confirm it in the second field to prevent typos. Choose a render quality setting: Medium is recommended for most documents, balancing file size and visual clarity. Click "Protect and download" to receive your encrypted PDF immediately.
The tool rasterizes each page to ensure full compatibility with the encryption layer. This means the output is a visually identical, image-based PDF with password protection applied. Processing takes a few seconds per page and runs entirely on your device.
A user password (also called an open password) prevents anyone from opening the document without knowing it. Recipients must enter this password every time they open the file. Use this when you want to restrict who can read the document at all.
An owner password (also called a permissions password) does not prevent the document from opening, but it restricts what the reader can do: printing, copying text, and editing are all lockable. The current implementation sets both passwords to the same value, protecting both access and permissions in a single step.
Most personal use cases only require a user password. Set a strong one and share it with intended recipients through a separate, secure channel, not in the same email as the document.
AES-128 (Advanced Encryption Standard with a 128-bit key) is the same encryption standard used by banking systems, government agencies, and military communications worldwide. The US National Institute of Standards and Technology (NIST) approved AES as the federal encryption standard in 2001, and it remains unbroken by any known attack when implemented correctly.
For a PDF protected with AES-128, a brute-force attack against a strong password is not computationally feasible with current hardware. The protection is only as strong as the password itself. A weak password like "1234" or the recipient's name negates the encryption entirely.
The encryption runs locally in your browser using JavaScript. No server receives your password, your document, or any derived cryptographic key.
The most practical approach is a passphrase: four or more random words strung together, such as "correct horse battery staple." This method, popularized by security researcher Bruce Schneier and widely cited in NIST guidelines (SP 800-63B), is both highly secure and easier to remember than a random string of characters.
Avoid using the filename, the recipient's name, your company name, or any word that appears in the document itself. Also avoid sequential numbers or keyboard patterns. If you need to share the password with the recipient, use a different channel from the one you're using to send the document. Sending both in the same email defeats the purpose of the protection.
If you need an unprotected copy of a PDF you encrypted, use the Unlock PDF tool. Enter the password you set and the tool returns a fully accessible, unencrypted copy. The same applies to PDFs others sent you, provided you know the password. There is no recovery mechanism for forgotten passwords, so keep a record of passwords you set for documents you'll need to access again.
Uploading a confidential PDF to a server for encryption means the unencrypted version passes through third-party infrastructure before you receive a protected copy back. Depending on the provider's data retention policies, that original file may be stored, logged, or backed up in an unencrypted state.
With browser-based encryption, the unencrypted document is read directly from your local storage into your browser's memory. The encrypted output is written back to your downloads folder. No network request carries your document or your password. For sensitive documents, including financial records, legal filings, and personal data, this approach is materially more private than server-side alternatives.
Read more in our guide to password protecting PDFs for free.