Most people are familiar with the standard “open” password. We use open passwords all day to access online accounts. In fact, you might encounter password blocks so often that you cringe about reading an entire blog post about them! But if you care to probe the nooks and crannies of nuanced PDF file protection, keep reading.
A PDF file can also have an open password. We open a PDF file, a box pops up, and we can’t see the content until you type the secret code. But behind the scenes, PDF security has a second, more specialized layer: the Owner Password (also known as the Permissions Password).
If the User Password is the key to the front door, the Owner Password is the “Admin” access to the building’s controls.
One PDF, Two Keys
So, every secured PDF can have two distinct passwords assigned to it. Understanding the difference is crucial for document security and workflow management.
- The User Password (Document Open Password) controls access. If this is set, no one can view the content without it.
- The Owner Password (Permissions Password) controls capabilities. Even if a user can open and read the file, the Owner Password dictates what they are allowed to do with it.
Just because you have a User Password and can open a file, doesn’t mean you necessarily have full access to the file (unless you’re a cheater).
The Owner Password protects the “Master” version of the file. You can share the document freely, knowing that the “User” experience is restricted to viewing only, while you retain the power to unlock the full features whenever necessary.
Owner Password + Permission Flags
The Owner Password is used by document creators to protect the integrity and intellectual property of their work. When you set an Owner Password, you can toggle specific restrictions on or off:
- Printing: You can block printing entirely or limit it to low-resolution only by choosing to block only “Hi-Res print.”
- Copying: This prevents users from highlighting text or images and copying them to their clipboard.
- Modify: You can lock the text so it cannot be altered.
- Assembly/Page Manipulation: This prevents users from rotating, inserting, or deleting pages within the document.
- Annotation/Form Annotation: Maybe disallow users to sign the document, highlight text, add sticky notes, or provide feedback without risking the integrity of the original content. Keep in mind your stamp is technically an annotation so blocking this might help prevent users removing the stamp – but it depends on the PDF writing library.
- Form Filling: This allows users to interact with the document by typing into text fields, selecting dropdown options, or checking boxes without granting them permission to alter the actual design or text of the PDF. You can also specifically enable or disable the ability for users to digitally sign the document, which is essential for contracts and official applications. If your application requires formal digital signatures (not just typing a name in a box), you often have to allow Annotations as well, as signatures are technically a type of annotation.
Here’s more information from PDF Ink documentation about how to set these PDF document permissions.
Example use of Permissions Blocking
For most business use cases (like sending an invoice or a contract), we’d usually use this combination:
- Allow: Printing, Accessibility (Extract), and Form Filling.
- Block: Content Copying and Modification.
This ensures the document is useful and accessible but protected from “accidental” edits to the fine print.
How the Security Works (and Its Limitations)
When you apply an Owner Password, the PDF is encrypted. To change these settings later, you must provide the Owner Password.
However, it is important to understand a bit of “peer-to-peer” truth: Owner Password security is only as strong as the software used to view the PDF. Standard viewers like Adobe Acrobat or Microsoft Edge respect these “flags” and will gray out the print or copy buttons. However, some third-party PDF “removers” or specialized viewers simply ignore these permission flags because they aren’t required to decrypt the actual text—only to enforce the rules. If you need 100% foolproof security where the user cannot see the content at all without authorization, you must use a User Password.
Best Practices & Considerations
A PDF Must “Show up Unlocked” to PDF Ink
Everything starts with an unlocked (no Owner Password, or password provided) file.
In order for the free parsers included with PDF Ink to parse your PDF file, it must be unlocked (unencrypted). This candidate file will have no owner password and no user password. An exception to this rule is possible if you are using a paid, upgraded PDF parser like FPDI PDF-Parser or SetaPDF-Stamper, which allow you to submit an owner password for the PDF so it can be un-encrypted.
If you upload a PDF with a User Password or File Protections (copy/print/modify/etc blocked) to PDF Ink, remember — that file is encrypted! PDF Ink will not be able to read/parse it until it is unencrypted. In the meantime, you will only see an error.
Always Store the Master Key (Owner Password)
If you are generating thousands of PDFs programmatically, you might not want to use a unique, random string for every file unless you are storing that string in a database. In the PDF Ink “Owner Password” settings you can save a strong owner password that will be applied to all your PDFs. If you care to, you can occasionally update that password. If you want to set a unique password per order, using an order number and maybe the customer’s name, you could use a filter hook to set the password:
function filter_pdf_owner_password( $owner_password, $settings ) {
// $settings['uid'] will likely be an order ID, which you can get data from
// return altered $owner_password; this is a crude example
return md5( $settings['uid'] );
}
add_filter( 'pdfink_filter_owner_password', 'filter_pdf_owner_password' );Keep track of your owner passwords — PDF Ink does not do that for you unless you have set one in the PDF Ink settings. In that case they will be stored encrypted in your WP database.
If your PDF files have a password and you KNOW the owner password, they can still be handled using FPDI PDF-Parser or SetaPDF-Stamper (two upgraded parsers available for PDF Ink). Usually if a PDF is passworded (user) it cannot be opened by a PDF parser like FPDI or TCPDI. If you provide FPDI PDF-Parser or SetaPDF-Stamper the owner password (PDF Ink will do that for you), the file can be opened for manipulation, then re-locked using the same owner password.
Risk of Losing the Owner Password
If a customer needs to legitimately edit a document later, and you’ve lost the unique owner password, that PDF is effectively “frozen” forever.
Don’t Break Accessibility
One of the most common mistakes is disabling the “Extract” or “Content Extraction for Accessibility” flag.
- The Consequence: If you disable this, screen readers for the visually impaired will be unable to read the document aloud. That’s not nice.
- The Fix: Don’t include
extractin your restriction array unless absolutely necessary.
Encryption Levels Matter
PDF Ink allows 40-bit RC4 encryption, but we don’t necessarily recommend it. RC4 might be easier on your server, but it is no longer considered secure. 40-bit encryption can be cracked in seconds by modern computers
Always aim for AES-128 or AES-256 if you have robust hosting and your server can handle the heavy load of applying encryption (not to mention fonts, graphics, and maybe HTML) to your PDF.
While no permission flag is 100% unhackable, AES encryption makes it exponentially harder for automated tools to tamper with your document. In otherwords, the permissions settings aren’t really enforceable, but if the document is well-encrypted, they cannot be removed.
Side note: Don’t assume your chosen library set handles the ‘boring’ stuff like version numbers. If you are applying modern AES-256 encryption to an older PDF (version <1.7), SetaPDF will automatically upgrade the file version for you, whereas TCPDF might require you to manually ensure the output is set to PDF 1.7 to avoid viewer errors. FPDI spares you the pain since it does not offer AES encryption.
“Honor System” Reality Check
It is crucial to explain to clients that Owner Passwords are an advisory lock, not an unbreakable vault.
Well-behaved PDF viewers (Adobe Acrobat, Chrome, Firefox) will honor the “No Printing” or “No Copying” flags. However, many open-source viewers and “PDF Password Remover” websites simply ignore these metadata flags. If the user can open the file, they technically have the data.
“Setting an owner password is like putting a ‘Please Don’t Touch’ sign on a museum exhibit. Most people will follow the rules, but if someone really wants to touch it, the sign won’t physically stop their hand. For a real ‘Do Not Touch’ policy, you need a glass case—and in the PDF world, that’s a User Password.”
Use permission flags for workflow control, but use a User Password if the data is truly classified. This keeps users out of the file entirely unless they have the password.