Encrypt PDF documents in C# and VB.NET

With help of Docotic.Pdf library, you can encrypt PDF documents with either passwords or certificates.

The library encrypts protected documents using an encryption algorithm of your choice. The library supports RC4 40-bit, RC4 128-bit, AES 128-bit, and AES 256-bit encryption algorithms. You decide what permissions you want to grant to users of protected PDF files.

Protect PDF with passwords

Password-protected PDF documents have an owner and, optionally, user passwords. All PDF permissions are granted when someone opens a password-protected PDF file with the owner password. If a PDF document is opened with the user password or without a password at all, only "user" permissions are granted. For example, the author of the encrypted PDF file can disallow printing for "users" but the "owner" will still be able to print the document.

To produce a password-protected PDF document, create an instance of PdfStandardEncryptionHandler class and set it up as needed. Then assign the object to the EncryptionHandler property in the document save options. The library will use the handler to encrypt the PDF document while saving it.

The following code snippet shows how to create a password-protected PDF file in C#:

using (PdfDocument document = ...)
{
    var handler = new PdfStandardEncryptionHandler("owner", "user");
    handler.UserPermissions.Flags = PdfPermissionFlags.ModifyContents;
    document.SaveOptions.EncryptionHandler = handler;

    document.Save(outputFileName);
}

The code above uses "owner" for the owner password and "user" for the user password. PDF viewers will require a password to open the secured PDF file. This is because the user password is not null or an empty string.

If you want to have a secured PDF file but would like to allow anyone to open it without a password, then use null or an empty string for the user password.

Protect PDF with certificates in .NET

Any certificate-protected PDF document has a collection of recipients. The collection can contain any number of items. Each recipient describes a certificate that can be used to decrypt the secured PDF document. For each recipient, there are PDF access permissions specified. The permissions granted for the decrypted PDF document depend on the certificate used to unprotect the document.

Some access permissions allow all operations with the decrypted PDF file. Recipients with such permissions we call owners in Docotic.Pdf library. Regular recipients have limited permissions for the decrypted PDF document.

To create a certificate-protected document, start with creating an instance of PdfPublicKeyEncryptionHandler class. Constructors without a permissions parameter create an object with an owner recipient. Use constructors with the permissions parameter to get an encryption handler with a regular recipient.

You can add more owner recipients using AddOwner methods. Use AddRecipient methods to add regular recipients. You can add as many owners and regular recipients to the encryption handler, as needed.

Then instruct the library to use the handler while saving the document. For this, assign the object to the EncryptionHandler property in the document save options.

The following code shows how to create a certificate-protected PDF file in C#. The code prepares a handler with an owner and regular recipients. In both cases, certificates for the recipients are taken from the provided key stores.

using (PdfDocument document = ...)
{
    var handler = new PdfPublicKeyEncryptionHandler("owner-key-store.p12", "password");
    
    var permissions = new PdfPermissions();
    permissions.Flags = PdfPermissionFlags.FillFormFields | PdfPermissionFlags.PrintDocument;
    handler.AddRecipient("recipient-key-store.p12", "password", permissions);
    
    document.SaveOptions.EncryptionHandler = handler;

    document.Save(outputFileName);
}

Restrict editing of a PDF file

When encrypting a PDF document, it is required to set up permissions for users of the file. In other words, you must specify PDF permission to grant for the document opened with a user password or a certificate matching a regular recipient.

Docotic.Pdf library provides PdfPermissions class for user permissions. This class provides two ways to set up permissions. You can set up all permissions at once using the Flags property. The alternative is to use individual properties for each possible permission.

When creating a PdfStandardEncryptionHandler object, use the UserPermissions property to access the permissions. With a PdfPublicKeyEncryptionHandler object, use the PdfPermissions constructor. The rest of the setup is the same.

The following code shows how to setup PDF permissions in C#:

// By default, permissions objects allow everything.

// You can use the Flags property to grant only specific permissions.
var permisssions1 = new PdfPermissions();
permisssions1.Flags = PdfPermissionFlags.FillFormFields | PdfPermissionFlags.ModifyAnnotations;

// Or you can disable only those permissions you would like to deny. 
var permisssions2 = new PdfPermissions();
permisssions2.AssembleDocument = false;
permisssions2.CopyContents = false;
permisssions2.ExtractContents = false;
permisssions2.ModifyContents = false;
permisssions2.PrintDocument = false;
permisssions2.PrintFaithfulCopy = false;

// Or you can disable all permissions first and then enable only those
// permissions you would like to allow.
var permisssions3 = new PdfPermissions();
permisssions3.AllowEverything = false;
permisssions3.FillFormFields = true;
permisssions3.ModifyAnnotations = true;

// The permisssions1, permisssions2, and permisssions3 objects describe
// the same permissions at this point.

Encrypt PDF using AES-256 in .NET

Docotic.Pdf can encrypt PDF documents with AES-256. This encryption algorithm is the strongest supported by the library. Please note that not every PDF reader might support the algorithm.

After you created a PdfStandardEncryptionHandler or PdfPublicKeyEncryptionHandler object, use the Algorithm property to set up the encryption algorithm.

The following C# code shows how to protect a PDF document with passwords and encrypt it using AES-256:

using (var pdf = new PdfDocument())
{
    // ....

    PdfStandardEncryptionHandler handler = new PdfStandardEncryptionHandler("owner", "user");
    handler.Algorithm = PdfEncryptionAlgorithm.Aes256Bit;
    pdf.SaveOptions.EncryptionHandler = handler;

    pdf.Save("encrypted");
}

Encryption and PDF/A

It is not allowed to encrypt PDF/A files. The library throws an exception of PdfException type when you try to set up an encryption handler and turn on the produce PDF/A option in a document save options.

PDF/A in a Nutshell has advice on how to secure PDF/A files:

Users who wish to protect their PDF/A files must protect the storage location of these files. This can be achieved by implementing password protection for a folder or drive, for example.

Related resources