Encryption & Security
TerraPDF supports PDF encryption through the PDF Standard Security Handler, defaulting to AES-256 (Revision 6, PDF 2.0) with AES-128 (Revision 4, PDF 1.6) available as a legacy opt-in. Encrypted documents can require an open password, define an owner password for full access, and restrict common actions such as printing, copying, editing, form filling, accessibility extraction, and page assembly.
No external package is required. Encryption is implemented with System.Security.Cryptography.
Quick Start
using TerraPDF.Core;
using TerraPDF.Helpers;
Document.Create(container =>
{
container.Encrypt(new EncryptionOptions
{
UserPassword = "open123",
OwnerPassword = "admin456",
Permissions = PdfPermissions.Print | PdfPermissions.CopyText
});
container.Page(page =>
{
page.Size(PageSize.A4);
page.Margin(2, Unit.Centimetre);
page.Content()
.Text("This PDF is password-protected.")
.Bold()
.FontSize(18);
});
})
.PublishPdf("protected.pdf");
Encryption Options
| Property | Type | Description |
|---|---|---|
UserPassword |
string? |
Password required to open the document. Leave empty for no open prompt while still encrypting content and applying permissions. |
OwnerPassword |
string? |
Password that grants full access regardless of permission restrictions. |
Permissions |
PdfPermissions |
Bitwise permission flags applied for normal users. Defaults to All. |
Algorithm |
EncryptionAlgorithm |
Aes256 (default) or Aes128 (legacy). See Choosing an Algorithm below. |
Choosing an Algorithm
As of TerraPDF 1.4.0, container.Encrypt(...) produces AES-256 output by default — Standard Security Handler Revision 6, SHA-2 key derivation, and PDF 2.0 output. This is supported by every mainstream viewer since roughly 2008 (Acrobat 9+, Chrome, Edge, Firefox, Preview, and others).
If you need to support a very old or restricted PDF reader that only understands PDF 1.6-era encryption, opt back into AES-128 (Revision 4) explicitly:
container.Encrypt(new EncryptionOptions
{
UserPassword = "open123",
OwnerPassword = "admin456",
Permissions = PdfPermissions.All,
Algorithm = EncryptionAlgorithm.Aes128
});
Upgrading from 1.3.x? If your code calls
container.Encrypt(...)without settingAlgorithm, it now produces AES-256/PDF 2.0 output instead of the previous AES-128/PDF 1.6 output. SetAlgorithm = EncryptionAlgorithm.Aes128if you need to keep the old behavior.
Permission Flags
Combine flags with the bitwise OR operator:
PdfPermissions.Print | PdfPermissions.CopyText
| Flag | Allows |
|---|---|
PdfPermissions.Print |
High-quality printing |
PdfPermissions.PrintLowResolution |
Low-resolution printing |
PdfPermissions.ModifyContents |
Editing document contents |
PdfPermissions.CopyText |
Copying or extracting text and graphics |
PdfPermissions.ModifyAnnotations |
Adding or modifying annotations and form fields |
PdfPermissions.FillForms |
Filling interactive form fields |
PdfPermissions.ExtractForAccessibility |
Extraction for screen readers |
PdfPermissions.AssembleDocument |
Inserting, rotating, or deleting pages |
PdfPermissions.All |
All permissions granted |
PdfPermissions.None |
View-only access |
Common Patterns
View Only
container.Encrypt(new EncryptionOptions
{
UserPassword = "readonly",
Permissions = PdfPermissions.None
});
Open Without Password, Restrict Copying
container.Encrypt(new EncryptionOptions
{
OwnerPassword = "admin",
Permissions = PdfPermissions.Print
});
Encrypt and Allow Everything
container.Encrypt(new EncryptionOptions
{
UserPassword = "open",
Permissions = PdfPermissions.All
});
Technical Notes
- By default, encrypted output uses AES-256 (Revision 6) and is emitted as PDF 2.0. Setting
Algorithm = EncryptionAlgorithm.Aes128produces PDF 1.6 output using Revision 4, the minimum version required for AES encryption. - Page content streams, image XObjects, document metadata, bookmark titles, and hyperlink URIs are all encrypted — nothing is left as plaintext inside an encrypted document.
- The
/Encryptdictionary, cross-reference data, trailer, stream lengths, and PDF header remain unencrypted as required by the PDF specification. - Each encrypted object receives its own key derived from the file encryption key and object identity — SHA-2 based derivation for AES-256, MD5-based derivation for the legacy AES-128 mode.
Call container.Encrypt(options) once inside the Document.Create callback before publishing. If called more than once, the latest settings replace the previous settings.