Setting a Password on a PDF File in Linux

Last updated: May 11, 2025

Reviewed by: Saajan Nagendra
Baeldung Pro – Linux – NPI EA (cat = Baeldung on Linux)
announcement - icon

Learn through the super-clean Baeldung Pro experience:

>> Membership and Baeldung Pro.

No ads, dark-mode and 6 months free of IntelliJ Idea Ultimate to start with.

1. Overview

We may want to lock a PDF document with a password for several reasons. For example, the data within the document might be confidential. Therefore, we don’t want unauthorized people to access and change the data in the document.

In this tutorial, we’ll discuss how to set passwords for PDF files.

2. Using pdftk

The first option is to use the pdftk tool. This tool has many capabilities such as merging PDF files, splitting PDF pages into new documents, and even repairing corrupted PDF documents. It’s also possible to set passwords for PDF documents using pdftk.

There are two types of passwords. The first one is the user password, which prevents unauthorized people from opening PDF documents. The other one is the owner password, which places certain restrictions on editing and copying PDF files.

We’ll set a user password for the PDF file, sample.pdf:

$ pdftk sample.pdf output sample_with_passwd.pdf user_pw secret_passwd
Warning: Using a password on the command line interface can be insecure.
Use the keyword PROMPT to supply a password via standard input instead.

Despite a warning, we’re successful in setting a password. The first argument of pdftk, sample.pdf, is the name of the input file. We specify the name of the output file using the output option. The name of the password-protected PDF file is sample_with_passwd.pdf.

The user_pw option is for specifying the user password. The user password in our example is secret_passwd. However, as the warning points out, using passwords on the command line isn’t secure. For example, passwords can be obtained using the history command. As the warning suggests, we can use the keyword PROMPT for setting the password:

$ pdftk sample.pdf output sample_with_passwd.pdf user_pw PROMPT
Please enter the user password to use on the output PDF.
   It can be empty, or have a maximum of 32 characters:

In this case, instead of entering the user password, we enter the keyword PROMPT, and pdftk prompts us to enter the password. The password isn’t a part of the arguments anymore. Therefore, this usage is more secure.

Let’s enter the same password:

$ pdftk sample.pdf output sample_with_passwd.pdf user_pw PROMPT
Please enter the user password to use on the output PDF.
   It can be empty, or have a maximum of 32 characters:
secret_passwd

It’s also possible to set the owner password using the owner_pw option. However, it must be different than the user password. Otherwise, pdftk gives an error.

Having set the user password, we’ll try to open it from the command line now. There are several options for opening a PDF file. Let’s use xdg-open:

$ xdg-open sample_with_passwd.pdf

We get a dialog box specifying that the document is locked and requires a password before it can be opened:

xdg-open asking for password

Therefore, we were successful in setting the user password for the PDF document.

3. Using qpdf

Another option to set a user password for PDF files is to use the qpdf tool. This tool reads the input PDF file, applies the transformations specified by the arguments to the file in memory, and saves the result to the specified output file.

We can use the –encrypt user-password owner-password key-length [options] in qpdf to generate an encrypted output file. The first “–“ indicates the start of the encryption options, and the second “–“ indicates the end:

$ qpdf --encrypt reader_passwd owner_passwd 256 -- sample.pdf sample_with_passwd.pdf

The first encryption option, reader_passwd in the above sample, is the user password, and the second encryption option is the owner password. Then, we pass the key length, which is 256 here. Lastly, we pass the name of the input PDF file that we want to encrypt and the encrypted output file we want qpdf to generate; sample.pdf and sample_with_passwd.pdf here.

The key-length parameter should be one of these three: 40, 128, and 256. When we set key length to 256, by default, qpdf uses the AES-based encryption format described in the PDF 2.0 specification. AES is a secure format; therefore, qpdf recommends using  a 256-bit key length. The 40-bit and the 128-bit encryption formats are insecure because they use the insecure RC4 encryption algorithm by default.

Now, let’s try to open the output PDF file using evince this time:

$ evince sample_with_passwd.pdf

We get the same dialog box specifying that the document is locked and requires a password before it can be opened, as expected.

4. Conclusion

In this article, we discussed how to set passwords for PDF files. First, we learned that we can use pdftk to set both user and owner passwords. Then, we saw that qpdf is another tool that we can use for setting user and owner passwords for PDF documents.