Your firm's security review asks one question: are sensitive client PDFs encrypted with AES-256? You're not sure what to look for. The answer is in the tool you used to lock the file — and possibly in the version of PDF it produced.
What AES-256 actually is
AES — Advanced Encryption Standard — is a block cipher published by NIST in 2001. The number is the key size in bits. AES-256 uses a 256-bit key, giving roughly 10^77 possible keys. Even at trillions of guesses per second, the universe doesn't last long enough to brute-force one.
It's the same cipher used by governments for classified material, by HTTPS for the web, and by every serious encryption product on the planet.
Why it matters in PDFs
PDF 1.7 Extension 3 (which became part of PDF 2.0) introduced AES-256 as the strongest cipher PDFs can use. Older PDFs use AES-128 (acceptable) or RC4 (obsolete). When compliance teams ask 'is this PDF encrypted to modern standards', AES-256 is the answer they want.
Flint's password tool applies AES-256 by default — you don't need to pick a cipher manually.
Where AES-256 stops protecting you
The cipher is essentially unbreakable. The password isn't. AES-256 with a six-character password is no stronger than AES-128 with a six-character password — both fall to brute force in minutes.
AES-256 is the floor, not the ceiling. Pair it with a strong passphrase, a separate channel for sharing the password, and proper key management for it to actually mean something.
FAQ
Is AES-128 still safe for PDFs?
Yes for now. AES-128 is not broken and remains acceptable for most use cases. AES-256 is the safer choice for documents with multi-year lifetimes.
How can I check what cipher a PDF uses?
Open the file's document properties in any PDF viewer — Acrobat, Preview, or browser viewers usually show 'Security' details including the cipher and key length.
Does AES-256 slow down PDF opening?
Imperceptibly. Modern devices handle AES with dedicated hardware acceleration. The user experience is identical to AES-128.
Is AES-256 quantum-safe?
Reasonably. AES-256 is considered one of the more quantum-resistant symmetric ciphers. For documents protected for decades, watch the post-quantum cryptography standards space.
If your compliance checklist wants AES-256, Flint applies it by default.