An auditor wants proof that the financial PDFs you sent last quarter were encrypted. You vaguely remember adding passwords. Are they real encryption or just access flags? Here's how to find out in under a minute.
Method 1: try to open without the password
The cheapest test. If the file opens straight away in any viewer with no password prompt, it's not encrypted at the open level — at most it has restrictions on printing or editing.
If the viewer demands a password, encryption is in play. That alone is reassuring, though it doesn't tell you what cipher.
Method 2: check document properties
In Acrobat, open File → Properties → Security. You'll see the Security Method (Password Security, Certificate Security, or None) and the Encryption Level (AES-128, AES-256, RC4-128).
In macOS Preview, open the Inspector (Cmd-I). In Edge or Chrome, document properties are accessible via the print dialog. Anything reporting 'RC4' should be re-encrypted — that cipher is from the 1990s and is no longer considered safe.
Method 3: re-encrypt if in doubt
If you can't tell, or the file uses an old cipher, run it through Flint's password tool to apply modern AES-256 encryption. You'll need the old password to do this (because the file has to be opened first).
For batches of legacy files, re-encrypting is a one-pass job. Cheaper than explaining to compliance why the 2014 records are still on RC4.
FAQ
Can a PDF be 'protected' without being encrypted?
Yes. Some restrictions (no printing, no copying) can be set without encrypting the content. Most viewers honour them, but a determined attacker can strip them in seconds.
What does 'No Security' in document properties mean?
The file is not encrypted at all. Anyone with access can open and read it.
Should I worry about RC4-encrypted PDFs?
Yes. RC4 with a 40-bit key is breakable in minutes; 128-bit RC4 is degraded. Re-encrypt with AES-256 if the content still matters.
Does a digital signature count as encryption?
No. Signatures prove integrity and authorship; they don't encrypt content. You can have a signed-but-unencrypted PDF that anyone can read.
If you're not sure, assume not. Encrypt the file properly and stop guessing.