Compliance asks if your customer onboarding PDFs are encrypted. You say yes — they have passwords. Are they encrypted? Yes. Are they encrypted *well*? Depends entirely on which version of PDF the tool produced.
A quick tour of what's actually happening when you put a password on a PDF.
Encryption vs password
These get used interchangeably but aren't the same thing. Encryption is the cipher that scrambles the bytes. The password is the input used to derive the key that drives the cipher. A PDF with a strong cipher and a weak password is still weak.
Modern PDFs use AES — Advanced Encryption Standard — usually with a 128-bit or 256-bit key. AES itself is essentially unbreakable with current technology. The attack is on the password.
AES-128 vs AES-256
AES-256 has a larger key and is the current standard. AES-128 isn't broken — it's still considered safe — but new tools default to 256. If you're producing PDFs for a regulated industry (legal, medical, finance), 256-bit is the box you want ticked on the audit.
Flint's password tool uses AES-256 by default, which is what you want.
What encryption doesn't protect
Encryption keeps the file's *contents* private. It does not prove who created it, prevent the recipient from taking a screenshot, stop someone from editing it after they decrypt it, or prove that the file hasn't been swapped for a different one.
For those things, you need a digital signature, a redaction pass for sensitive content, and proper access controls on where the file is stored.
Where PDF security commonly fails
Three places: weak passwords, passwords shared in the same channel as the file, and old PDFs that still use RC4-40 (an obsolete cipher from the 1990s). If you inherit old documents, re-encrypt them through a modern tool to upgrade the cipher.
Also: some PDF tools let you set a password without actually encrypting the content stream. Always test the locked file in a viewer that doesn't know the password. It should refuse to open.
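As an added example (not from the original article or from Flint), the following Python reads a PDF's /Encrypt dictionary and reports which cipher the file declares, flagging RC4 files for re-encryption, files with no encryption dictionary at all, and files that leave metadata in the clear. It is a byte-level heuristic rather than a full PDF parser; the function names, the `action` labels and the sample bytes are constructed for illustration.

```python
import re

def _balanced(buf: bytes, start: int) -> bytes:
    """Slice one << ... >> dictionary beginning at buf[start], honouring nesting."""
    depth = 0
    for m in re.finditer(rb"<<|>>", buf[start:]):
        depth += 1 if m.group() == b"<<" else -1
        if depth == 0:
            return buf[start:start + m.end()]
    return buf[start:]

def _encrypt_dict(pdf: bytes):
    """Return the raw /Encrypt dictionary, or None when the file has no such key."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref:  # usual layout: the trailer references an indirect object "N G obj"
        pat = rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj(.*?)endobj"
        obj = re.search(pat, pdf, re.S)
        return obj.group(1) if obj else b""
    inline = re.search(rb"/Encrypt\s*<<", pdf)  # dictionary written directly in the trailer
    return _balanced(pdf, inline.end() - 2) if inline else None

def audit_pdf_encryption(pdf: bytes) -> dict:
    """Classify the cipher from /V, /Length and /CFM of the standard security handler."""
    body = _encrypt_dict(pdf)
    if body is None:
        return {"encrypted": False, "cipher": None, "action": "no /Encrypt entry"}
    def num(key: bytes, default: int) -> int:
        m = re.search(rb"/" + key + rb"\s+(\d+)", body)
        return int(m.group(1)) if m else default
    v = num(b"V", 0)
    m = re.search(rb"/CFM\s*/(\w+)", body)
    cfm = m.group(1).decode() if m else None
    if v == 5 and cfm == "AESV3":
        cipher, action = "AES-256", "ok"
    elif v == 4 and cfm == "AESV2":
        cipher, action = "AES-128", "ok"
    elif v == 4 and cfm == "V2":
        cipher, action = "RC4", "re-encrypt"
    elif v in (1, 2):  # V1 is always 40-bit; V2 takes /Length (default 40)
        cipher, action = f"RC4-{40 if v == 1 else num(b'Length', 40)}", "re-encrypt"
    else:
        cipher, action = "unknown", "inspect manually"
    clear_meta = re.search(rb"/EncryptMetadata\s+false", body) is not None
    return {"encrypted": True, "cipher": cipher, "metadata_in_clear": clear_meta, "action": action}

# Constructed sample: fragment of a legacy file with a 40-bit RC4 handler.
LEGACY = b"4 0 obj\n<< /Filter /Standard /V 1 /R 2 /P -44 >>\nendobj\ntrailer\n<< /Encrypt 4 0 R >>"
if __name__ == "__main__":
    print(audit_pdf_encryption(LEGACY))
```

Feed it `open(path, "rb").read()` for each inherited file; it complements the viewer test rather than replacing it, since it only reports what the file declares.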
FAQ
Is AES-256 PDF encryption quantum-resistant?
Not fully. AES-256 is considered the most quantum-resistant of common symmetric ciphers, but post-quantum cryptography is an active field. For documents with multi-decade lifetimes, plan to re-encrypt as standards evolve.
Does PDF encryption protect metadata?
It depends. Standard PDF encryption can leave metadata (author, title, creation date) readable in some modes. If metadata is sensitive, strip it before encrypting.
Can encrypted PDFs be opened on a phone?
Yes, every mainstream PDF viewer on iOS and Android supports AES-encrypted PDFs. The recipient just enters the password to open.
What's the difference between encryption and a digital signature?
Encryption hides content. A digital signature proves authenticity and integrity. They solve different problems and are often layered together for sensitive documents.
Encryption is one layer of a sensible document policy. Lock your next sensitive PDF and pair it with a strong password.