How-to guides/Security & Encryption

Add a user or owner password to a PDF in Rust

Protect a PDF with a password so readers must enter it to open the file, or set an owner password to restrict editing.

rust
use pdfluent::{PdfDocument, EncryptionOptions};

fn main() -> pdfluent::Result<()> {
    let mut doc = PdfDocument::open("report.pdf")?;

    // User password: required to open the file
    // Owner password: required to change permissions
    let opts = EncryptionOptions::aes256("owner-pw-123", "user-pw-456");
    doc.encrypt(opts)?;

    doc.save("report-protected.pdf")?;
    println!("Password protection applied.");
    Ok(())
}
Install:cargo add pdfluentDownload SDK →

Step by step

1

Add PDFluent with encryption support

The encryption feature includes AES-128 and AES-256 support.

rust
# Cargo.toml
[dependencies]
pdfluent = { version = "0.9", features = ["encryption"] }
2

Open the source document

Open the PDF you want to protect. If it is already encrypted, open it with the current owner password first.

rust
use pdfluent::PdfDocument;

let mut doc = PdfDocument::open("report.pdf")?;
3

Configure AES-256 encryption

The first argument to aes256() is the owner password. The second is the user password. Set the user password to an empty string to allow opening without a password while still restricting permissions.

rust
use pdfluent::EncryptionOptions;

// Both passwords set - readers must enter user-pw to open
let opts = EncryptionOptions::aes256("owner-pw-123", "user-pw-456");

// Owner password only - file opens without a password, but editing is restricted
let opts = EncryptionOptions::aes256("owner-pw-123", "");
4

Apply the encryption and save

doc.encrypt() modifies the in-memory document. The protection is written to disk on save.

rust
doc.encrypt(opts)?;
doc.save("report-protected.pdf")?;
println!("Saved report-protected.pdf");
5

Verify the password is set

Re-open the saved file and confirm it requires a password.

rust
let result = PdfDocument::open("report-protected.pdf");
match result {
    Err(pdfluent::Error::PasswordRequired) => {
        println!("Correct: file requires a password to open.");
    }
    Ok(_) => println!("Warning: file opened without password."),
    Err(e) => eprintln!("Unexpected error: {}", e),
}

Notes and tips

  • AES-256 is supported by all PDF readers released after 2010. For maximum compatibility with very old readers, use EncryptionOptions::aes128 instead.
  • An empty user password means the PDF opens without a password prompt but is still encrypted. Permission flags are enforced by compliant readers.
  • Store the owner password securely. Without it, you cannot change or remove the encryption later. PDFluent cannot crack or bypass PDF encryption.
  • Password strength matters. A PDF with a short or common user password provides minimal protection against brute-force attacks.

Why PDFluent for this

Pure Rust

No JVM, no runtime, no DLL dependencies. Ships as a single native binary or WASM module.

Memory safe

Rust's ownership model prevents buffer overflows and use-after-free. No segfaults in PDF parsing.

Runs anywhere

Same code runs server-side, in Docker, on AWS Lambda, on Cloudflare Workers, or in the browser via WASM.

Frequently asked questions

Download PDFluentPDF security overview