The Best Way to Encrypt a PDF: The Ultimate Guide to Offline Privacy
Sending an unencrypted PDF via email is like mailing a postcard with your bank details written on the back—anyone handling it can read it. While PDF documents are the standard for professional communication, they are inherently insecure by default.
The stakes are higher than most people realize. According to Check Point Research (2024), 68% of cyber attacks begin in the inbox. If you are sending contracts, invoices, or medical records without protection, you are leaving the digital door wide open.
Encryption solves this by scrambling your file so that it can only be turned back into a readable format with a specific key (password). However, not all encryption methods are created equal.
The best way to encrypt a PDF is always offline.
Many guides suggest using “free” online converters to lock your files. This is a dangerous mistake. When you upload a sensitive document to a website to encrypt it, you are handing your data to a third party before it is secured. This guide will walk you through how to protect your files locally, ensuring your private data never leaves your device until it is fully locked.
Why You Must Encrypt Sensitive PDFs (Real Risks)
It is easy to assume that data breaches only happen to massive corporations, but the reality is that individuals and small businesses are frequent targets because they often lack robust security protocols.
The financial consequences are staggering. The IBM Cost of a Data Breach Report (2024) indicates that the average breach now costs $4.88 million—a record high. While a freelancer or small firm won’t face a million-dollar loss, even a fraction of that damage can be devastating.
The Freelancer Scenario
Consider the case of “Mark,” a graphic designer. Mark operates a successful freelance business and regularly emails invoices to clients. Like many of us, he sent these as standard PDFs containing his bank routing number and home address.
When one of his client’s email accounts was compromised, hackers scanned the inbox for attachments. They found Mark’s invoice. Because the PDF was unencrypted, the attackers had immediate, clear-text access to his banking details. The result was an attempted ACH fraud that forced Mark to close his business accounts and spend months resolving identity theft issues.
The “Cloud” Risk
The method you use to encrypt matters as much as the encryption itself. If you use a cloud-based tool, you are relying on their security, not yours. An Entrust Study (2024) found that only 32% of organizations use their own keys for cloud data encryption. This means that for the majority of cloud services, the provider holds the keys to your data. If they are breached, your “secure” files are wide open.
Critical Concepts: Encryption vs. Permissions (Read This First)
Before we look at the tools, we need to address a major misunderstanding in PDF security: the difference between locking a file and restricting a file.
1. User Password (The Lock)
This is true encryption. When you set a “User Password” (also known as a “Document Open” password), the software scrambles the file’s contents using mathematical algorithms (usually AES-128 or AES-256). The file cannot be opened or viewed without the correct password. This is what you want.
2. Owner Password (The Sign)
This creates “Permissions.” It tells the PDF viewer, “Please do not allow printing or editing.” It does not encrypt the file data.
Here is the hard truth: Owner passwords offer false security.
As a security analyst from Locklizard notes, “PDF passwords are a lock that anyone with the key can permanently break.” Furthermore, if a file only has an Owner password, free software available on the web can remove these restrictions in seconds.
The Takeaway: If you want privacy, you must ensure you are setting a User Password backed by AES-256 encryption.
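To confirm that a tool really applied AES-256, the following added example (not from the original article or from any tool it names) reads a PDF's encryption dictionary and reports the declared cipher. It assumes the dictionary is referenced indirectly from the trailer; the function name and the sample fragments are constructed for illustration.

```python
import re

def describe_pdf_encryption(data: bytes) -> str:
    """Report the cipher declared in a PDF's encryption dictionary."""
    # The trailer (or xref-stream dictionary) points to the encryption
    # dictionary as "/Encrypt <obj> <gen> R"; no /Encrypt key means plaintext.
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if ref is None:
        if b"/Encrypt" in data:
            return "encrypted (inline dictionary, not parsed here)"
        return "not encrypted"
    pattern = rb"(?<!\d)%d\s+%d\s+obj(.*?)endobj" % (int(ref[1]), int(ref[2]))
    obj = re.search(pattern, data, re.S)
    if obj is None:
        return "encrypted (dictionary object not found)"
    body = obj[1]

    def number(key: bytes, default: int) -> int:
        m = re.search(rb"/" + key + rb"\s+(\d+)", body)
        return int(m[1]) if m else default

    version = number(b"V", 0)                 # /V selects the algorithm family
    cfm = re.search(rb"/CFM\s*/(\w+)", body)  # crypt filter method (V 4 and 5)
    method = cfm[1].decode() if cfm else ""
    if version == 5 and method == "AESV3":
        return "AES-256"
    if version == 4 and method == "AESV2":
        return "AES-128"
    if version == 4 and method == "V2":
        return "RC4 128-bit (weak)"
    if version == 2:
        return "RC4 %d-bit (weak)" % number(b"Length", 40)
    if version == 1:
        return "RC4 40-bit (weak)"
    return "unknown (V=%d, CFM=%s)" % (version, method or "none")

# Constructed fragments (not complete PDFs): only the trailer and the
# encryption dictionary, with /O and /U shortened to placeholders.
AES256_SAMPLE = (b"7 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 /P -1"
                 b" /CF << /StdCF << /CFM /AESV3 /Length 32 >> >>"
                 b" /StmF /StdCF /StrF /StdCF /O <00> /U <00> >>\nendobj\n"
                 b"trailer\n<< /Size 8 /Root 1 0 R /Encrypt 7 0 R >>\n")
RC4_SAMPLE = (b"5 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -1"
              b" /O <00> /U <00> >>\nendobj\n"
              b"trailer\n<< /Size 6 /Root 1 0 R /Encrypt 5 0 R >>\n")
PLAIN_SAMPLE = b"trailer\n<< /Size 4 /Root 1 0 R >>\n"
```

To check a real file, pass `open("invoice.pdf", "rb").read()` (a hypothetical filename) to the function. The verdict names the cipher only and does not show whether a User Password is set, so also confirm that a viewer prompts for the password when the file is opened.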
Method 1: The Best Way (Offline & Free Options)
The best way to encrypt a PDF is using tools that run entirely on your computer. This ensures your unencrypted file never travels across the internet.
For Mac Users (Built-in Preview)
Apple provides robust encryption tools natively within macOS. You do not need third-party software to secure your files.
- Open your PDF in Preview.
- Go to File > Export.
- Click the Permissions button (sometimes labeled “Encrypt”).
- Check the box for “Require password to open document.”
- Enter your password and click Save.
Pro Tip: This applies a User Password, encrypting the file so it cannot be viewed without the key.
For Windows Users (Microsoft Office & Open Source)
Windows does not have a native “right-click to encrypt” feature for PDFs, but you likely already have the tools you need.
Option A: Microsoft Word
If you created the document in Word, you can encrypt it upon export.
- Go to File > Export > Create PDF/XPS.
- Click the Options button in the save dialog.
- Check “Encrypt the document with a password” at the bottom.
- Click OK, enter your password, and save.
Option B: PDFEncrypt (Open Source)
For existing PDFs, we recommend using verified open-source tools rather than “freeware” that might include adware. PDFEncrypt is a free, open-source utility designed specifically for this purpose. It runs locally, uses standard AES encryption, and doesn’t require an internet connection.
The “Wrapper” Method (7-Zip)
Sometimes, the most secure way to send a PDF isn’t to encrypt the PDF itself, but to put it inside an encrypted container. This is ideal if you need to send multiple files at once.
- Download and install 7-Zip (free and open-source).
- Right-click your PDF (or folder of PDFs).
- Select 7-Zip > Add to archive…
- In the Encryption section on the right, enter your password.
- Crucial Step: Set the “Encryption method” to AES-256.
- Click OK.
You now have a .7z or .zip file protected with AES-256 encryption. Even if the PDF inside has no password, no one can reach it without unlocking the container first.
Method 2: The Professional Standard (Adobe Acrobat)
If you work in a corporate environment, you may already have access to Adobe Acrobat Pro. While it requires a subscription, it remains the industry standard for document management.
According to AV-Comparatives (2024), 68.9% of users prefer paid commercial solutions, largely due to the granular control they offer. Acrobat allows you to set both User and Owner passwords simultaneously.
How to use it:
- Open the PDF in Acrobat Pro.
- Select the Protect tool from the right-hand bar.
- Click Encrypt > Encrypt with Password.
- Check “Require a password to open the document” (This is the encryption).
- Select “Compatible with Acrobat X and later” to ensure you are using 256-bit AES encryption.
Note: While effective, this method is expensive for casual users. The offline methods listed in Method 1 offer the same level of encryption mathematics (AES-256) for free.
What to AVOID: The Danger of Online PDF Converters
If you search for “encrypt pdf” on Google, the top results are almost exclusively online converters (e.g., SmallPDF, iLovePDF). While these tools are convenient for compressing non-sensitive files, they are dangerous for private data.
The Legal Scenario
Let’s look at “Sarah,” a family law attorney. She needed to password-protect a draft divorce settlement containing a client’s full financial history. In a rush, she uploaded the file to a “Free PDF Encryptor” website.
Two months later, that service suffered a data breach. Sarah’s client’s unencrypted data—which had been temporarily stored on the converter’s server to process the encryption—was leaked. Sarah now faces a bar complaint for failing to use a secure, offline encryption method.
Dr. Lena Patel, a cybersecurity analyst, explains the risk clearly: “You are essentially handing your unlocked document to a stranger to lock it for you.”
The Technical Risk
When you use an online tool, the process looks like this:
1. Upload: Your unencrypted file travels to their server.
2. Process: Their server creates a copy of your file to apply the password.
3. Download: You download the locked file.
Between steps 1 and 3, you have zero control over data retention policies. You don’t know if they delete the file immediately, keep it for 24 hours, or if their server is currently compromised. Never take that risk with financial or legal documents.
How to Share the Password Securely (The Missing Step)
You have successfully encrypted your PDF offline. You attach it to an email. Now, you need to give the recipient the password.
Do not email the password.
A cybersecurity specialist on Reddit recently noted that “Sending encrypted attachments is often an anti-pattern because users frequently email the password in the very next message.”
If a hacker has access to your email (or the recipient’s email), they will see two messages:
- “Attached is the secure file.”
- “Here is the password: BlueSky123”
The Solution: Out-of-Band Authentication
To be truly secure, you must use two different communication channels.
- Channel 1 (The File): Send the encrypted PDF via Email.
- Channel 2 (The Key): Send the password via a different platform.
Recommended “Key” Channels:
- Signal / WhatsApp: End-to-end encrypted messaging apps.
- SMS: Standard text message (better than email, as it requires compromising a phone and a computer simultaneously).
- Phone Call: Verbally dictate the password.
By separating the lock and the key, an attacker would need to compromise two completely different systems to access your data.
Frequently Asked Questions
Can I password protect a PDF for free on Windows without Adobe?
Yes. You can use Microsoft Word (Save as PDF > Options > Encrypt) if you are creating the document. For existing PDFs, you can use the open-source tool PDFEncrypt or use 7-Zip to place the PDF inside an encrypted archive.
What is the difference between User and Owner passwords?
A User Password is required to open and view the file; this encrypts the data. An Owner Password is required to change permissions (like printing or editing) but does not stop someone from viewing the file. For security, always use a User Password.
How do I remove a password if I forgot it?
If the file was encrypted with strong AES-256 security (a User Password), there is no way to retrieve it. This is by design. If it were easy to recover, the encryption would be useless. If it is only an Owner password, various removal tools can strip the restrictions.
Is it safe to email a password-protected PDF?
Yes, provided the password is strong and is not sent in the same email thread. Send the file via email and the password via a secure messenger or text.
Conclusion
Protecting your digital documents is no longer optional; it is a necessity for anyone handling financial, legal, or personal data.
The best way to encrypt a PDF is simple: keep it offline. By using built-in tools like Mac Preview or open-source software like 7-Zip, you ensure your data never touches a third-party server. Avoid the temptation of convenient cloud converters—the privacy trade-off simply isn’t worth it.
Finally, remember that encryption is only half the battle. Always use out-of-band authentication by sending your password through a separate channel.
For more on keeping your digital life secure, check out our guide on file security basics or learn how to manage your encryption keys in our password management guide.