Support PDF 2.0 Conversion and AES-256 Encryption for Password-Protected PDFs

Open Y0rkieQvQ opened this issue 7 months ago • 1 comments

Feature Description

Add functionality to convert PDFs to version 2.0 (ISO 32000-2) and support AES-256 encryption when adding passwords. The feature should allow users to select the PDF version (e.g., PDF 1.6 or 2.0) and encryption algorithm (e.g., AES-256) during the password protection process.

Why is this feature valuable?

Currently, the program (0.46.1) defaults to generating password-protected PDFs using 40-bit RC4 encryption, which is outdated and highly vulnerable to cracking (e.g., brute-force attacks can break it in minutes). This poses significant security risks for users handling sensitive documents. Enabling PDF 2.0 conversion and AES-256 encryption would:

  • Provide stronger, modern encryption standards (AES-256 is widely regarded as secure and suitable for sensitive data).
  • Improve compatibility with modern PDF readers that support PDF 1.6 or 2.0 standards.
  • Offer users flexibility to choose encryption levels and PDF versions, aligning with industry best practices (e.g., PDF 2.0’s enhanced security features).

Suggested Implementation

PDF Version Selection:

  • Add an option in the password protection dialog to select the output PDF version (e.g., PDF 1.6, PDF 1.7, or PDF 2.0).
  • Default to PDF 2.0 for new PDFs to ensure maximum compatibility and security.

Encryption Options:

  • Replace the default 40-bit RC4 encryption with AES-256 as the default for password-protected PDFs.
  • Include a dropdown or toggle in the password protection interface to select encryption algorithms (e.g., AES-128, AES-256, or legacy RC4 for compatibility).

User Interface: Provide a tooltip or help text explaining the security implications of each option (e.g., “AES-256 is recommended for high-security needs”).

Additional Information

No response

No Duplicate of the Feature

  • [x] I have verified that there are no existing feature requests similar to my request.

Y0rkieQvQ avatar May 12 '25 14:05 Y0rkieQvQ

Hi,

Thanks for the quick response. To clarify, when inspecting a PDF encrypted using the current "Add Password" feature with Get Info on PDF, the output shows:

  • IsEncrypted: true
  • EncryptionAlgorithm: Standard
  • KeyLength: 40

This suggests the encryption is using a 40-bit key with a "Standard" algorithm, which aligns with 40-bit RC4 rather than AES-256. I confirmed this in Adobe Acrobat, which explicitly displays the encryption as "40-bit RC4."

Additionally, there's a minor glitch with "Get Info on PDF." Occasionally, encrypted PDFs are reported as unencrypted, and permissions are incorrectly shown as all "allowed," even when restricted.

Y0rkieQvQ avatar May 12 '25 15:05 Y0rkieQvQ

Hi @Frooodle!

I've been thinking about this issue for a while and would love to take it on.

My initial idea is to reuse the existing "Encryption Key Length" dropdown (in Add-password UI) and extend it to include both the encryption algorithm (e.g. RC4, AES) and key length (e.g. 40-bit, 128-bit, 256-bit). This would avoid introducing a new UI element while still providing users with clear options.

However, I think that the label "Encryption Key Length" would not be technically accurate at that point. I’m happy to update the label to something like "Encryption Algorithm and Key Length" to reflect the change, though that would require front-end changes and updating translations. If preferred, I can leave the label as-is and include a tool-tip/info for clarity, but that would also need to be put into property files.

I can also see that it is not in backlog so if this is not planned at this moment I can look for something else. However, if this would be useful and is planned can you assign it to me?

Thanks!

balazs-szucs avatar Jun 13 '25 15:06 balazs-szucs

I don't think I want to complicate things with RC4 and AES 128 bit. I'd rather continue with RC4 40, 128 AES and 256 AES

I agree with ensuring 40 is not default

Making 128 or 256 default makes much more sense

Frooodle avatar Jun 13 '25 15:06 Frooodle

Got it! Thanks

Then I guess:

  • keep 3 options: RC4 (40-bit), AES (128-bit), AES (256-bit)
  • AES (128-bit) would be default
  • And keep the label

balazs-szucs avatar Jun 13 '25 16:06 balazs-szucs

Re-reading maybe I misunderstood: Keep options as 40, 128, 256 just update 128, 256 options to AES, or update options in front-end to RC4 and AES and the bit?

balazs-szucs avatar Jun 13 '25 16:06 balazs-szucs

So pdfbox in backend should already use rc4 for 40 bit and aes for rest

Frooodle avatar Jun 13 '25 16:06 Frooodle

So no change for anything

Frooodle avatar Jun 13 '25 16:06 Frooodle

When I checked in Adobe it says 128 RC4 for 128 bit.

I am running the latest release maybe this was changed recently. Sorry for not doing due-diligence.

balazs-szucs avatar Jun 13 '25 16:06 balazs-szucs

Strange indeed, now I passworded a PDF using SPDF and picked 256 bit, and Adobe still shows 128 bit RC4, not sure why. Anyways, sorry for the time-waste. I am probably missing some important detail :)

balazs-szucs avatar Jun 13 '25 16:06 balazs-szucs

Anyways, I will submit a PR for the default change and keep the back-end as is.

balazs-szucs avatar Jun 13 '25 16:06 balazs-szucs

Hmmm, that is interesting though. Certainly worth looking into, it could be pdfbox encryption is bugged. Regardless, I don't want to overcomplicate things for the user about encryption types, I'd rather just ensure we use the best version for each

Frooodle avatar Jun 13 '25 16:06 Frooodle

Sorry, my bad, the PDF I used was outdated. Created a fresh PDF (with a more modern tool), and it shows up right. It has to do with the fact that an older PDF, e.g. PDF 1.2 or something, is NOT compatible with AES. Hence the "bug" (as OP mentioned)

So this was on me, nothing wrong with the add password page/PDFBox, I just wasn't aware that I used an older PDF that does not support AES, and would default to RC4 regardless.

At least TIL something. Sorry for the time-waste once again.

balazs-szucs avatar Jun 13 '25 16:06 balazs-szucs
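
Added example, not part of the thread or of Stirling-PDF's code: the "Get Info on PDF" output and the Adobe readings discussed above can be cross-checked without a viewer by reading `/V`, `/Length` and `/CFM` from the file's `/Encrypt` dictionary, as ISO 32000 defines them. The byte-level regex scan, the function names and the sample fragments are constructed for illustration; an inline `/Encrypt` dictionary is reported as unknown rather than parsed.

```python
import re

def find_encrypt_dict(pdf: bytes):
    """Body of the /Encrypt object, b"" if present but unparsed, None if absent."""
    refs = re.findall(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if not refs:
        # Assumption: a direct (inline) dictionary is reported, not parsed.
        return b"" if re.search(rb"/Encrypt\s*<<", pdf) else None
    num, gen = refs[-1]  # the last trailer wins after incremental updates
    objs = re.findall(rb"(?<!\d)%s\s+%s\s+obj(.*?)endobj" % (num, gen), pdf, re.S)
    return objs[-1] if objs else b""

def _int(d: bytes, key: bytes, default: int) -> int:
    m = re.search(rb"/" + key + rb"\s+(\d+)", d)
    return int(m.group(1)) if m else default

def classify(pdf: bytes) -> str:
    d = find_encrypt_dict(pdf)
    if d is None:
        return "not encrypted"
    v = _int(d, b"V", 0)  # /V selects the algorithm family
    if v == 1:
        return "RC4 40-bit"
    if v == 2:
        return "RC4 %d-bit" % _int(d, b"Length", 40)
    m = re.search(rb"/CFM\s*/(\w+)", d)  # first crypt filter only
    cfm = m.group(1).decode() if m else "none"
    names = {"V2": "RC4 (crypt filter)", "AESV2": "AES 128-bit", "AESV3": "AES 256-bit"}
    return names.get(cfm, "unknown (V=%d, CFM=%s)" % (v, cfm))

def is_weak(pdf: bytes) -> bool:
    """True when the file is encrypted and AES could not be confirmed."""
    label = classify(pdf)
    return label != "not encrypted" and not label.startswith("AES")

def sample(enc: bytes) -> bytes:
    # Constructed fragment, not a complete PDF: one /Encrypt object plus a trailer.
    return (b"%PDF-1.7\n5 0 obj\n<< /Filter /Standard " + enc + b" >>\nendobj\n"
            b"trailer\n<< /Size 6 /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")

CF = b"/CF << /StdCF << /CFM /%s /Length %d >> >> /StmF /StdCF /StrF /StdCF"
SAMPLES = {
    "40": sample(b"/V 1 /R 2"),
    "128-rc4": sample(b"/V 2 /R 3 /Length 128"),
    "128-aes": sample(b"/V 4 /R 4 /Length 128 " + CF % (b"AESV2", 16)),
    "256-aes": sample(b"/V 5 /R 6 /Length 256 " + CF % (b"AESV3", 32)),
}
```

Calling `is_weak(open(path, "rb").read())` on the output of a password-protection step gives a pass/fail check that the file did not fall back to RC4.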