
AES-128 vs AES-256 for PDF Encryption: What the Difference Actually Means

May 9, 2026 · 8 min read

When you encrypt a PDF, your tool usually offers a choice between AES-128 and AES-256. Pick the bigger number and move on, right? Mostly yes, but the choice has more depth than the number suggests. Compatibility, performance, key derivation, and the threat model you are protecting against all play a role. This guide walks through the practical differences and when to pick which.

What AES is

AES, Advanced Encryption Standard, is the modern symmetric cipher used by nearly every system that encrypts data. It was standardized by NIST in 2001, replacing the older DES algorithm. AES is what protects HTTPS, Wi-Fi, full-disk encryption, and yes, PDF encryption.

The number after AES (128, 192, or 256) is the key length in bits. A longer key means more possible keys an attacker would need to try in a brute-force attack.

  • AES-128: 2^128 possible keys
  • AES-192: 2^192 possible keys (rare in practice)
  • AES-256: 2^256 possible keys

Both AES-128 and AES-256 are currently considered secure against brute-force attacks. The difference is the safety margin: AES-256 has a much larger margin against future advances in computing.

How PDF encryption uses AES

A PDF encryption header specifies the cipher and key length. When you set a password, the PDF tool:

  1. Derives a key from your password using a key-derivation function (KDF)
  2. Uses that key with AES to encrypt the PDF's content streams and metadata
  3. Stores some derived values (not the password itself) that allow the right password to decrypt

Two passwords can exist:

  • User password, required to open the file
  • Owner password, required to change permissions (like allowing printing or editing)

Both passwords flow through the same AES encryption. AES-256 in PDF was introduced in PDF 1.7 Extension Level 3 (around 2009) and is the default in PDF 2.0.

For background on the broader topic, see PDF encryption explained and how to password protect a PDF.

The compatibility story

This is the practical issue most users hit:

  • AES-128. Supported by every PDF reader since around 2003. Effectively universal.
  • AES-256. Supported by Acrobat 9+ (2008), Foxit 3+, modern macOS Preview, modern mobile readers. Some older readers, kiosk software, and embedded systems may fail to open the file.
  • AES-256 R6 (revision 6 of the encryption algorithm, introduced in PDF 2.0). Supported by Acrobat X+ and modern readers; older readers may not handle it.

For documents shared widely, AES-128 is the safest compatibility choice in 2026. For documents shared within a modern ecosystem (recipients on current Acrobat / Foxit / Preview), AES-256 is the security-best choice. The gap has been closing, and AES-256 should be the default for new documents.

The security difference in practice

AES-128 is "secure". AES-256 is "more secure". A practical attacker would not brute-force either key; they would attack the password.

Real-world PDF security breaks not by attacking AES but by attacking weak passwords. A 6-character password is brute-forced in seconds regardless of which AES variant protects it. A 20-character random password is effectively unbreakable even with AES-128.

What AES-256 protects against:

  • Future advances in cryptanalysis that might weaken AES-128
  • Quantum-computing speedups (Grover's algorithm halves effective key length, so AES-128 becomes "AES-64-equivalent" against quantum attacks while AES-256 remains "AES-128-equivalent")
  • Regulatory requirements that mandate AES-256 specifically

For most practical threat models, both variants are over-engineered relative to the password's strength. Use AES-256 by default; pick a strong password regardless.

Key derivation: the actual weak link

The key derivation function (KDF) matters more than the AES variant. PDF revisions use:

  • Revision 2 (PDF 1.4-1.6): MD5-based KDF with a fixed salt. Weak, fast for attackers.
  • Revision 3 and 4: MD5-based KDF with the file ID and document. Still relatively fast to brute-force.
  • Revision 5 and 6: SHA-256-based KDF with proper salting and many iterations. The right choice.

When you choose AES-256 in modern tools, you usually get Revision 5 or 6 by default. This is what actually protects you from password attacks.

Older AES-256 PDFs (around 2008-2010) used Revision 5, which was found to have a vulnerability and was deprecated in favor of Revision 6. Acrobat X and later default to Revision 6.
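
To check which revision a file actually ended up with (for instance after editing and re-saving it), the encryption dictionary can be read directly. The following is an added example, not code from this post or from any PDF tool. It assumes the trailer references an uncompressed /Encrypt object, and the sample inputs, function names and verdict strings are constructed for illustration.

```python
import re

# Crypt-filter method (/CFM) to cipher, per the ISO 32000 standard security handler.
CFM_CIPHER = {b"AESV3": "AES-256", b"AESV2": "AES-128", b"V2": "RC4"}
VERDICT = {6: "ok", 5: "deprecated revision 5: re-encrypt as revision 6"}

def _sample(v, r, cfm):
    """Constructed PDF fragment for the demo; not a complete, openable file."""
    return (b"%%PDF-1.7\n5 0 obj\n<< /Filter /Standard /V %d /R %d /CF << /StdCF "
            b"<< /CFM /%s >> >> /StmF /StdCF /StrF /StdCF >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%%%EOF\n" % (v, r, cfm))

SAMPLE_R6, SAMPLE_R4 = _sample(5, 6, b"AESV3"), _sample(4, 4, b"AESV2")
SAMPLE_PLAIN = b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"

def encrypt_dict(pdf):
    """Body of the object named by the last trailer /Encrypt reference, else None."""
    refs = re.findall(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if not refs:
        return None
    num, gen = refs[-1]  # the last reference wins after incremental updates
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj", pdf, re.S)
    return obj.group(1) if obj else None

def _int(d, key):
    m = re.search(rb"/" + key + rb"\s+(\d+)", d)
    return int(m.group(1)) if m else None

def audit(pdf):
    """Report handler version, revision and cipher, with a verdict per revision."""
    if b"/Encrypt" not in pdf:
        return {"encrypted": False, "verdict": "not encrypted"}
    d = encrypt_dict(pdf)
    if d is None:  # direct or compressed dictionary: report it rather than guess
        return {"encrypted": True, "verdict": "unparsed: run qpdf --show-encryption"}
    r = _int(d, b"R")
    cfm = re.search(rb"/CFM\s*/(\w+)", d)
    cipher = CFM_CIPHER.get(cfm.group(1), "unknown") if cfm else "RC4"  # no /CF: V 1-2
    legacy = "legacy MD5-based key derivation: re-encrypt" if r in (2, 3, 4) else "unknown"
    return {"encrypted": True, "V": _int(d, b"V"), "R": r, "cipher": cipher,
            "verdict": VERDICT.get(r, legacy)}

def downgraded(before, after):
    """True if a re-save lowered the revision or removed encryption."""
    return (audit(before).get("R") or 0) > (audit(after).get("R") or 0)

if __name__ == "__main__":
    for name, pdf in [("r6", SAMPLE_R6), ("r4", SAMPLE_R4), ("plain", SAMPLE_PLAIN)]:
        print(name, audit(pdf))
    print("downgraded:", downgraded(SAMPLE_R6, SAMPLE_R4))
```

An AES-128 file reports revision 4, which puts it in the MD5-based group above. For files this sketch reports as unparsed, qpdf --show-encryption input.pdf gives the authoritative answer.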

Performance

Both AES-128 and AES-256 are fast on modern hardware (AES-NI instructions on most CPUs). For a typical PDF:

  • Encryption time: milliseconds
  • Decryption time: milliseconds

You will not notice a performance difference between AES-128 and AES-256 in any realistic workflow. Pick based on security and compatibility, not speed.

Permissions and the owner password

Even with strong AES encryption, PDF's permissions system has historic weaknesses:

  • The user password controls who can open the file
  • The owner password controls who can change permissions (print, copy, edit)

A PDF can be "encrypted" with just an owner password and no user password. The file opens for anyone, but they cannot print or copy. This is a permissions feature, not strong encryption: most modern tools include a "Remove Restrictions" button that bypasses the owner password (the file is decrypted with a known empty user password, and the permissions field is then ignored).

For real protection of content from unauthorized viewing, always set a user password.

Choosing AES in tools

Adobe Acrobat Pro. File → Properties → Security → set Security Method: Password Security. In the dialog, choose "256-bit AES (PDF 1.7 or later)" for modern recipients, or "128-bit AES" for broader compatibility.

Foxit PDF Editor. Similar dialog with similar choices.

qpdf, CLI:

qpdf --encrypt user_pw owner_pw 256 -- input.pdf output.pdf

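The 256 specifies AES-256. Use 128 for AES-128. Passwords given as arguments end up in shell history and are visible in the process list while the command runs; on a shared machine, put the arguments in a file and pass it to qpdf as @file. See qpdf introduction.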

Ghostscript:

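gs -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -dEncryptionR=6 -dKeyLength=256 \
   -sUserPassword=user_pw -sOwnerPassword=owner_pw \
   -sOutputFile=encrypted.pdf input.pdf

-dEncryptionR=6 selects revision 6 (AES-256 with PDF 2.0-style KDF). -dBATCH and -dNOPAUSE make gs exit when the conversion finishes instead of waiting at its interactive prompt. See Ghostscript introduction.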

What encryption does not protect against

Encrypted PDFs protect content from unauthorized viewing. They do not protect against:

  • Screen captures. Someone can always photograph or screenshot the opened document.
  • Print and re-scan. A printed PDF leaves the encryption ecosystem entirely.
  • Recipient sharing. Anyone with the password can re-share.
  • Side-channel attacks. Sophisticated attackers might extract keys via timing or other channels (academic, not practical concerns).
  • Malicious readers. A compromised PDF reader can leak content even with strong encryption.

For high-confidentiality documents, encryption is one layer. See PDF and zero-trust document security for the broader posture.

Compatibility checklist

Before choosing AES-256 for a shared document, verify recipients can open it:

  • Adobe Reader DC and later: fine
  • Foxit Reader 3+: fine
  • macOS Preview (modern): fine
  • iOS Adobe Acrobat / Files app: fine
  • Android Adobe Acrobat: fine
  • Browser-based PDF viewers (Chrome, Firefox, Edge): fine
  • Older Acrobat (< 9): fails
  • Specialty industrial readers, kiosk software, certain embedded systems: verify

For documents going to known-modern recipients, AES-256 is safe. For documents going to a broad public, AES-128 is the conservative choice; AES-256 is the modern default and usually works.

Common gotchas

Mixed encryption in compound documents. Merging an AES-128 PDF with an AES-256 PDF produces inconsistent results. Standardize encryption before merging.

Re-saving an encrypted PDF can downgrade encryption. Some tools save modified PDFs at a lower encryption level than the original. Verify after editing.

Encryption invalidates signatures. A digitally-signed document cannot be re-encrypted without breaking the signature. Sign before encrypting, not after.

Permissions are advisory. PDF readers honor permissions on the honor system. A determined user with a Remove Restrictions tool ignores them. Do not rely on permissions for hard security.

Empty passwords. Some tools allow "no user password, owner-only encryption". The file is then trivially viewable. Always set a user password if you want viewing restricted.

Key compromise. If the password leaks, AES-256 becomes equivalent to no encryption for the leaker. Rotate passwords if compromise is suspected.

Password reset. There is no "I forgot the password" recovery for AES-256 PDFs. If the password is lost, the file is effectively gone. Plan for password storage in a secure system.

Stronger than AES: dedicated DRM

For workflows that need viewer restrictions, watermark embedding, expiration, and revocation, PDF encryption is not enough. Consider:

  • Adobe Experience Manager Forms
  • FileOpen
  • Locklizard
  • Vitrium

These are full DRM systems that extend beyond what PDF encryption can do.

Takeaway

For new PDFs in 2026, default to AES-256 with a strong password. Modern readers support it universally. Drop to AES-128 only if you have older recipients with old reader software. The key strength of either variant is irrelevant compared to the strength of your password. Invest in a 20+ character random password, store it in a password manager, and you have effectively unbreakable protection. For the broader context, see PDF encryption explained and how to password protect a PDF. For browser-based encryption alongside other operations, Docento.app supports password-protecting PDFs without installing tooling.
