Documentation Index
Fetch the complete documentation index at: https://mintlify.com/apache/pdfbox/llms.txt
Use this file to discover all available pages before exploring further.
PDFBox provides two commands for managing PDF security: encrypt applies password-based or certificate-based encryption and sets access permissions, while decrypt removes encryption entirely so the document can be opened without a password. Both commands read and write standard PDF files.
PDF encryption requires the Bouncy Castle library on the classpath. The pdfbox-app standalone JAR bundles Bouncy Castle automatically. If you are using pdfbox-tools without the app JAR, add bcprov-jdk18on and bcpkix-jdk18on to your classpath.
Encrypt
The encrypt command protects a PDF with a standard password or an X.509 certificate. You can independently control eight access permissions. If no output file is specified, the input file is overwritten in place.Usage
java -jar pdfbox-app-3.0.0.jar encrypt -i <input.pdf> [options]
Options
| Option | Default | Description |
|---|
-i, --input | (required) | Path to the unencrypted input PDF |
-o, --output | (in-place) | Path for the encrypted output PDF; overwrites input if omitted |
-O | (none) | Owner password (ignored when -certFile is set) |
-U | (none) | User password (ignored when -certFile is set) |
-certFile | (none) | Path to an X.509 certificate file for public-key encryption; repeat for multiple recipients |
-keyLength | 256 | Encryption key length in bits: 40, 128, or 256 |
-canAssemble | true | Allow document assembly |
-canExtractContent | true | Allow content extraction |
-canExtractForAccessibility | true | Allow extraction for accessibility tools |
-canFillInForm | true | Allow form fill-in |
-canModify | true | Allow document modification |
-canModifyAnnotations | true | Allow annotation modification |
-canPrint | true | Allow printing |
-canPrintFaithful | true | Allow high-quality (faithful) printing |
Examples
Encrypt with an owner and user password using 256-bit AES (default):java -jar pdfbox-app-3.0.0.jar encrypt \
-i document.pdf -o document-enc.pdf \
-O ownerpass -U userpass
java -jar pdfbox-app-3.0.0.jar encrypt \
-i document.pdf -o readonly.pdf \
-O ownerpass -U userpass \
-canPrint false -canModify false -canPrintFaithful false
java -jar pdfbox-app-3.0.0.jar encrypt \
-i document.pdf -o document-enc.pdf \
-certFile recipient.crt
Decrypt
The decrypt command removes all security from an encrypted PDF. You must supply the owner password; the user password alone is not sufficient. For certificate-encrypted PDFs, provide the keystore and optional alias. If no output file is specified, the input is overwritten.Usage
java -jar pdfbox-app-3.0.0.jar decrypt -i <input.pdf> [options]
Options
| Option | Default | Description |
|---|
-i, --input | (required) | Path to the encrypted PDF |
-o, --output | (in-place) | Path for the decrypted output PDF; overwrites input if omitted |
-password | (none) | Owner password for the PDF, or the password for the certificate keystore |
-keyStore | (none) | Path to the keystore holding the certificate used to encrypt the document (certificate PDFs only) |
-alias | (none) | Alias of the certificate entry within the keystore |
Examples
Decrypt a password-protected PDF and write to a new file:java -jar pdfbox-app-3.0.0.jar decrypt \
-i protected.pdf -o open.pdf -password ownerpass
java -jar pdfbox-app-3.0.0.jar decrypt -i protected.pdf -password ownerpass
java -jar pdfbox-app-3.0.0.jar decrypt \
-i cert-protected.pdf -o open.pdf \
-keyStore recipient.p12 -alias mykey -password keystorepass
