Password Protect a PDF Without Installing Anything

Why a native tool matters

Searching for how to password protect a PDF online produces a flood of results, and almost all of them send you to a web uploader. Most of those uploaders are reputable, but their security model is not what most people assume. Your unprotected PDF is transmitted across the internet, processed on somebody else's server, and held there until a retention timer expires. For a birthday invitation that is perfectly fine. For a tax return, a medical record, a signed contract, a passport scan, or an internal corporate memo, it is not.

A native tool keeps the file on your machine. The bytes never leave your hard drive. The encryption happens in a local process, the output is written locally, and the only network activity is whatever you happen to be doing otherwise in the background. That is the baseline privacy property you want when you are protecting a document that contains anything personally identifiable, financially sensitive, or legally material.

Native tools also save you from the recurring surprise of finding that a free online service has added a watermark, capped the page count, or converted your pristine vector PDF into a lossy rasterized copy. Preview, LibreOffice, and the command-line options all preserve the original PDF content byte for byte and only add the encryption layer.

macOS Preview

macOS has shipped Preview with every release since Mac OS X 10.0 in 2001. Since OS X Lion it has been able to encrypt PDFs, and since macOS Ventura the default algorithm has been AES-128. The workflow is fast enough to be genuinely usable day to day.

Open the PDF by double-clicking it. From the menu bar, choose File and then Export. The save dialog appears. Below the filename you will see a disclosure triangle labeled Show Details or Options. Expand it. A pair of checkboxes becomes visible: Encrypt and, on newer releases, Require password to copy text, images and other content. Tick Encrypt, type a password, confirm it, and click Save. The output file is a new PDF with the password requirement baked in.

Two subtle points are worth knowing. First, the Encrypt checkbox on older macOS versions uses RC4 rather than AES. Any Mac running Big Sur or later defaults to AES-128. If you are on High Sierra or earlier and the document is sensitive, prefer one of the other methods below. Second, Preview's encryption covers both opening and the permission flags. The single password it asks for serves double duty as the open password and the owner password, so recipients who can open the file can also print and copy from it. That is the same behaviour as most consumer tools.

Windows using Print to PDF and browser workflows

Windows 10 and Windows 11 both ship with a virtual printer called Microsoft Print to PDF. It can turn any document into a PDF, but it cannot add a password during the save. That is the gap most people run into. The native workaround is to chain two steps: print to PDF first, then encrypt the result with a separate native tool.

The most seamless option on Windows is to use your Chrome or Edge browser as the intermediate. Upload the PDF to Google Drive from your Google account in the browser, open it in the Drive preview, press Ctrl+P, pick Save as PDF, and in the dialog's advanced options there is no direct Encrypt toggle. For encryption you instead drop the file onto an online tool, which defeats the purpose. The browser-only workflow is therefore not sufficient by itself on Windows.

The realistic no-install Windows path is to write the PDF to an encrypted location rather than to the PDF itself. Windows includes BitLocker on Pro, Enterprise, and Education editions. You can create a small BitLocker-protected VHDX virtual disk, mount it, drop your PDFs inside, and hand the mounted disk image to the recipient with a separately shared password. The PDFs themselves remain unencrypted, but the container is AES-256 and the workflow uses only Windows components. This is the answer most Windows IT departments already use internally.

If a proper one-file-one-password solution is required and installing LibreOffice is acceptable, the LibreOffice method described next is dramatically simpler than anything Windows ships natively.

LibreOffice Draw (cross-platform)

LibreOffice Draw can open PDFs directly and re-export them. Its PDF export dialog has a Security tab with password protection and explicit restriction flags. The encryption is AES-256, the strongest option in the PDF specification. If LibreOffice is already on your machine this is the single best native option on any platform.

Open LibreOffice, choose File and Open, and point it at your PDF. Draw loads the file and shows it as an editable canvas. You do not need to edit anything. From the menu bar pick File and then Export As, then Export as PDF. A dialog appears with multiple tabs. Click Security. Tick Set Open Password, enter your password twice, and click OK. In the General tab confirm that the Range is set to All and press Export. Save the output. The result is an AES-256 encrypted PDF.

LibreOffice also exposes the separation between open password and permission password that the PDF specification was designed around. On the Security tab you can set an open password that blocks viewing, a permissions password that only restricts printing and copying, or both. Unlike Preview, the tool respects the difference. If you want a document that opens without a password but cannot be printed, LibreOffice is one of the few no-cost tools that can produce that configuration properly.

Google Drive and the save-through-print trick

Google Drive does not have a direct Encrypt PDF command. However, a clever workflow combines Drive's view with the Chrome browser's print-to-PDF feature and a third-party PDF processor that runs in-browser to produce an encrypted output. Because this introduces a third party, it is not strictly native and falls outside the scope of this article. The Drive-only options are limited to sharing with per-user permissions, which can be preferable to passwords when you know the recipient's Google account.

The legitimate no-install Drive path is to share the document to the specific Google accounts that need it, and to set the link access to Restricted. Anyone outside that list is blocked. That is a different security model than a password, but for recipients who already use Google Workspace it is arguably stronger. The key is held by Google and tied to a specific identity, rather than a shared secret that can leak.

Encryption strength comparison

For a deeper explanation of what these revisions mean internally, see how PDF encryption works. The short summary is that R4 and R6 both resist offline brute force when paired with a strong password, R3 is merely slow, and anything without an algorithm is not encryption at all.

Choosing a password that actually protects

A native tool is only as good as the password you feed it. AES-256 with a dictionary word or a pet's name is effectively unprotected because modern GPU hardware can test tens of millions of passwords per second against the relatively lightweight PDF key derivation. Our own recovery success rates show exactly how quickly weak passwords fall. For long-term protection, aim for a passphrase of at least four random words, or a randomly generated string of twelve or more characters that mixes classes.

Avoid date-based passwords for confidential files. Attackers who know who owns the document can guess birthdays, anniversaries, and join dates within seconds. Avoid including the recipient's name, which is often one of the first guesses any targeted attacker will try. A password manager such as the free Bitwarden, KeePassXC, or the one built into modern browsers will generate and store these passwords without forcing you to memorize them.

Finally, send the password through a different channel than the PDF. An encrypted PDF emailed together with its password in the body of the same message is equivalent to leaving a labeled key under the doormat. Use a phone call, a text message, or a separate chat platform to deliver the password.

Mobile devices: iOS and Android

On iOS and iPadOS the Files app pairs with Preview on macOS in an obvious way: open any PDF, tap Share, and then Print. In the print preview, pinch-zoom to expand a page to full screen. That gesture turns the print dialog into an interactive preview that can then be re-shared as a new PDF. Unfortunately, at no point in this chain does iOS offer an Encrypt option. The OS simply does not have a native PDF encryption feature. Workarounds involve third-party apps or the Shortcuts app, which can automate a LibreOffice-in-the-cloud routine if you have one set up. For strictly no-install iOS, the honest answer is to AirDrop the PDF to a nearby Mac and encrypt with Preview there.

On Android the situation is slightly better because Google Drive is assumed to be available. Open the PDF in Drive, but Drive itself still lacks a direct Encrypt button. The practical path on Android is to install Microsoft Office Mobile or WPS Office, both of which are free and both of which can export a PDF with a password. Pure native no-install Android encryption of PDFs is not available. If you are locked to native-only, you will have to mail the document to a desktop for the final step.

One underrated option on both platforms is to wrap the PDF inside an encrypted ZIP archive rather than encrypting the PDF itself. iOS Files and Android Files both ship ZIP tools, but neither one sets a password during creation. You need Keka on macOS or 7-Zip on the desktop for the actual encrypted ZIP. Once the ZIP exists, any mobile device can email it and any recipient can open it with the ZIP password on any platform. The PDF inside remains untouched.

Avoiding common pitfalls

The first and biggest pitfall is re-saving a password-protected PDF without its security and expecting it to remain encrypted. If Preview or LibreOffice opens an encrypted file, decrypts it for display, and then exports without re-applying the Encrypt option, the output file is completely unprotected. The source is still encrypted, but the new export is not. Always tick the Encrypt box every time you export, even when the original was encrypted.

The second pitfall is flattening. Native tools usually preserve the PDF structure, but if you route the file through Print to PDF as part of the encryption chain, you convert the vector PDF into a stream of rasterized pages. Text selection stops working, searchable content disappears, and file sizes balloon. For short documents that is acceptable. For a hundred-page technical report it is not. Use direct export whenever you can and reserve Print to PDF for the final one-off cases where no other tool is available.

The third pitfall is metadata. Preview's export preserves most metadata including author, creation date, and modification history. LibreOffice strips some of it but not all. If you are publishing a sensitive document to an external recipient, run the encrypted output through a metadata scrubber such as ExifTool or use the file's Properties panel in Acrobat to clear personal details. Encryption hides the content, but an unprotected author field on an encrypted document can still leak information about who produced it.

The fourth pitfall is forgetting the password yourself. If you pick a random twenty-character passphrase to encrypt a document you will need again in two years, store the password in a password manager before you close the file. Our own service exists precisely because people forget their own passwords regularly, but the easiest forgotten-password problem is the one you never have. A one-line note in a password manager takes five seconds and saves a lot of trouble later.