How to Password Protect a PDF on Linux Using the Command Line
Linux users have access to some of the most powerful PDF security tools available anywhere — and most of them are completely free and open source. While Windows and macOS users often rely on browser-based or commercial tools to encrypt PDFs, Linux users can do the same job with greater control, higher performance, and zero cost using command-line utilities that are either pre-installed or available in standard package repositories. The three primary tools for password-protecting PDFs on Linux are qpdf, pdftk-java, and Ghostscript. Each has different strengths: qpdf is purpose-built for PDF transformation and offers the most precise control over encryption settings, pdftk has a long history in PDF automation workflows, and Ghostscript is the Swiss Army knife that handles compression, conversion, and security in one tool. This guide covers all three approaches in detail, explains the command syntax, and shows you how to apply both AES-256 encryption and permissions restrictions. It also covers batch processing for protecting dozens of PDFs at once, which is where command-line tools genuinely shine over graphical alternatives. If you prefer a browser-based approach, LazyPDF also works in Firefox on Linux with no installation required.
How to Protect a PDF with qpdf on Linux
qpdf is the recommended tool for PDF password protection on Linux. It is available in the repositories of all major distributions including Ubuntu, Debian, Fedora, Arch, and openSUSE. It is actively maintained, well-documented, and specifically designed for PDF transformation operations. qpdf supports AES-256 encryption (the strongest standard), both user password and owner password configuration, and fine-grained permissions control.
1. Install qpdf on your Linux distribution: run 'sudo apt install qpdf' on Ubuntu/Debian, 'sudo dnf install qpdf' on Fedora, or 'sudo pacman -S qpdf' on Arch Linux.
2. Apply AES-256 encryption with a user password: run 'qpdf --encrypt user-password owner-password 256 -- input.pdf output.pdf', replacing user-password and owner-password with your chosen passwords and the filenames accordingly.
3. Verify the encryption was applied correctly by running 'qpdf --show-encryption output.pdf' which will display the encryption type and permissions settings without requiring the password.
Using pdftk to Password Protect PDFs on Linux
pdftk (PDF Toolkit) has been a staple of Linux PDF workflows for many years. The original pdftk is no longer maintained, but pdftk-java (a Java-based reimplementation) is available in most distributions and provides the same command syntax. pdftk uses AES-128 encryption for password protection, which is secure enough for most use cases though not as strong as qpdf's AES-256.

Install pdftk-java on Ubuntu and Debian with 'sudo apt install pdftk'. On Fedora, you may need to download the package from the pdftk-java GitHub releases page.

The basic syntax for protecting a PDF with pdftk is:

    pdftk input.pdf output output.pdf owner_pw owner_password user_pw user_password encrypt_128bit

To apply restrictions without a user password (allowing opening but restricting actions), use:

    pdftk input.pdf output output.pdf owner_pw owner_password allow printing encrypt_128bit

pdftk supports permission flags including printing, DegradedPrinting, ModifyContents, Assembly, CopyContents, ScreenReaders, ModifyAnnotations, FillIn, and AllFeatures. Multiple permissions can be combined in a single command by listing them sequentially. pdftk is especially useful in shell scripts because it handles common errors gracefully and produces clear error messages when something goes wrong.
Using Ghostscript to Password Protect PDFs on Linux
Ghostscript is typically pre-installed on many Linux distributions and serves as the engine behind many PDF tools. Its PDF security syntax is more verbose than qpdf but it is always available in headless server environments where qpdf may not be installed.

The Ghostscript command for adding a password to a PDF is:

    gs -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress -sOwnerPassword=ownerpass -sUserPassword=userpass -dEncryptionR=3 -dKeyLength=128 -sOutputFile=output.pdf input.pdf

To use AES-256 encryption with Ghostscript, change -dEncryptionR=3 -dKeyLength=128 to -dEncryptionR=4 -dKeyLength=256.

Ghostscript also supports permissions flags through the -dPermissions parameter, which takes a numeric value representing a bitmask of allowed operations. For example, -dPermissions=3904 allows printing and reading while disabling copying and editing. While Ghostscript's permission bitmask notation is less readable than pdftk's named flags, the Ghostscript documentation includes a complete table of permission bit values.

Ghostscript is particularly valuable for automation pipelines and server-side PDF processing scripts because it is widely available and scriptable in nearly any language through subprocess calls.
Batch Processing: Protecting Multiple PDFs at Once
The real power of command-line PDF protection on Linux appears when you need to process many files at once. A simple bash loop using qpdf can protect an entire directory of PDFs in seconds:

    for f in *.pdf; do qpdf --encrypt 'user-pass' 'owner-pass' 256 -- "$f" "protected-$f"; done

This command iterates over all PDF files in the current directory, applies AES-256 encryption with the specified passwords, and saves each protected file with a 'protected-' prefix. For more sophisticated workflows, you can read passwords from a file, apply different passwords to each document, or integrate the protection step into a larger document processing pipeline.

xargs provides another approach for batch processing with parallel execution. Because find prints each file with its directory path, the output name has to be built from the directory and the base name. NUL-separated names keep paths with spaces intact, and the second -name test skips files the run has already written:

    find /path/to/pdfs -name '*.pdf' ! -name 'protected-*' -print0 | xargs -0 -P 4 -I {} sh -c 'qpdf --encrypt "pass" "ownerpass" 256 -- "$1" "$(dirname "$1")/protected-$(basename "$1")"' _ {}

The -P 4 flag runs four processes in parallel, significantly speeding up large batches on multi-core systems.

For enterprise automation where PDF protection is part of a document workflow, Python's PyPDF2 or pikepdf libraries (both wrapping qpdf) provide the most flexible approach, allowing per-document password generation, logging, and error handling.
A Browser-Based Alternative for Linux Users
Not every Linux user is comfortable with the command line, and even experienced terminal users sometimes want a quick graphical interface for a one-off PDF protection task. LazyPDF works in Firefox, Chromium, and Chrome on any Linux distribution. Since it processes files in the browser using JavaScript, there is nothing to install and no root permissions required. Navigate to lazy-pdf.com/en/protect in your Linux browser, upload your PDF, set a password, and download the AES-256 encrypted result. The browser-based approach is ideal for users who need to protect a single PDF without writing a shell command, for team members on Linux machines who are not comfortable with the terminal, or for situations where the command-line tools are not available — such as locked-down corporate Linux environments where package installation requires IT approval. The browser approach works seamlessly on Ubuntu, Fedora, Debian, Arch, Linux Mint, Pop!_OS, and any other distribution with a modern browser. For regular bulk workflows, the command-line tools covered above are more efficient. For occasional one-off tasks, the browser tool is faster to use with no setup overhead.
Frequently Asked Questions
Which is better for PDF encryption on Linux: qpdf or pdftk?
qpdf is generally preferred for new workflows because it supports AES-256 encryption (the strongest standard), is actively maintained, and has clearer command syntax. pdftk uses AES-128 encryption and is better suited for existing scripts that already use its syntax. For most users, qpdf is the right choice for PDF password protection on Linux.
How do I remove a password from a PDF on Linux?
With qpdf: run 'qpdf --password=yourpassword --decrypt input.pdf output.pdf'. This decrypts the file and saves an unprotected version. With pdftk: run 'pdftk input.pdf input_pw yourpassword output output.pdf'. Both commands create a new unencrypted file while leaving the original protected version unchanged.
Does Ghostscript support AES-256 for PDF encryption?
Yes. Use -dEncryptionR=4 -dKeyLength=256 parameters in your Ghostscript command to apply AES-256 encryption. The older parameters -dEncryptionR=3 -dKeyLength=128 apply AES-128. Ghostscript version 9.14 or later is required for AES-256 support, which is available in all current Linux distribution repositories.
Can I batch password protect PDFs with different passwords on Linux?
Yes. With a bash script, you can read passwords from a CSV file, generate random passwords per document, or apply passwords based on document names. Using qpdf in a loop combined with a password list file gives you full control over per-document password assignment, with output suitable for logging or reporting to document recipients.
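
The per-document password workflow described under Batch Processing and in the answer above, as an added example that is not part of the original article. It assumes qpdf's "@-" argument-file syntax to pass the passwords on standard input instead of the command line; the names QPDF, gen_password, protect_one and protect_dir are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): batch-protect PDFs with a
# random password per document. All function names here are illustrative.
QPDF=${QPDF:-qpdf}   # override to point at another qpdf binary

# 24-character random password from the kernel CSPRNG.
gen_password() { head -c 18 /dev/urandom | base64; }

# Encrypt $1 into $2 with user password $3 and owner password $4.
# Passwords reach qpdf on stdin through its "@-" argument-file syntax,
# so they never show up in the process list or in shell history.
protect_one() {
    printf '%s\n' "$3" "$4" | "$QPDF" --encrypt @- 256 -- "$1" "$2"
}

# Protect each *.pdf in directory $1 into directory $2 and append
# "output file,user password" lines to log $3. Prints the number of
# files protected; returns 1 if any file failed.
protect_dir() {
    src=$1 dst=$2 log=$3 count=0 failed=0
    mkdir -p "$dst"
    ( umask 077; : >"$log" ); chmod 600 "$log"   # owner-only password log
    for f in "$src"/*.pdf; do       # glob: safe for spaces in filenames
        [ -f "$f" ] || continue     # no match leaves the literal pattern
        out="$dst/$(basename "$f")"
        pw=$(gen_password)
        # A separate random owner password keeps the permissions
        # password different from the one given to the recipient.
        if protect_one "$f" "$out" "$pw" "$(gen_password)"; then
            printf '%s,%s\n' "$out" "$pw" >>"$log"
            count=$((count + 1))
        else
            echo "failed: $f" >&2
            rm -f "$out"            # never leave a partial output behind
            failed=1
        fi
    done
    echo "$count"
    return "$failed"
}

# Usage: sh protect.sh ./in ./out passwords.csv
if [ "$#" -eq 3 ]; then
    protect_dir "$1" "$2" "$3"
fi
```

The password log is the sensitive artifact of the run: keep it off shared storage and deliver each password to its recipient over a different channel than the PDF itself.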