Security

Encryption

gpdf supports AES-256 encryption (ISO 32000-2, Rev 6) with owner and user passwords.

Owner Password Only

The PDF can be opened without a password, but editing is restricted.

import (
    "github.com/gpdf-dev/gpdf"
    "github.com/gpdf-dev/gpdf/encrypt"
)

doc := gpdf.NewDocument(
    gpdf.WithPageSize(gpdf.A4),
    gpdf.WithEncryption(
        encrypt.WithOwnerPassword("owner-secret-123"),
    ),
)

User & Owner Passwords

The user password is required to open the PDF.

doc := gpdf.NewDocument(
    gpdf.WithPageSize(gpdf.A4),
    gpdf.WithEncryption(
        encrypt.WithOwnerPassword("owner-pass"),
        encrypt.WithUserPassword("user-pass"),
    ),
)

Permission Control

Restrict specific operations like printing, copying, or modifying.

doc := gpdf.NewDocument(
    gpdf.WithPageSize(gpdf.A4),
    gpdf.WithEncryption(
        encrypt.WithOwnerPassword("owner"),
        encrypt.WithUserPassword("user"),
        encrypt.WithPermissions(encrypt.PermPrint|encrypt.PermCopy|encrypt.PermPrintHighRes),
    ),
)

Available permissions:

Constant	Description
`encrypt.PermPrint`	Allow printing
`encrypt.PermModify`	Allow modification
`encrypt.PermCopy`	Allow copying text
`encrypt.PermAnnotate`	Allow annotations
`encrypt.PermPrintHighRes`	Allow high-resolution printing
`encrypt.PermAll`	All permissions (default)

PDF/A Conformance

Generate archival-quality PDFs that comply with PDF/A standards.

PDF/A-1b

import (
    "github.com/gpdf-dev/gpdf"
    "github.com/gpdf-dev/gpdf/pdfa"
)

doc := gpdf.NewDocument(
    gpdf.WithPageSize(gpdf.A4),
    gpdf.WithPDFA(), // defaults to PDF/A-1b
)

PDF/A-2b with Metadata

doc := gpdf.NewDocument(
    gpdf.WithPageSize(gpdf.A4),
    gpdf.WithPDFA(
        pdfa.WithLevel(pdfa.LevelA2b),
        pdfa.WithMetadata(pdfa.MetadataInfo{
            Title:      "Annual Report 2026",
            Author:     "ACME Corp",
            Subject:    "Financial Report",
            Creator:    "gpdf",
            CreateDate: "2026-01-15T10:30:00+09:00",
            ModifyDate: "2026-01-15T10:30:00+09:00",
        }),
    ),
)

Level	Standard	Description
`pdfa.LevelA1b`	ISO 19005-1	PDF/A-1b (default)
`pdfa.LevelA2b`	ISO 19005-2	PDF/A-2b

Digital Signatures

Sign PDFs with CMS/PKCS#7 digital signatures using RSA or ECDSA keys.

Basic Signing

import (
    "github.com/gpdf-dev/gpdf"
    "github.com/gpdf-dev/gpdf/signature"
)

// Generate the PDF first
data, _ := doc.Generate()

// Sign it
signed, err := gpdf.SignDocument(data, signature.Signer{
    Certificate: cert,
    PrivateKey:  key,
},
    signature.WithReason("Approved"),
    signature.WithLocation("Tokyo"),
)

With Certificate Chain and Timestamping

signed, err := gpdf.SignDocument(data, signature.Signer{
    Certificate: cert,
    PrivateKey:  key,
    Chain:       []*x509.Certificate{intermediateCert},
},
    signature.WithReason("Contract signed"),
    signature.WithLocation("New York"),
    signature.WithTimestamp("http://tsa.example.com"),
)

Option	Description
`signature.WithReason(reason)`	Reason for signing
`signature.WithLocation(location)`	Location of signing
`signature.WithTimestamp(tsaURL)`	RFC 3161 timestamp authority URL
`signature.WithSignTime(t)`	Explicit signing time (default: now)