FOP supports encryption of PDF output, thanks to Patrick C. Lankswert. This feature is commonly used to prevent unauthorized viewing, printing, editing and copying text from the document annotations. It is also possible to ask the user for a password in order to view the contents. Note that there already exist third party applications which can decrypt an encrypted PDF without effort and allow the aforementioned operations, therefore the degree of protection is limited.

For further information about features and restrictions regarding PDF encryption, look at the documentation coming with Adobe Acrobat or the technical documentation on the Adobe web site.

Encryption is enabled by supplying any of the encryption related options.

An owner password with the -o option. This password is actually used as encryption key. Usually it is also used by most tools to disregard any restriction imposed on the PDF document.

If no owner password has been supplied but FOP was asked to apply some restrictions, a random password is used.

A user password, supplied with the -u option, will cause the PDF display software to ask the reader for this password in order to view the contents of the document. If no user password was supplied, viewing the content is not restricted.

Further restrictions can be imposed by using the -noprint, -nocopy, -noedit and -noannotations options, which disable printing, copying text, editing in Adobe Acrobat and making annotations, respectively.

In order to use PDF encryption, FOP has to be compiled with cryptography support. Currently, only JCE is supported. JCE is part of JDK 1.4. For earlier JDKs, it can be installed separately. The build process automatically senses JCE presence and installs PDF support if possible, otherwise, a stub is compiled in.

Cryptography support must also be present at run time. In particular, a provider for the RC4 cipher is needed. Unfortunately, the sample JCE provider in Sun's JDK 1.4 does not provide RC4. If you get a message saying

then you don't have the needed support.

There are several commercial and a few Open Source packages which provide RC4. A pure Java implementation is produced by The Legion of the Bouncy Castle. Mozilla JSS is an interface to a native implementation.

The pure Java implementation from Bouncy Castle is easy to install.

1. Download the binary distribution for your JDK version. If you have JDK 1.3 or earlier you must also download a JCE from the same page.
2. Unpack the distribution. Add the jar file to your classpath. A convenient way to use the jar on Linux is to simply drop it into the FOP lib directory, it will be automatically picked up by fop.sh. If you have JDK 1.3 or earlier don't forget to install the JCE as well.
3. Open the java.security file and add
   security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider,
   preferably at the end of the block defining the other crypto providers. For JDK 1.4 this is detailed on Sun's web site.