Email is not private. A message can be forwarded, sit unencrypted on servers, land in the wrong inbox because of one mistyped address, or be read by anyone with access to the mailbox. So when the attachment is a payslip, a medical record, a contract, an ID scan, or anything with personal or financial data, the file itself needs protecting — not just your hope that the email goes where you meant.
Password-protecting the PDF encrypts its contents: without the password, the attachment is unreadable even to someone who intercepts it. This guide covers doing that, and the part almost everyone gets wrong — how to give the recipient the password.
The steps
Open Blackpdf's Protect PDF tool and drop your file in.
Set a strong password. This is the encryption key for the document, so it deserves more thought than "the recipient's company name" — see the password advice below.
Apply the protection and download the encrypted file.
Attach the protected version to your email — never the original. It's worth double-checking you've grabbed the right file; sending the unprotected original defeats the whole exercise.
The mistake: don't email the password
This is the part that undoes everything. Encrypting the PDF and then putting the password in the same email — or the follow-up email — is like locking a door and taping the key to it. Anyone who can read the email can read the attachment. You've added a step, not security.
Send the password through a different channel:
- Text it to the recipient's phone.
- Call and read it out.
- Send it via a messaging app you both already use.
- If it must go by email, use a completely separate email thread and, ideally, a pre-agreed convention ("the password is your usual one" / "it's the reference number from our call").
The principle is simple: the lock and the key should never travel together. An interceptor who gets one shouldn't automatically get the other.
Choosing a password that actually protects the file
The encryption is only as strong as the password protecting it:
- Long beats complex. A memorable four-word phrase
(
copper-river-lantern-mist) is both stronger and easier to convey thanP@ss1!. - Don't use something guessable about the recipient or the document — their company name, the invoice number, today's date. Those are the first things anyone tries.
- Don't reuse a password you use elsewhere; you're handing it to someone else.
Common questions
What's the difference between protecting and restricting a PDF?
Protecting (this guide) encrypts the file so it can't be opened without the password — real security for a confidential attachment. Restricting lets anyone open it but switches off printing or copying — a deterrent, not encryption. For emailing something sensitive, you want protection.
The recipient can't open the protected file.
They need the password, and they need it correct. If they have it and it still won't open, check they're not being blocked by their mail system stripping the attachment, and that they're opening the protected file you sent, not a cached older one.
Can I protect a file that's already too big to email?
Protect it, but if it's over the limit, compress it first — do the compression, then the protection, since compression needs to read the file contents.
Do I have to remove the password later?
Only if you want to. The recipient can save an unprotected copy once they've opened it, or you can remove the password yourself from your original if you no longer need it protected. Keep an unprotected master copy somewhere safe so you're not locked out of your own document.
Is emailing a protected PDF enough for compliance (GDPR, HIPAA)?
Encrypting the attachment is a sensible baseline, but whether it satisfies a specific regulation depends on your organisation's policy and the data involved. Treat it as good practice, not an automatic compliance tick.
Can someone brute-force the password?
A short or guessable password, yes. A long passphrase, not realistically. This is exactly why the password choice matters — the encryption is strong; weak passwords are the way in.
Wrap-up
- Encrypt the file in Protect PDF with a long passphrase.
- Attach the protected version — not the original.
- Send the password separately — text, call, or a different channel. Never in the same email.
The lock and the key should never travel together. Get that right and an intercepted email is just an unreadable file. For choosing and managing passwords, see our password-protection guide.
