FyPDF — PDF & file conversion suite · Security

Seal it, sign it, redact what shouldn't leave.

Most online tools wave at security with a single 'add password' button and a black-marker bar that covers the text but doesn't remove it. The strong room does the notary's work. Four protocols, with the custody chain written down: AES-256 encryption with split user / owner passwords, PAdES B-T signatures that verify in Adobe and Preview, object-model redactions that aren't recoverable.

Open the strong room Read the 4 protocols

Custody chain stays explicit
Every operation names who can do what after it runs. Lock the file, and the password gates open / edit / sign / extract independently — not as one all-or-nothing flag.
Redactions are permanent
Redact PDF removes the underlying content from the document object model — not just paints a black bar over it. The redacted text is gone from the file, not hidden behind a layer.
Encrypted sessions for the heavy work
Protect, sign, and redact run on a one-time encrypted server session. Your file is held in volatile memory only for the duration of the operation; nothing persists after.
Outputs are real, signed PDFs
Signed PDFs verify in Adobe Acrobat, Preview, and any PDF reader that supports the standard. Encrypted PDFs honour AES-256, with permission flags the next viewer respects.

FyPDF

Custody

ARMED

Seal

Protect PDF

ARMED

Open

Unlock PDF

ARMED

Sign

Sign PDF

ARMED

Redact

Redact PDF

strong room · vault 04

4 pins · armed

Strong Room · 4 pins armed

AES-256Encrypted session

The Protocols Ledger

Four protocols, every one with custody written down.

Each row names the operation, the mode (in-browser vs encrypted session), the editorial promise, and the chain of custody it leaves behind — who can open it, who can change it, who can sign it, what cannot be recovered.

Protocols Register · Issue 06Security Track · 4 protocols armed

No.

Protocol

Mode

Promise

Custody chain

Open

01Pin

Protect PDF

Seal

Encrypted session

Lock a PDF with AES-256 encryption — separate user and owner passwords, per-permission flags for print / copy / edit / fill, and a one-time encrypted session for the operation itself.

Chain of custody

User pwd → can open. Owner pwd → can change permissions, lift restrictions.

02Pin

Unlock PDF

Open

In-browser

Lift the password on a PDF you have rights to unlock — runs entirely in your browser, password and file never leave your device.

Chain of custody

Anyone with the owner password can unlock. Output PDF is unrestricted.

03Pin

Sign PDF

Sign

Encrypted session

Counter-sign a PDF with a PAdES B-T signature — visible signature block, optional timestamp authority, and chain-of-trust data baked into the document.

Chain of custody

Signer asserts identity. Subsequent edits invalidate the signature.

04Pin

Redact PDF

Redact

Encrypted session

Permanently strip selected text, images, or regions from a PDF — content removed from the document model, not just painted over with a black bar.

Chain of custody

Redacted content cannot be recovered. Released document is safe to share.

Seal · best for

Pre-distribution lockdown · Confidential drafts · Per-recipient permission scopes

AES-256

Open · best for

Reclaiming archive masters · Re-editing legacy locked files · Pre-merge unblocking

Owner pwd required

Sign · best for

Contract execution · Approvals · Audit-grade signoff · Multi-party signing flows

PAdES B-T

Redact · best for

Legal disclosures · FOIA / RTI releases · Pre-share scrubbing · Compliance handoffs

Object-model strip

The Fidelity Manifesto

What the strong room never lets slip.

Four promises registered onto every protocol. The cheap path is to paint a black bar over text and call it 'redacted', or stamp a single password on a file and call it 'secure' — these are the four guarantees you give up when you take that path.

StrongboxPromise · 01

Custody chain stays explicit

Every protocol names exactly who can do what after it runs. FyPDF's Protect splits the password into user (open) and owner (change permissions), with per-flag controls for print / copy / edit / fill / form-fill. No all-or-nothing toggle, no silent permission inheritance — the chain is written down on the document and on the receipt.

SpecUser + Owner passwords · 5 permission flags · Per-recipient scopes · Receipt records the chain.

StrongboxPromise · 02

Redactions are permanent

Cheap redactors paint a black bar over the page and leave the underlying text in the file — copy-paste reveals it, search finds it, OCR recovers it. The Strong Room strips the content from the page object model first, paints the bar second. The output PDF cannot be reverted.

SpecObject-model strip · Text + image regions · No layer revert · Verified post-redaction.

StrongboxPromise · 03

Signatures verify in any reader

PAdES Baseline-T signatures with optional timestamp authority. Adobe Acrobat shows the green-tick signature panel, Preview shows the chain-of-trust, and any spec-compliant reader does the same. Multi-signer flows are supported with sequential locking.

SpecPAdES B-T · Timestamp authority · Visible signature block · Multi-signer sequential lock.

StrongboxPromise · 04

Encrypted sessions for the heavy work

Protect, sign, and redact run on a one-time encrypted server session — the file is held in volatile memory for the operation, then discarded. Nothing persists. Unlock runs entirely in your browser; the password and the file never leave your device.

SpecVolatile-memory sessions · No file persistence · TLS in transit · Browser-only Unlock.

The Tool Spreads

Read each protocol as its own datasheet.

What each protocol locks, opens, signs, or removes — and where it pairs back into the rest of the suite. Four spreads, in order; alternate sides so the rhythm stays scannable.

SpreadPDF → AES-256 PDF

Protect PDF

Lock a PDF with AES-256 encryption and explicit permission scopes. User password gates opening the file; owner password gates changing the permissions later. Per-flag controls let you allow viewing while disallowing print / copy / edit — useful for documents you want read but not lifted.

Preserves

Document content and structure
Embedded fonts and images
Bookmarks and annotations
Existing signatures (where present)

Transforms

Two-tier password (user + owner)
Per-permission flags (print, copy, edit, fill, form-fill)
AES-256 encryption replaces any prior encryption
Session receipt records permission chain

Formats.pdf in.pdf out (encrypted)AES-256

Open Protect PDF

Pairs withConvert Edit Office

cipher · AES-256Sealed

User pwd

·············

open

Owner pwd

·············

permissions

Flags

PRI

COP

EDI

FIL

FOR

AES-256 · two-tier · 5 flags

SpreadEncrypted PDF → Open PDF

Unlock PDF

Remove encryption and permission restrictions from a PDF you have rights to unlock. Provide the owner password; the operation happens entirely in your browser — no upload, no server in the loop. The output PDF is unrestricted: print, copy, edit, fill all freely available.

Preserves

Document content unchanged
Bookmarks, annotations, attachments
Embedded fonts and images at source quality

Transforms

Encryption removed
Permission flags reset to unrestricted
Owner / user password requirements stripped
Output PDF re-editable in any tool

Formats.pdf in (encrypted).pdf outin-browser

Open Unlock PDF

Pairs withConvert Organize Edit

cipher · removedOpen

→

In-browser · no uploadFile never leaves the tab

owner pwd · in-browser · no upload

SpreadPDF → PAdES B-T PDF

Sign PDF

Counter-sign a PDF with a PAdES Baseline-T signature. Place a visible signature block on a chosen page region; the signature carries chain-of-trust data, optional timestamp authority, and a hash of the document at signing time. Multi-signer flows lock each signature sequentially so the document can pass through several approvers in order.

Preserves

Document content (any change post-signature invalidates)
Existing signatures from prior signers
Annotations and form data up to the moment of signing

Transforms

Visible signature block added at chosen page region
PAdES B-T signature embedded with timestamp
Chain-of-trust data baked into the document
Sequential lock for multi-signer flows

Formats.pdf in.pdf out (signed)PAdES B-T

Open Sign PDF

Pairs withOrganize Office Advanced

page · signedVerified

Signed by2026-05-03 · 09:14

~ Anonymous Counsel

PAdES B-T · TSA timestamp

chain · 1 / 3

PAdES B-T · timestamp · multi-signer

SpreadPDF − sensitive → PDF

Redact PDF

Permanently strip selected text, images, or page regions from a PDF. The engine first removes the content from the document object model — characters, image XObjects, vector strokes — then paints the visible black bar on top. The output PDF carries no recoverable trace of the redacted material; copy-paste, search, and OCR all return nothing for the redacted regions.

Preserves

All non-redacted page content intact
Bookmarks, annotations, and structure tags outside redacted regions
Document metadata except where flagged

Transforms

Selected text → stripped from page content stream
Selected images → image XObject removed, opaque rectangle painted
Selected regions → vector & raster content within bounds removed
Redaction list saved as receipt for audit

Formats.pdf in.pdf out (redacted)audit receipt

Open Redact PDF

Pairs withOrganize Edit Advanced

Before§

Afterredacted

Audit receipt#4F-21-D8

· p. 02 · 3 regions · text

· p. 04 · 1 region · image

· object-model: stripped

object-model strip · audit receipt

Before · After

What changes about who can do what.

Three custody-chain transitions through the strong room. Each row carries the chain of custody recorded BEFORE the protocol ran and AFTER — with the document state to match.

Chain · beforeANYONE · open · edit · print · copyChain · afterUSER · open + read OWNER · permissions

Beforereceived

Open draft contract

Final-form contract, ready for execution. No password, no permission flags — anyone who receives it can edit, copy, print, or extract.

.pdf

Protect PDFOpen contract → sealed for execution

Afterreleased

AES-256 sealed PDF

Locked with two-tier password: counterparty receives the user password (open + read), counsel keeps the owner password. Print disabled, copy disabled, fill enabled.

.pdf

AES-256 · sealed

TakeawayGoes out for execution with the chain of custody written down — not implied, not 'on trust'.

Chain · beforeOWNER PWD · required to open or editChain · afterANYONE · open · edit · print · copy

Beforereceived

Locked legacy archive

PDF from a 2019 vendor, password-protected, no edit permission — but the workspace needs to merge it into the current quarter's bundle.

.pdf

AES-256 · sealed

Unlock PDFLocked archive → unlocked workspace

Afterreleased

Unrestricted PDF

Owner password applied, permissions reset, ready to merge with the rest of the bundle. Original archive copy preserved unmodified.

.pdf

TakeawayReclaims a legacy file for current work without breaking the archive copy.

Chain · beforeANYONE · can extract sensitive contentChain · afterNO-ONE · content removed from object model

Beforereceived

Internal draft with sensitive sections

Counsel-prepared draft, two paragraphs covering active litigation, three appendix pages with personally identifiable information.

.pdf

Redact PDFSensitive draft → release-ready

Afterreleased

Permanently redacted release

Sensitive paragraphs stripped from the page object model. Black bars where they used to be. Copy-paste returns nothing. Search returns nothing.

.pdf

TakeawayGoes out for FOIA / disclosure with no recoverable trace of what was removed.

Who works the strong room

Five regulars at the notary's desk.

The personas who reach for the strong room weekly — and the specific protocols they choose. Find the closest match to the file on your desk this morning.

Persona · 01The contracts admin

Sealed Friday, signed Monday, archived Tuesday

Contract package travels through legal, vendor, and signature workflows in three days. Each leg needs its own custody scope — counterparty gets read access, counsel keeps owner control, signature locks the executed copy.

Reaches for

Protect PDF · Two-tier · counterparty sees, counsel controls
Sign PDF · PAdES B-T signature on the executed copy

Persona · 02The IT / security lead

Encryption posture across the document estate

Every PDF leaving the company should ride on AES-256. Every received PDF that's locked needs to be cleanly unlockable when authorised. Auditors want a receipt for every operation that changed permissions.

Reaches for

Protect PDF · AES-256 · per-permission flags
Unlock PDF · In-browser · no upload trail

Persona · 03The legal counsel

Redactions that hold up to recovery attempts

Disclosure response can't ship a document where copy-paste reveals what was 'redacted'. Object-model stripping is the line; black-bar painting alone is malpractice.

Reaches for

Redact PDF · Object-model strip · audit receipt
Sign PDF · Counter-sign the redacted release

Persona · 04The HR lead

Personnel files that mind their permissions

Letters of offer, performance reviews, exit packages — everything needs viewing access for the recipient and owner control for the team. Some go to email, some to the LMS, some to the personal drive — different scopes per channel.

Reaches for

Protect PDF · Per-channel permission scopes
Redact PDF · Strip salary table before peer share

Persona · 05The finance audit

Counter-signed quarterly close, sealed for archive

Quarterly closes hit the audit trail. Each report needs a counter-signature from the finance lead, sealed permissions for downstream readers, and a redacted distribution copy that drops the per-employee comp lines.

Reaches for

Sign PDF · Counter-sign · multi-signer sequential
Redact PDF · Strip per-employee lines · keep totals

Common Questions

Before you turn the wheel, a few honest answers.

Question Index

Q01 · 01 / 07

What encryption does Protect PDF use?

FyPDF encrypts with AES-256 — the strongest standard the PDF specification supports. Two passwords are supported: the user password gates opening the file, and the owner password gates changing the permissions later. Per-permission flags (print, copy, edit, fill, form-fill) let you allow viewing while disallowing extraction — useful for documents meant to be read but not lifted.

Strong Room Reference · 01

7 questions in the strong-room FAQIssue 06 · Security

Turn the wheel

The vault is keyed. Tell it which pin to drop.

Drop the file, pick a protocol, take the result. AES-256 to seal, a key to open, PAdES B-T to sign, object-model strip to redact — four pins, one chamber, one custody chain written down on every release.

Open the strong room Tour every track in detail

Protocol dispatch · 4 pins

Issue 06

Protect PDFSeal · AES-256

Unlock PDFOpen · in-browser

Sign PDFSign · PAdES B-T

Redact PDFRedact · permanent

All protocols · audit receipt issued

One Suite · Seven Tracks · Twenty-eight Tools and CountingStart with the surface →