Note: this patch is outdated and won't be updated anymore. It is much better to use separate encryption tools like pdftk.

\pdfcrypt for pdfTeX

I developed a patch for adding \pdfcrypt on top of Red Hat's tetex package. It will not apply anywhere else cleanly, that's for sure.

Besides bringing the \pdfcrypt support in teTeX up to the state of the current TeXlive, I've added some support for PDF1.4. It is limited to support for revision 3 security handlers. These provide:

I don't say that the extra computations performed make the encryption better. Nor will the 128-bit keys help much with short passphrases. Anyway, it seems to work: xpdf, ghostscript, and acroread seem to like it, even though acroread seems to have some problems with non-standard key lengths when using the owner password. Strange.

I'd like to know about problems, so please report them to me.

How to use \pdfcrypt

A very brief introduction to the basic \pdfcrypt usage and the extensions I've implemented (so far).

To encrypt the PDF output of pdfTeX add (preferably as the first line of the input file)

\pdfcrypt{owner "foo" user "bar" none}

That's one basic use. The owner password is set to foo and the user password to bar. The user, after identifying herself, is not allowed to do anything but look at the document (that's what none tells the reader).

Instead of none, more selective permissions can be granted or taken away. The complete list of recognized keywords is print, edit, copy, annotate, noedit, nocopy, noannotate. In addition there is all. The order in which the keywords are listed is important. For instance, none edit disallows everything but editing while all noedit allows everything but editing. You get the idea. The PDF1.4 manual from Adobe contains more information. The flags map directly to the permissions available in PDF1.3.
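The ordering rule above can be modeled as a left-to-right fold over a permission mask. This is an added example, not code from the patch: the function names and the all-denied starting state are assumptions, and the bit positions are those of the /P entry of the PDF standard security handler (revision 2).

```python
# Added illustration of the keyword ordering described above; not the patch's
# own code. Bit positions follow the PDF standard security handler /P entry.
PERM_BITS = {
    "print": 1 << 2,     # bit 3
    "edit": 1 << 3,      # bit 4
    "copy": 1 << 4,      # bit 5
    "annotate": 1 << 5,  # bit 6
}
ALL = sum(PERM_BITS.values())

# Only the keywords listed on this page are accepted.
KEYWORDS = {"none", "all", "print", "edit", "copy", "annotate",
            "noedit", "nocopy", "noannotate"}


def apply_keywords(spec: str) -> int:
    """Apply permission keywords in order and return the granted-bit mask."""
    mask = 0  # assumption: nothing is granted before the first keyword
    for word in spec.split():
        if word not in KEYWORDS:
            raise ValueError(f"unrecognized permission keyword: {word!r}")
        if word == "none":
            mask = 0                      # discards everything granted so far
        elif word == "all":
            mask = ALL                    # discards every earlier restriction
        elif word.startswith("no"):
            mask &= ~PERM_BITS[word[2:]]  # revoke a single permission
        else:
            mask |= PERM_BITS[word]       # grant a single permission
    return mask


def p_entry_rev2(mask: int) -> int:
    """/P for a revision 2 handler: bits 1-2 clear, bits 7-32 set, signed."""
    return (0xFFFFFFC0 | mask) - (1 << 32)


if __name__ == "__main__":
    # "edit none" looks similar to "none edit" but grants nothing at all.
    for spec in ("none edit", "all noedit", "edit none", "noedit all"):
        mask = apply_keywords(spec)
        granted = [name for name, bit in PERM_BITS.items() if mask & bit]
        print(f"{spec!r:14} /P={p_entry_rev2(mask):4}  granted={granted}")
```

A keyword list that ends in all or none overrides everything written before it, so the final permission set should be checked in the generated PDF rather than read off the source line.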

To support PDF readers in use these days the pdfTeX generated with these patches still defaults to PDF1.3. I.e., the encryption is limited to 40-bit keys and the simpler revision 2 security handler. To enable PDF1.4 encryption the pdftex.cfg file must contain

pdf14_compliant 1
crypt_key_bits 128

Copy the file which pdftex loads at the beginning (usually something like /usr/share/texmf/pdftex/config/pdftex.cfg) into the current directory and add these two lines. The next pdftex run should pick up the new options. The crypt_key_bits field can be set to other values, which must be a multiple of 8 between 40 and 128 (inclusive).

Legal Bit

The patch is provided without any warranty. If it breaks your system it's your problem, not mine.


Ulrich Drepper
Last modified: Wed Nov 13 01:15:26 PST 2002