Secure Gmail PDF Unlock: Apps Script to Drive

Introduction

Every day millions of users receive password‑protected PDF attachments in Gmail – invoices, contracts, or confidential reports that need to be archived. Manually downloading each file, opening it, removing the password, and then re‑uploading it to Google Drive is tedious and prone to error. Fortunately, Google’s ecosystem provides a way to automate the whole process: a small Apps Script can scan your inbox, extract the protected PDFs, decrypt them, and store the resulting unencrypted files directly in Drive. In this article we’ll walk through the required setup, the core script logic, the decryption step, automation via triggers, and the security measures you should adopt to keep your credentials safe.

Preparing the Workspace

Before any code is written, you must give the script the permissions it needs.

• Enable the Google Drive and Gmail APIs in the Google Cloud console linked to your account.
• Create a new Apps Script project from script.google.com and name it (e.g., “PDF Unlocker”).
• Store the PDF password securely using the script’s Properties Service – this keeps the secret out of the source code.

With these prerequisites in place, the script will be able to read messages, write files, and access the stored password without exposing it to the browser.

Detecting and Downloading Protected PDFs

The core of the automation is a function that searches Gmail for unread messages containing PDF attachments, downloads the binary data, and saves a temporary copy to Drive.

• Use GmailApp.search() with a query such as has:attachment filename:pdf is:unread to fetch relevant threads.
• Iterate through each GmailMessage, locate the attachment object, and call attachment.getBlob() to retrieve the file content.
• Create a temporary file in a hidden folder (e.g., “PDF‑Temp”) using DriveApp.createFile(blob). This file remains password‑protected until the next step.

Removing the Password from the PDF

Google Apps Script cannot directly modify PDF encryption, so an external service is required. One reliable option is the PDF.co API, which offers a “PDF Unlock” endpoint.

• Send an HTTPS POST request from the script (using UrlFetchApp.fetch()) with the temporary file’s Base64 content and the stored password.
• The API returns a new PDF byte stream without encryption; capture this response and create a final Drive file in the destination folder (e.g., “Unlocked PDFs”).
• Delete the temporary encrypted copy to avoid clutter and accidental exposure.

Because the decryption happens server‑side, the password never travels in plain text within your Gmail or Drive environment.

Automating the Whole Process

Manual execution is useful for testing, but the real power comes from automation.

• Set up a time‑driven trigger (e.g., every 10 minutes) that runs the main function, ensuring newly arrived PDFs are processed promptly.
• Alternatively, create a Gmail filter that applies a specific label (e.g., “UnlockPDF”). Modify the script to only act on threads with that label, giving you granular control over which attachments are unlocked.
• After a successful unlock, mark the original Gmail messages as read or move them to an archive label to prevent duplicate processing.

Security and Best Practices

Automating password removal raises legitimate security concerns; follow these guidelines to protect your data.

• Never hard‑code the PDF password. Use PropertiesService.getScriptProperties() to store it, and restrict script access to your Google account only.
• Limit the API key for the decryption service to the specific endpoint and enforce IP‑based restrictions if possible.
• Store unlocked PDFs in a Drive folder with appropriate sharing settings – avoid “Anyone with the link” permissions unless absolutely necessary.
• Regularly audit the “PDF‑Temp” folder and the script’s execution logs to detect any unexpected activity.

Conclusion

By combining Gmail’s search capabilities, Google Apps Script, and a trusted PDF‑unlocking API, you can transform a repetitive manual task into a seamless, automated workflow. The process begins with preparing a secure script environment, proceeds through detecting encrypted attachments, leverages an external service to strip passwords, and finishes with organized storage in Google Drive. Automation triggers and Gmail labels keep the system running in the background, while best‑practice security measures ensure that passwords and confidential documents remain protected throughout. Implementing these steps will save you time, reduce human error, and give you instant access to previously locked PDFs directly from Drive.