Hashing's irrelevant here. Backend needs plaintext password. PDF uses KDF, not hashes for encryption. Use pikepdf or similar, AES-256. Frontend? HTTPS for password transit. User types original password to open. Clear now?