PDF Mavericks Logo
Privacy
India
No Upload

Aadhaar Masking Tool — UIDAI-Compliant in Browser

Free aadhaar masking tool that hides the first 8 digits per UIDAI Masked Aadhaar standard. Runs in your browser — Aadhaar PDFs never upload anywhere.

PDF Mavericks·
In this guide
  1. What an aadhaar masking tool does
  2. The UIDAI Masked Aadhaar standard
  3. Step-by-step: mask Aadhaar in your browser
  4. When the masked version is enough
  5. Five mistakes that defeat masking
  6. How this fits DPDP Act 2023
  7. Frequently asked questions

You handed over your Aadhaar PDF to a courier driver, a property agent, an insurance form filler, an HR onboarding portal — at least once this year. The number on it identifies you across every financial and government rail in India. UIDAI's answer to this problem is the Masked Aadhaar: a version of your Aadhaar PDF where the first 8 of the 12 digits are replaced with X, leaving only the last 4 visible. An aadhaar masking tool is what produces that file. UIDAI publishes the standard itself: the masked PDF is downloadable from the myAadhaar portal and is explicitly intended for use anywhere full Aadhaar identity proof is not legally required.

The wrinkle is that the myAadhaar portal requires login and OTP each time, which means most people end up emailing themselves their unmasked Aadhaar and trying to mask it themselves with whatever PDF tool they have on hand. That is where most of the privacy leakage in this flow happens — uploading unmasked Aadhaar PDFs to free online tools that promise to mask them, where the masking happens on a server that has already received the full number. PDF Mavericks' aadhaar masking tool closes that loop by running the masking inside the browser, with zero upload.

What an aadhaar masking tool does

A masking tool takes a PDF that contains a 12-digit Aadhaar number in either text form or image form, identifies the digit run, and renders the file with the first 8 digits hidden behind X characters. The output is a regular PDF that opens in any reader — Adobe Acrobat, Preview, Chrome, mobile readers — and displays the number as XXXX XXXX XXXX 1234, where 1234 are the last four digits of the original Aadhaar.

The technically interesting part is what "hide" means. There are two real techniques and one fake one:

  • Text rewrite — the tool reads the PDF's underlying text content stream, replaces the first 8 digits with X, and writes a new PDF. The masked digits are gone from the file entirely, no copy-paste recovery possible.
  • Rasterize-and-paint — the tool renders the page to an image, paints opaque rectangles over the digit positions, and embeds the resulting image as the new page. The original text is not present in the new file. This works for scanned PDFs where there is no text stream to rewrite.
  • Annotation overlay (the fake one) — drawing a black rectangle over the digits in Adobe Reader or Preview. This looks the same to a human eye, but the underlying text is intact and recoverable by anyone with three minutes and a copy-paste shortcut.

Our tool uses approach 1 when the input PDF has searchable text and falls back to approach 2 for scanned PDFs. We never use approach 3. If you have ever "masked" an Aadhaar by drawing a black box in a PDF reader, the recipient still has the full number.

The UIDAI Masked Aadhaar standard

UIDAI defines Masked Aadhaar in plain terms: hide the first 8 digits, keep the last 4. The format displayed on the masked PDF is three groups of four characters, with the first eight digits shown as X — for example, XXXX XXXX XXXX 5678. This shape is consistent across every Aadhaar document UIDAI issues: e-Aadhaar PDF, Aadhaar Letter scan, mAadhaar app export, and the DigiLocker copy.

The reason for keeping the last four digits visible is practical. When you have multiple Aadhaar PDFs in your records (yours, your spouse's, your parents', dependents'), the last four digits let you tell them apart without exposing the full number. Banks, insurers, and HR teams use the last four as a reference for paperwork — "Aadhaar ending 5678" — without ever needing the full identifier in their records.

The first 8 digits are the part UIDAI considers high-risk. With those eight, plus name and date of birth (which most KYC documents also display), an attacker has enough surface area to attempt identity correlation across financial systems. The last 4 alone do not give the same lift; brute-forcing the missing 8 digits at 100 million combinations defeats the purpose of partial disclosure because UIDAI rate-limits Aadhaar lookups against its database.

Step-by-step: mask Aadhaar in your browser

The aadhaar mask tool runs entirely in your browser. There is no signup, no upload, no email gate. The processing path is:

  1. Open pdfmavericks.com/aadhaar-mask in any modern browser (Chrome, Firefox, Edge, Safari).
  2. Drag the Aadhaar PDF into the drop zone, or click to pick it from your file picker. The file stays on your device — it is read into the browser's memory but not transmitted anywhere.
  3. The tool detects 12-digit patterns matching Aadhaar's format and highlights the proposed mask region. For text-based PDFs, this is automatic; for scanned PDFs, you draw the mask region over the digits manually.
  4. Confirm the mask. The tool rewrites the PDF — replacing the first 8 digits with X for text PDFs, or rasterizing the masked region for scans — and offers the masked file for download.
  5. Verify the result by opening the downloaded PDF, attempting to copy-paste the Aadhaar number, and confirming the first 8 characters come out as X. If you can paste back the full number, the mask did not take and the underlying text is still present.

The whole flow is under a minute for a one-page Aadhaar PDF. The DevTools Network tab confirms zero outbound requests during processing — a useful thing to demonstrate to anyone (HR, compliance, family members) skeptical of online tools.

When the masked version is enough

UIDAI is unambiguous: the masked Aadhaar is intended for any use where Aadhaar is collected as proof of identity but where the full number is not legally required for the transaction. In practice, that covers most situations the average Indian encounters in a year:

  • Bank KYC re-verification — your bank already has your full Aadhaar from account opening. Annual KYC refreshes typically only need proof that the document still exists; the masked copy is enough.
  • Employer onboarding — HR teams collect Aadhaar for PAN-Aadhaar linking, EPF, and address proof. Full Aadhaar is not legally required for any of these; the masked version satisfies all three.
  • Insurance KYC — IRDAI's 2022 master circular allows masked Aadhaar for proof-of-identity collection. Health, motor, term, and life insurance KYC all accept the masked version.
  • Lease and rental agreements — landlords and brokers often photocopy Aadhaar as part of police verification. Masked Aadhaar is what you should hand over; the police form itself only needs name, photo, and last 4 digits to cross-check.
  • Courier or delivery proof — anyone asking for Aadhaar at the door (parcel deliveries, gas refill agents, property visits) gets the masked version. Full Aadhaar at the door is the worst exposure surface.
  • Telecom re-verification — DoT's 2021 guidelines explicitly allow Masked Aadhaar for re-KYC of existing telecom subscribers.

The full Aadhaar is required only for direct UIDAI authentication — biometric, OTP, or face authentication via a regulated AUA / KUA. That flow does not involve PDF sharing at all; it goes through UIDAI's API. If a counterparty asks for an unmasked Aadhaar PDF, the right answer is to ask which authentication mode they are running and whether masked is acceptable. In our experience, it usually is.

Five mistakes that defeat masking

The mask is only as good as the technique behind it. Here are the mistakes we see most often, in order of how often they fail in real audits:

  1. Drawing a black box in Adobe Reader. The text underneath the box is intact. Anyone with copy-paste recovers the full Aadhaar in seconds. This is the single most common defeat.
  2. Saving as image-only PDF and assuming the digits are gone. Modern OCR (including the OCR built into iOS and macOS Preview) recovers digits from a flattened image with high accuracy. If the digits were visible to a human eye in the source, OCR can probably read them back.
  3. Masking only the visible page, missing a metadata copy. PDFs sometimes carry the Aadhaar number in document metadata (Title, Subject, Keywords) or in form fields that do not render on the page. A complete masking tool clears those too.
  4. Cropping the page instead of masking the digits. Cropping removes display, not data. The original page rectangle is still in the file and a determined recipient can recover it by adjusting the crop box.
  5. Sending the masked PDF along with the unmasked one. People do this. They mean to send only the masked version, but attach both to a single email by mistake. If you are emailing Aadhaar at all, double-check the attachments before sending and prefer download links that expire over permanent attachments.

The browser-local masker avoids #1 and #2 by default — text PDFs get a real text rewrite, scans get a rasterize-and-paint that does not leave the original digits in the file. #3 needs explicit metadata-clearing on the output, which the tool also does. #4 and #5 are operator errors that no tool can fully prevent.

Your files never leave your browser

PDF Mavericks processes everything locally using WebAssembly. No file is uploaded to any server. The whole point of an aadhaar masking tool is that an unmasked Aadhaar should never cross the wire — a server-side masker defeats its own purpose.

How this fits DPDP Act 2023

The Digital Personal Data Protection Act 2023 codifies a principle that already existed in good engineering practice: collect only the personal data you need, no more. Aadhaar is the canonical over-collected identifier in India — third parties ask for the full number out of habit even when they only need proof of identity.

For a data fiduciary (the entity collecting Aadhaar), accepting a masked version reduces the personal data they store, which lowers their breach exposure and their compliance obligations under DPDP. For a data principal (the individual), sharing the masked version reduces the surface area an eventual breach can expose.

DPDP does not by itself mandate masking — the Act sets out consent, purpose, and breach-notification requirements rather than specific technical formats. But masked Aadhaar is the natural default for any flow that does not legally require the full number, and the UIDAI standard is the format the regulator already accepts. Sharing the unmasked version when the masked one would do is a choice that creates avoidable risk for both sides.

Beyond Aadhaar: other Indian KYC documents to mask

Aadhaar is the most common identifier to mask, but not the only one. The same browser-local masking technique applies to other documents people share routinely:

  • PAN cards — the 10-character PAN is sensitive for tax-fraud and impersonation reasons; masking the first 5 characters is a common pattern.
  • Driving licence numbers — RTOs increasingly accept masked DL copies for proof of address.
  • Bank account numbers — for cancelled-cheque scans, masking everything except the last 4 digits is standard.
  • Voter ID (EPIC) — ECI's guidance allows masking for identity proof when full number is not required.

For multi-page documents that mix searchable text and scanned images, the right flow is to extract the text first, identify which pages need text rewrites versus which need rasterized masks, and apply the right technique per page. PDF Mavericks' toolset is designed to chain these steps without any file leaving the browser.

Frequently asked questions

What does an aadhaar masking tool actually do?

It hides the first 8 digits of your 12-digit Aadhaar number on a PDF, keeping only the last 4 visible. This matches the UIDAI Masked Aadhaar format (XXXX XXXX XXXX 1234). The masked file is what UIDAI says you should share when an entity needs proof of your Aadhaar but does not need the full number — bank KYC re-verification, employer onboarding, insurance, lease agreements, courier deliveries.

Is browser-local masking actually safer than uploading to a website?

Yes, materially. When you upload an unmasked Aadhaar PDF to a server-side masking tool, you have already exposed the full Aadhaar to that server, its logs, its backups, and any compromised insider — the masking happens after the leak. A browser-local tool runs the redaction inside your browser using WebAssembly and JavaScript; the file is never transmitted. You can verify this by opening DevTools, switching to the Network panel, and watching the conversion run with zero outbound requests.

Why does UIDAI mask only the first 8 digits and not the last 4?

The last 4 digits are kept visible so the holder can identify which Aadhaar a document belongs to without revealing the full number. UIDAI considers the first 8 digits the sensitive portion — they are sufficient to attempt identity correlation, account opening, or social-engineering attacks when combined with name and date of birth. Keeping the last 4 visible balances usability (you can recognize your own document) against exposure (an attacker cannot reconstruct the full number from the last 4 alone).

Will the masked Aadhaar be accepted as valid KYC?

For most third-party use cases — collecting Aadhaar for proof-of-address rather than full eKYC — yes. UIDAI explicitly issues Masked Aadhaar PDFs through the myAadhaar portal precisely because regulated entities are expected to accept it. Banks, employers, insurance, telecom for re-verification, and lease counterparties typically accept the masked version. Government-issued benefits requiring full-Aadhaar eKYC (PDS subsidies, DBT) still need the unmasked number; that flow goes through UIDAI's biometric or OTP authentication, not a PDF.

What happens if I draw a black box over the Aadhaar number in Adobe Reader?

Drawing a shape on top of text in a PDF reader does not remove the underlying text — it just paints a black rectangle on the rendered page. Anyone receiving that PDF can copy-paste from it, run OCR on it, or open it in a text editor and recover the full Aadhaar number. A real masking tool either rewrites the text content stream (replacing digits with X) or rasterizes the masked region so the underlying text is gone. Our aadhaar masking tool does the former for text-based PDFs and offers the latter as a fallback for image-based scans.

Can the tool detect Aadhaar numbers automatically or do I have to draw boxes by hand?

For text-based PDFs (the kind myAadhaar issues, and most digital downloads), it auto-detects 12-digit patterns matching Aadhaar's format and proposes the mask region — you confirm and download. For scanned PDFs (photocopy uploaded to a flatbed or phone scanner), the digits live as raster pixels rather than searchable text, so you draw the mask region manually over the rendered page. We pair this tool with PDF Mavericks' OCR step when scanned documents need text-layer extraction first.

Does masked Aadhaar also satisfy DPDP Act 2023 compliance?

Masking the first 8 digits is part of the data-minimization principle the Digital Personal Data Protection Act 2023 codifies — collect only what you need, no more. If a counterparty requires proof of Aadhaar identity but not the full number, sharing the masked version reduces the personal data they collect and store, which lowers their compliance footprint and yours. It does not by itself satisfy DPDP — that requires consent, purpose specification, and breach notification — but it is a necessary input.

Is there a file size limit for masking?

Soft limit of 50 MB per file for browser-memory reasons; most Aadhaar PDFs from myAadhaar are under 200 KB so this is rarely an issue. Larger PDFs (full enrolment-form scans, multi-page family bundles) work but slow down on older devices. If your file is over 50 MB, split it first using PDF Mavericks' split tool, mask each part, then merge if needed — every step still runs in the browser.

Related guides

Aadhaar Mask Tool — the actual toolUnlock password-protected Aadhaar PDFs first