Quick answer: PCK encryption needs a custom export template compiled with GODOT_SCRIPT_ENCRYPTION_KEY baked in. Stock templates have no key. Build Godot from source with the key, point your export preset at that custom template, and the encrypted PCK will decrypt at runtime.

Here is how to fix Godot 4 export encryption that fails silently: you set a key in the export preset, export, and inspect the .pck, only to find your scripts in cleartext. Encryption is a two-sided operation: the export tool encrypts with the key, and the runtime template decrypts with the same key compiled in. Stock templates have no key, so they cannot decrypt and the build pipeline falls back to plaintext.

The Symptom

You set Encrypt PCK and provide a 64-hex-char key in the Android/Windows/etc. export preset. Export succeeds. Run a hex dump on the .pck or game executable; readable strings, GDScript source, and resource paths appear clearly.

What Causes This

Stock template has no key. The runtime side of decryption needs the key compiled in as a constant. Stock templates ship without one, so the encryption step is a no-op.

Wrong key length. Godot expects exactly 64 hexadecimal characters (32 bytes). Shorter or longer keys are rejected.

Custom template path missing. The export preset has Custom Template fields. If empty, stock templates are used regardless of key settings.

Mismatched build flags. If the template was built without module_mbedtls_enabled=yes, encryption support is missing entirely.

The Fix

Step 1: Generate a strong key.

# 32 bytes = 64 hex characters
openssl rand -hex 32
# Example output: 2bf5...d0a3 (64 chars total)

Save this in a password manager and a CI secret. Losing it means losing access to encrypted assets.

Step 2: Build Godot from source with the key baked in.

git clone https://github.com/godotengine/godot.git
cd godot
export SCRIPT_AES256_ENCRYPTION_KEY="your64hexkey"

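# Build templates per platform, in the same shell that exported the key.
# Godot 4 selects editor vs. template with target=; the Godot 3 tools= option is gone.
scons platform=windows target=template_release
scons platform=linuxbsd target=template_release
scons platform=android target=template_release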

The compiled binary in bin/ is your custom export template. Recent Godot uses SCRIPT_AES256_ENCRYPTION_KEY; older 4.x and 3.x used GODOT_SCRIPT_ENCRYPTION_KEY. Check your version’s docs.

Step 3: Point the export preset at the custom template. In Godot Editor → Project → Export → (preset) → Custom Template:

Release: /path/to/godot.windows.template_release.x86_64.exe
Debug:   /path/to/godot.windows.template_debug.x86_64.exe

Also under Encryption:

Encrypt PCK:        On
Encrypt Index:      On
Encryption Key:     YOUR64HEXKEY (same as build env var)

Step 4: Verify encryption.

strings game.pck | head -50
# With encryption: mostly random output
# Without: readable script paths, function names

xxd game.pck | head -5
# With encryption: high-entropy bytes
# Without: GDPC magic followed by readable strings
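
A scripted version of this check for CI, as an added example that is not part of the original article: it validates the 64-hex key format and flags a .pck that still exposes script text or resource paths. The marker list, the 7.5 bits/byte entropy threshold and the sample data are assumptions; compressed assets are high-entropy even when unencrypted, so the marker scan carries most of the weight.

```python
import hashlib
import math
import re
import sys
from collections import Counter

# Assumed cleartext markers for an unencrypted Godot PCK; extend per project.
MARKERS = (b"res://", b"extends ", b"\nfunc ")
KEY_RE = re.compile(r"[0-9a-fA-F]{64}")


def valid_key(key: str) -> bool:
    """Exactly 64 hex characters (32 bytes), as the export preset requires."""
    return KEY_RE.fullmatch(key) is not None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for scripts."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pck_report(data: bytes, min_entropy: float = 7.5) -> dict:
    """Flag a PCK image that still exposes script text or resource paths."""
    hits = {m.decode().strip(): data.count(m) for m in MARKERS if m in data}
    entropy = shannon_entropy(data)
    return {"entropy": round(entropy, 2), "markers": hits,
            "looks_encrypted": entropy >= min_entropy and not hits}


# Constructed samples (not real exports): script-like text and a SHA-256
# keystream standing in for AES ciphertext.
PLAIN = b"res://player.gd\nextends Node2D\nfunc _ready():\n\tpass\n" * 200
OPAQUE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                  for i in range(2048))

if __name__ == "__main__":
    # CI use: python check_pck.py game.pck  (exit 1 if cleartext is found)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report = pck_report(fh.read())
        print(report)
        sys.exit(0 if report["looks_encrypted"] else 1)
    print("plain :", pck_report(PLAIN))
    print("opaque:", pck_report(OPAQUE))
```

Run it against the standalone .pck rather than an executable with an embedded pack, since the executable's own code pulls the overall entropy down.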

Step 5: For Android, build templates per ABI. Android templates are split per architecture. Build all relevant ABIs and set the .apk template path in the export preset.

Securely Storing The Key

Never commit the key to your repo. Use environment variables in CI. For local builds, store it in your shell profile or a .env file ignored by git. Rotate the key only between major versions; rotation invalidates older PCKs.

What Encryption Protects

Encryption raises the bar for ripping assets but does not prevent determined extractors. The key is in the binary; sufficiently motivated attackers can extract it. Use encryption to deter casual extraction; do not rely on it for DRM-grade protection.

Understanding the issue

Export pipelines transform development assets into shipping packages. Each transformation can introduce subtle changes that produce bugs only visible in the exported build.

The specific bug described above is the kind that surfaces during integration rather than unit testing. It depends on a combination of factors: the asset configuration, the runtime state, the platform's specific behavior. In isolation, each piece looks correct; in combination, the bug emerges. This is why thorough integration testing - playing the actual game in realistic conditions - catches things that automated tests miss.

Why this happens

This bug class disproportionately affects late-stage development. The work to surface it is interactive testing in realistic conditions, which only really happens after the gameplay is in place and assets are populated. Catching it early requires deliberate testing of conditions that look unimportant.

At the engine level, the behavior comes from a deliberate design decision in Godot. The engine team chose a particular trade-off - usually performance versus convenience, or generality versus specificity - and that trade-off has consequences when you push against it. Understanding the trade-off is what turns 'this bug is mysterious' into 'this bug is the expected consequence of this design'.

Verifying the fix

For shipping games, the safest verification is a staged rollout. Apply the fix to 1% of players for 24 hours; watch the affected metric; expand if green. Skipping the staged rollout means the verification is the entire player base, which puts too much at stake for most fixes.

Reproducibility is the prerequisite for verification. If you can't reliably reproduce the bug pre-fix, you can't reliably verify it post-fix. Spend time getting a clean reproduction before you write any fix code. The fix is fast once you understand the reproduction; the reproduction is the slow part.

Variations to watch for

Related bug classes often share the same root cause. If you find yourself fixing this issue, look for cousins: similar symptoms in adjacent systems, the same data flow but a different value, or the same fix pattern in another module. The catalog of 'we've seen this before' becomes valuable institutional knowledge.

Adjacent bugs often share a root cause. After fixing the case you've found, spend an hour searching the codebase for similar patterns. What's the same call with different arguments? The same data flow with a different entity type? The same lifecycle issue in a sibling system? Each match is a candidate for the same fix, or a related fix that prevents future bugs of the same class.

In production

In shipping builds, this issue may interact with other production-only behavior. Stripping, encryption, asset bundling, and platform-specific code paths can each modify the symptoms. When players report a related issue, capture build SHA, platform, and any feature flags - those three fields cover most of the production-only variations.

When triaging a similar issue in production, prioritize gathering data over hypothesizing causes. A player report describes a symptom; what you need is a build SHA, a session timestamp, and ideally a screen recording or session replay. With those, the bug becomes tractable. Without them, you're guessing at hypothetical reproductions that may not match what the player actually hit.

Performance considerations

Performance implications matter when this bug class scales with player count or asset count. A bug that fires once per session is annoying; a bug that fires once per frame compounds. After fixing, profile the affected code path under realistic load. The fix that's correct for one entity may be too slow for ten thousand.

Diagnostic approach

The diagnostic tools available depend on your engine and platform. Use the engine's native profilers and debug overlays before reaching for external tools. The native tools have context that external tools lack - they know which subsystem owns the code, which assets are loaded, and what state the engine is in.

For Godot-specific diagnostics, the editor's profiler is the canonical starting point. Capture a representative frame with the symptom present; compare against a frame without the symptom; the diff often points directly at the cause. If the symptom is non-deterministic, capture multiple frames and look for the pattern - the cause is usually a state transition or a specific input value rather than a continuous effect.

Tooling and ecosystem

The tooling around this bug class matters as much as the fix itself. Good logging, accessible profilers, and clear error messages turn 30-minute investigations into 5-minute ones. If your project doesn't have visibility into this code path, the first fix should add the visibility - the second fix uses it.

Within Godot, the relevant diagnostic surfaces include the standard frame debugger, memory profiler, and engine-specific debug overlays. Each one shows a different facet of what's happening. The frame debugger reveals draw call ordering and state transitions; the memory profiler shows allocation patterns; the debug overlay reveals per-system state. Bugs that resist one tool usually surrender to another - the trick is knowing which tool to reach for first.

Edge cases and pitfalls

Edge cases for this class of issue often involve specific timing: the first frame after a state change, the last frame before a transition, frames where multiple subsystems update simultaneously. Reproducing these reliably is part of what makes the bug class hard to test.

When writing a regression test for this fix, focus on the boundary conditions that surfaced the original bug. Tests that exercise the happy path catch obvious regressions; tests that exercise the boundary catch the subtler regressions that look like new bugs but are really the original returning. The latter are the tests that earn their keep over the long life of the project.

Team communication

When this bug class affects multiple teams (often the case for cross-system issues), early communication prevents duplicate work. The team that owns the symptom may not own the cause. A 15-minute conversation at the start of triage often saves hours of independent investigation.

If this fix touches a system several engineers work in, a short writeup in the team's engineering channel helps. Not a full design doc - a paragraph explaining what was wrong, what's fixed, and what to watch for. Future engineers encountering similar symptoms will search for the fix; making it findable is a small investment that pays back later.

“Encryption is two-sided. Custom template plus same key plus preset points at the template. Skip any step and you ship cleartext.”

Related Issues

For Android export keystore, see Android Keystore. For other export issues, see Export Template Version Mismatch.

Build template with key. Match preset key. Verify with hex dump. The PCK is opaque.