Why does my Godot encrypted PCK still expose .gd source files?

Encryption requires a custom export template compiled with the same key as embedded constant. Stock templates ship with no key. Without rebuilding the template with GODOT_SCRIPT_ENCRYPTION_KEY set, the runtime cannot decrypt and the export gracefully falls back to plain text.

How do I build a Godot export template with a custom encryption key?

Generate a 64-hex-character key, set environment variable GODOT_SCRIPT_ENCRYPTION_KEY=YOURKEY, build Godot from source with scons platform=PLATFORM target=template_release, and use the resulting binary as your custom template path in the export preset.

How do I verify that PCK encryption worked?

Open the .pck or .exe with a hex editor. Search for known plaintext from your scripts (function names, hardcoded strings). With encryption applied, you should not find them; with default templates, you will see them clearly.

Fix: Godot Export PCK Encryption Key Not Applied

Quick answer: PCK encryption needs a custom export template compiled with GODOT_SCRIPT_ENCRYPTION_KEY baked in. Stock templates have no key. Build Godot from source with the key, point your export preset at that custom template, and the encrypted PCK will decrypt at runtime.

Here is how to fix Godot 4 export encryption that fails silently — you set a key in the export preset, export, and inspect the .pck only to find your scripts in cleartext. Encryption is a two-sided operation: the export tool encrypts with the key, and the runtime template decrypts with the same key compiled in. Stock templates have no key, so they cannot decrypt and the build pipeline falls back to plain.

The Symptom

You set Encrypt PCK and provide a 64-hex-char key in the Android/Windows/etc. export preset. Export succeeds. Run a hex dump on the .pck or game executable; readable strings, GDScript source, and resource paths appear clearly.

What Causes This

Stock template has no key. The runtime side of decryption needs the key compiled in as a constant. Stock templates ship without one, so the encryption step is a no-op.

Wrong key length. Godot expects exactly 64 hexadecimal characters (32 bytes). Shorter or longer keys are rejected.

Custom template path missing. The export preset has Custom Template fields. If empty, stock templates are used regardless of key settings.

Mismatched build flags. If the template was built without module_mbedtls_enabled=yes, encryption support is missing entirely.

The Fix

Step 1: Generate a strong key.

# 32 bytes = 64 hex characters
openssl rand -hex 32
# Example output: 2bf5...d0a3 (64 chars total)

Save this in a password manager and a CI secret. Losing it means losing access to encrypted assets.

Step 2: Build Godot from source with the key baked.

git clone https://github.com/godotengine/godot.git
cd godot
export SCRIPT_AES256_ENCRYPTION_KEY="your64hexkey"

# Build templates per platform
scons platform=windows target=template_release tools=no
scons platform=linuxbsd target=template_release tools=no
scons platform=android target=template_release tools=no

The compiled binary in bin/ is your custom export template. Recent Godot uses SCRIPT_AES256_ENCRYPTION_KEY; older 4.x and 3.x used GODOT_SCRIPT_ENCRYPTION_KEY. Check your version’s docs.

Step 3: Point the export preset at the custom template. In Godot Editor → Project → Export → (preset) → Custom Template:

Release: /path/to/godot.windows.template_release.x86_64.exe
Debug:   /path/to/godot.windows.template_debug.x86_64.exe

Also under Encryption:

Encrypt PCK:        On
Encrypt Index:      On
Encryption Key:     YOUR64HEXKEY (same as build env var)

Step 4: Verify encryption.

strings game.pck | head -50
# With encryption: mostly random output
# Without: readable script paths, function names

xxd game.pck | head -5
# With encryption: high-entropy bytes
# Without: PCK\x01 header followed by readable strings

Step 5: For Android, build templates per ABI. Android templates are split per architecture. Build all relevant ABIs and set the .apk template path in the export preset.

Securely Storing The Key

Never commit the key to your repo. Use environment variables in CI. For local builds, store in your shell profile or a .env file ignored by git. Rotate the key only between major versions; rotation invalidates older PCKs.

What Encryption Protects

Encryption raises the bar for ripping assets but does not prevent determined extractors. The key is in the binary; sufficiently motivated attackers can extract it. Use encryption to deter casual extraction; do not rely on it for DRM-grade protection.

“Encryption is two-sided. Custom template plus same key plus preset points at the template. Skip any step and you ship cleartext.”

Related Issues

For Android export keystore, see Android Keystore. For other export issues, see Export Template Version Mismatch.

Build template with key. Match preset key. Verify with hex dump. The PCK is opaque.