Precursor Howdy! So I've used Godot to make some casual games and was considering using it for some more serious projects. Now normally I wouldn't really care much about my scripts being exposed but as some of my plans involve a significant multiplayer competitive focus, both in direct competition and in high-score competitions, I don't like the idea of having all my code plain-as-day and, more importantly, editable by anyone who has a text editor and a curiosity towards the PCK file.

This is a real problem for, as an example, submitting something like a high-score. It is too easy to change a == to a !=, a false to true, or even just print out variables (such as any security data being passed around, even things like nonces and whatnot). I tested this myself and it took all of a minute to break things by editing the PCK file (albeit it was a dummy test project).

Goal I just want some basic encryption for my scripts. It doesn't need to deter hackers but it needs to be enough where they would actually have to un-encrypt, edit, and re-encrypt the code to actually get somewhere. This will push away most, if not all, casual users that gain some curiosity. Heavens knows when I was younger seeing a file with plain text was just begging to be tinkered with just to see what would happen. I want to discourage that since this can impact other players.

What I've Tried I saw the option for "Script Encryption" when exporting, given you provided a key. Looking at the docs I need to build things myself with a specific environment variable set. Simple enough. I have built the Godot engine from the source code with the encryption environment variable set to my generated key as well as release and debugging templates for HTML5 (the target I am currently testing, but I will be using it on others as well. I also plan to distribute some PCK files for extensions and tweaks). All of these had the environment variable set.

I ran the custom build, specified the custom templates, entered the key and nothing. All the scripts are still plain as day and editable from the PCK file.

Am I doing something wrong? Does this not do what I am expecting it to do? Can someone point me in the right direction here?

I am not sure if what I am trying to do is something that is actually properly implemented or not and would like some clarification.

If this is not something that is natively supported in Godot, is there any way I can do this manually myself? If it is I would love for someone to slap me and say, "You misunderstood this bit, fool!"

Client-side encryption is ultimately pointless, but as you say it can deter casual observers. Or like I like to say, it keeps honest people honest. The hackers will easily bypass.

I thought that is what the script encryption was supposed to do, but I never tested it myself. Maybe there is a bug, or (more likely) there was a step you missed (or that was undocumented or confusing).

And, yes, you can do this yourself with a tool/plug-in and C++ but I only got as far as confirming the API should support custom file operations, I haven't tried it so I don't know how involved it would be. Probably easier to find out what is wrong with the built-in encryption.

Client-side encryption is ultimately pointless, but as you say it can deter casual observers. Or like I like to say, it keeps honest people honest.

That's basically all I'm going for. I just want to prevent enough curiosity that would cause someone to start digging in.

I thought that is what the script encryption was supposed to do, but I never tested it myself. Maybe there is a bug, or (more likely) there was a step you missed (or that was undocumented or confusing).

This is the main thing here. I followed this section in terms of encrypting the scripts (and the HTML5 for the template, Linux for the actual editor build). There isn't much to it there so I'm not sure what I could have missed. The only build-related info is literally setting that environment variable.

If anyone has done this and had it work, was there anything extra you had to do? Has anyone had trouble with this? Can we confirm that this is even fully implemented? I'm going to keep tinkering and see if I can get it to work but I don't have a ton of time to devote to digging into the source or anything.

Thank you for taking the time to respond, @cybereality .

Yeah, the docs look simple enough. Are you exporting through the build menu (not just debug testing)?

How are you extracting the code? I tried a few things and all I get is gibberish (without encryption).

Yes, I am using Project -> Export -> Export Project.

I am just opening the PCK file with an average text editor. Kate, included with Kubuntu to be precise.

Here is a small snip from one of my experimental projects:

I think the problem here might be that you are web exporting. Might need to use an obfuscator separately after exporting.

Really? If that is a limitation of the web export then that is quite unfortunate. Obfuscation is a bit of a problem as well since I plan on expanding functionality through separately distributed PCK files over time.

Alright, I will just have to think of another solution or perhaps try a different engine for this specific project. Thank you for all the responses.

I am also going to be looking into distributing .pck files, though on desktop platforms, for a future project of mine. Hmm, I may need to investigate this. Hopefully it works as expected on desktop, as otherwise this could potentially be a snag for my project.

You can probably work the lack of encryption using C#, though it is not ideal. In theory, you can encrypt the .pck using a C# library and decrypt the .pck file right before loading using the same C# library. The key would be storing the unencrypted .pck file somewhere in memory so it can be loaded by Godot, but not leaving it there permanently. Maybe you could store it in the temp folder?

So I tried recompiling templates and this time targeted my native system (Linux 64bit) just in case it was a web issue.

At first I was getting decryption errors which means I wasn't compiling things correctly. It seems exporting the environment variable wasn't working right? At least, it was unable to 'decrypt' the scripts (even though they weren't encrypted). Setting the variable in the same line while compiling has removed the error but I still get no script encryption but it is running again. I did this for both compilation of the editor itself and export templates again, just to be sure.

The idea with C# is a good one, at least when it comes to distributing extra PCK files. Correct me if I'm wrong, C# isn't yet supported for the web export, right? I recall reading it was planned but don't recall if it was already added.

That said, there is still the issue of the original PCK file being unencrypted but I suppose if you just made that an 'importer' PCK with all the rest of the game code being in the encrypted PCK files then that is a solution. Thankfully Godot makes importing PCK files extremely easy. I am not very familiar with the C# language so I would have a bit to learn.

This is a very plausible solution. Since the goal is just to prevent the casual curiosity of a user, something like storing the unencrypted version temporarily in a hidden folder would probably be perfectly acceptable. It would be fantastic if there was a way to import a PCK from memory rather than from the drive but this, I would think, would be enough to deter the average user.

On this note, however, if there is someone that knows the state of the script encryption support and is willing to chime in that is still the preferred solution.