
PyInstaller Encryption --key


I'm trying to understand why the PyInstaller documentation states that the key given with the --key argument to encrypt Python source code can be easily extracted:

Additionally, Python bytecode can be obfuscated with AES256 by specifying an encryption key on PyInstaller’s command line. Please note that it is still very easy to extract the key and get back the original byte code, but it should prevent most forms of “casual” tampering.

My basic understanding of AES-256 is that if no one has the encryption key you specify, they can't extract it "easily".

Does anyone have a better understanding?


Solution

  • PyInstaller optionally encrypts the Python sources with a very strong method.

    Of course, without the key it is nearly impossible to extract the files.

    BUT the sources still need to be accessed at run time or the program couldn't work (or someone would have to provide the password each time, like with protected Excel files, for instance).

    It means that the key lies somewhere embedded in the installed software. And since all this stuff is open source, looking at the source code tells you where PyInstaller embeds the key. Of course, it's not trivial, but it's not an encryption-breaking problem, just reverse engineering, with the added benefit of having the source available.
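The design trade-off the answer describes, as an added illustration that is not part of the original post and is not PyInstaller's own code or bundle format: a loader that must start without user input has to carry its key inside the artifact, so the artifact alone suffices to recover the plaintext, whereas the "password each time" alternative keeps the key out of the file. The cipher is a toy SHA-256 counter-mode keystream standing in for AES-256 (the standard library has no AES); the argument does not depend on which cipher is used.

```python
import hashlib
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode stream cipher built from SHA-256, a stand-in for
    # AES-256 in this demo. Encryption and decryption are the same XOR.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_embedded_key_bundle(source: bytes) -> bytes:
    # Modelled "--key" style scheme (not PyInstaller's real layout): the
    # loader must decrypt at start-up with no user input, so the key has
    # to travel inside the artifact. Layout: key | nonce | ciphertext.
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    return key + nonce + keystream_xor(key, nonce, source)


def run_embedded_key_bundle(bundle: bytes) -> bytes:
    # Everything needed to recover the plaintext is in the bundle itself;
    # the loader (or anyone holding the file) just reads the key back out.
    key, nonce, ct = bundle[:32], bundle[32:48], bundle[48:]
    return keystream_xor(key, nonce, ct)


def build_password_bundle(source: bytes, password: str) -> bytes:
    # The "protected Excel file" alternative: derive the key from a secret
    # the user supplies at run time; only salt, nonce and ciphertext are
    # stored, so the artifact alone is not enough to decrypt.
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + nonce + keystream_xor(key, nonce, source)


def run_password_bundle(bundle: bytes, password: str) -> bytes:
    # Without the correct password the derived key is wrong and the
    # output is garbage rather than the original source.
    salt, nonce, ct = bundle[:16], bundle[16:32], bundle[32:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return keystream_xor(key, nonce, ct)


# Constructed sample "source" that the bundles are meant to protect.
SOURCE = b"print('hello from protected code')"
```

The embedded-key bundle decrypts with no secret beyond the file itself, which is exactly the property the documentation warns about; only the password variant withholds the key from whoever holds the artifact, at the cost of asking for it on every run.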