PyInstaller Encryption --key

PyInstaller optionally encrypts the Python sources with a very strong method.

Of course without the key it is nearly impossible to extract the files.

BUT the sources still need to be accessed at run time or the program couldn't work (or someone would have to provide the password each time, like protected Excel files for instance).

It means that the key lies somewhere embedded in the installed software. And since all this stuff is open source, looking at the source code tells you where PyInstaller embeds the key. Of course, it's not trivial, but not an encryption-breaking problem, just reverse engineering with - added - the source available.


Jean-Francois' answer above is correct - the encryption key has to be distributed with the executable somewhere or it couldn't self-decrypt when running.

According to a reverse engineering blog, the key is distributed in one of the .pyc files which is generated when building the executable. Decompiling this file may allow access to the key, which could then be used to decrypt the code at rest. (Since that blog is from 2017, the location he talks about may have changed, but it remains the case that the key has to be in there somewhere.)
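
Added example (not part of either answer, and not PyInstaller's code): a toy model of the argument both answers make, that a bundle which decrypts itself without a password must carry its own key. The container layout, the `MAGIC` tag, the function names and the SHA-256 keystream XOR are all constructed stand-ins, not PyInstaller's archive format or cipher.

```python
import hashlib
import struct

MAGIC = b"TOYB"  # constructed container tag; not PyInstaller's archive format


def _xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy stand-in cipher: XOR with a SHA-256 counter keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_bundle(source: bytes, key: bytes) -> bytes:
    """Build step: encrypt the source, then store the key beside it."""
    return MAGIC + struct.pack(">H", len(key)) + key + _xor_stream(source, key)


def run_bundle(bundle: bytes) -> bytes:
    """Loader: nobody types a password, so the key is read from the bundle."""
    if bundle[:4] != MAGIC:
        raise ValueError("not a toy bundle")
    (key_len,) = struct.unpack(">H", bundle[4:6])
    key = bundle[6:6 + key_len]
    return _xor_stream(bundle[6 + key_len:], key)


def looks_protected(bundle: bytes, marker: bytes) -> bool:
    """What a naive strings-style scan sees: the marker is not in the clear."""
    return marker not in bundle


if __name__ == "__main__":
    # Constructed sample input.
    source = b"LICENSE_CHECK = 'constructed-sample-value'\nprint('hello')\n"
    bundle = build_bundle(source, b"0123456789abcdef")
    print("scan finds no plaintext:", looks_protected(bundle, b"LICENSE_CHECK"))
    # The loader needs only the bundle, so anyone holding the file and the
    # loader's open source code can produce the same output.
    print("loader output matches source:", run_bundle(bundle) == source)
```

The strength of the cipher never enters into it: `run_bundle` takes the bundle as its only input, which is why this kind of build-time encryption should be treated as obfuscation rather than as a place to keep secrets.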