Encrypt embedded files & binary protection

We’re looking to deploy our application to a customer but, besides legal protection, are looking for protection of the binary as well to make decompiling unappealing. We already ship everything in a single binary by embedding all required external files inside the binary using //go:embed, but we’d like to encrypt those files so that they’re not readable as text directly in the binary. Does anybody have experience with this?

Besides, we’re looking to use GitHub - burrowers/garble: Obfuscate Go builds to obfuscate the source which would make it quite hard to decompile. Additionally, I’d like to check for the /etc/machine-id and the current date to be before X, which will hinder an opportunistic user but would be easy to circumvent for a hacker.

We can also set up a license master server and check if the license is valid, but again you could intercept the traffic or disable the if-statement to check the license quite easily. Any ideas?

What you are asking to do is fundamentally hard. Even if you encrypt the embedded files, your binary would presumably have to know how to decrypt them and thus that piece could be reverse-engineered. And I’m not super experienced with it, but I know LLMs are making reverse engineering easier than ever.

I think Garble is your best bet. It won’t be perfect, but it will accomplish your goal of at least making it more of a pain to reverse engineer. Shipping secrets to an untrusted environment outside of your control is never perfectly safe though.

1 Like