About Duplicati Security

Good evening, I would like to ask a question about Duplicati. If I take it, install Duplicati, configure it to run as a service and configure a password to open it, is there any way for another user or malware to be able to get the passwords registered in a Job, be it data encryption, cloud access or whatever, without entering my Administrator password?

I asked this because I imagined that after setting the password in Settings, the configuration file would somehow be encrypted. However, this week, opening it as an application on Windows 10 with Duplicati open in the browser, Duplicati opened the administration screen in Firefox without even asking for the password, rather than the login screen.

If this was asked before, a thousand apologies, but I did not find it.

I don’t know the answer to your question, but is your “no password requested” scenario similar to the one mentioned here?

Yes, the problem is exactly this. I already knew about this bug, and I was testing to see whether the same thing would occur in my environment, which is what I was afraid of.

If the program did not need my password to open, then one of two cases must apply: either the password is saved somewhere in a token form to decrypt the configuration, or there is no encryption for the configuration files and anyone who knows where they are can grab them and gain access to my storage in the cloud.

Both are problematic for me, because with this I could lose access to all data in the cloud, not only the Duplicati backup, but also my personal files.

@tacioandrade Currently the information is saved in the SQLite database and is not encrypted. So basically anyone with access to the machine where Duplicati is running from could potentially access the passwords. I believe this shortcoming is being addressed by the developers, but for now you have to use operating system security to manage this flaw. You can manage it by using ACLs in Windows/Linux/Unix, etc.

Thanks a lot for the answer. This really is a VERY serious failure as I see it, since any malware prepared to capture information from backup tools can easily grab Duplicati’s credentials and destroy all information.
On Linux systems, which are more restrictive, I can use it without fear; however, on Windows Servers I am now wary.

@tacioandrade

In fairness, the malware would have to be specifically written to exploit Duplicati’s weakness. And the passwords are useless without the actual backup files themselves. However, like I mentioned, you can protect yourself by using the OS. For example, in Windows make sure Duplicati is running as a Service started by an Admin user and restrict access to the Duplicati files using ACLs.
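The ACL lockdown suggested above, written out as an added PowerShell example (not Duplicati project code). It assumes the service runs as a specific account (`$ServiceAccount`, defaulting to LocalSystem) and that `$DuplicatiDataDir` is the folder holding the unencrypted settings database; both are placeholder assumptions to adjust for your install. Only standard .NET `FileSystemSecurity` APIs and the built-in `Get-Acl`/`Set-Acl` cmdlets are used.

```powershell
# Added example (not Duplicati project code): restrict the Duplicati data
# directory so that only the service account and local Administrators can
# read the settings database. Run from an elevated prompt.
param(
    # Placeholder path, assumed; point it at the folder containing the
    # Duplicati server database on your machine.
    [string]$DuplicatiDataDir = 'C:\ProgramData\Duplicati',
    # Account the Duplicati service runs as (assumption: LocalSystem).
    [string]$ServiceAccount = 'NT AUTHORITY\SYSTEM'
)

if (-not (Test-Path -LiteralPath $DuplicatiDataDir)) {
    throw "Duplicati data directory not found: $DuplicatiDataDir"
}

$acl = Get-Acl -LiteralPath $DuplicatiDataDir

# Stop inheriting permissive entries (e.g. BUILTIN\Users read) from the
# parent folder; $false discards them rather than copying them in.
$acl.SetAccessRuleProtection($true, $false)

# Drop every explicit entry so the result is exactly the allow-list below.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$full      = [System.Security.AccessControl.FileSystemRights]::FullControl

# The service account needs full control to read and update the database;
# Administrators keep access so the folder stays manageable.
foreach ($principal in @($ServiceAccount, 'BUILTIN\Administrators')) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $principal, $full, $inherit, $propagate, $allow)
    $acl.AddAccessRule($rule)
}

Set-Acl -LiteralPath $DuplicatiDataDir -AclObject $acl

# Verify: only the two principals above should remain, all non-inherited.
(Get-Acl -LiteralPath $DuplicatiDataDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

As a check after running it, open a non-elevated prompt as a standard user and try `Get-Content` on a file in that folder; it should fail with access denied. This narrows who can read the database at rest; it does nothing against code already running as an administrator, which is the "game over" case the thread describes.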

I think there are a few issues mixed up in here.

There are different credentials:

  1. Remote store credentials
  2. Backup encryption phrase
  3. Database password
  4. Service password
  5. OS credentials

As Duplicati is supposed to run backups regularly without user intervention, it is difficult to balance the need for security with the need for simplicity.

For protecting the files on the remote store, the files are compressed and encrypted, cutting off attacks on the files.

Once an attacker has access to your system, it is generally “game over”. If your system is running, passwords are in memory somewhere and can be extracted. But there are ways to make this harder.

If Duplicati is not running, the attack vector would be to go after the database. In the current setup, the settings database contains the server url, the server credentials and the encryption passphrase. To mitigate this a little, the SQLite database is scrambled using the RC4 cipher with a default password (and on Windows only). The purpose of this is to make it harder to do string scans of the harddisk, but it is not supported on Linux and it does not add any real security.

Duplicati needs the information in the database to make backups. If the database (or just the sensitive fields) was really encrypted, the user would need to enter the password on startup, making automatic backups impossible.

The plan is to use the OS keychain facilities to store sensitive information, but no progress has been made on this.

For the OP the TrayIcon needs to know the password, otherwise it cannot connect to the server and display the current status. We also have plans to add a “read-only” mode, which would make this a little simpler. We are using this to create a valid session, and pass the session token to the browser if you open Duplicati from the TrayIcon. I can see why it is confusing, but I consider it safe, as anyone that has access to interact with your desktop can do many other nasty things already.

I will also state again, that the webserver running in Duplicati has not been security vetted and I strongly advise against exposing this to the internet (by default it accepts loopback connections only).

Yes, this is a real threat and very hard to fix. Duplicati needs to know the encryption phrase and the remote server login credentials to work.

You can mitigate it by using GPG encryption with public-key encryption, such that the private key is not present on the machine. But since the attacker already has access to all your files on the compromised machine, I am not sure it helps much.

You can also set up the remote destination to refuse delete and overwrite. Duplicati needs the advanced option --no-auto-compact --keep-versions=0 to disable any deletes (overwrites are never done).

This last option will keep you safe even if the machine is taken over by malware that explicitly seeks to destroy backups, at the expense of never releasing space (backups grow infinitely).

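The "refuse delete and overwrite" idea above, as an added example (not Duplicati project code) for the case where the remote store is an Amazon S3 or S3-compatible bucket; the bucket name, prefix and the assumption that Duplicati authenticates with its own IAM user are placeholders. The policy lets the credential stored in Duplicati list, read and write objects but explicitly denies every delete action, so a copy of that credential taken from the machine cannot be used to wipe the backup:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DuplicatiListBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::EXAMPLE-BACKUP-BUCKET"
    },
    {
      "Sid": "DuplicatiReadWriteObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-BACKUP-BUCKET/duplicati/*"
    },
    {
      "Sid": "RefuseAllDeletes",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteBucket",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BACKUP-BUCKET",
        "arn:aws:s3:::EXAMPLE-BACKUP-BUCKET/*"
      ]
    }
  ]
}
```

The Allow statements already omit delete permissions; the explicit Deny is there so that any other policy attached to the same user later cannot quietly grant them back, and it also blocks lifecycle rules that would expire objects. Because the credential can no longer delete, the job must run with the options the reply names, `--no-auto-compact --keep-versions=0`, or the compact and retention steps will fail against this bucket. Enabling bucket versioning on top keeps earlier object versions even if the credential is used to overwrite a file, which Duplicati itself never does.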

In addition to @kenkendk’s reply, I would also add that if a system is breached then the source data is already exposed to a security risk. All users should ensure that the source data is not compromised, and this applies to all operating platforms. The security of source data is just as, if not more, important than the backup data itself.

Yes, the malware really would have to have been written specifically to get information from Duplicati. I know that, considering the size of Duplicati compared to other players, this is unlikely, but that does not mean it is impossible in the future.

I will look into automating the creation of the ACLs in Windows in some way, as you said, since doing it manually is not something that we sysadmins always remember.

Perfect, thanks for your answer. It is really complicated to balance the ease of automatic backup with the possible problem of data access.

Thank you very much for the explanation. With it in mind I will try to put together a stronger security policy on the client side, avoiding possible security problems by using ACLs and the like.

Have a great weekend.

When I add the --keep-versions option in the GUI, it says to use -1 to keep unlimited versions. Should it be 0 or -1 to disable deletes?

Thanks


Duplicati treats “zero or less” as “unlimited” for --keep-versions so both will work the same way.
