Am I correct that this is still an issue?
Problem: A person who compromises a computer can obtain access to the remote backup site as well (either through the plain text password or through predefined ssh public/private keys).
Vector #1: The attacker just opens up Duplicati’s sqlite DB, and finds a password for a remote server, and then uses that to log into the server as well
Vector #2: The attacker sees that public/private ssh keys are used, so the attacker uses that to log into the remote sever. If the private key has a password attached to it, the attacker finds the password through the sqlite DB
Looking at a past thread: Clear text password stored in Duplicati-server.sqlite
It seems one approach was making headway: https://github.com/duplicati/duplicati/issues/2024
Is there a better approach/mechanism for this security problem?