To clarify, my “password reuse” point referred to reusing a password for different needs or sites, allowing more risk if it gets taken.
Companies that produce software to manage passwords like to point this out, but I think the risk is real…
52% of users reuse their passwords
Password Reuse Abounds, New Survey Shows
They don’t have to be stored in plain text, but they need to be convertible to that. As stored, Windows gets an obfuscated (weakly encrypted with fixed password) database unless you use --unencrypted-database. About Duplicati Security describes this. It’s a small hurdle. Ultimately a skilled attacker can get credentials unless something else stops them (such as running Duplicati as root and hoping they don’t get that far…).
The encryption suggestion was for the client system to limit credential theft, e.g. if the system gets stolen. Unfortunately I couldn’t quickly see anything for Linux like Windows EFS at a folder level, which was how I thought possibly you could get benefits similar to the Linux keychain on Windows Professional and above. Linux seems to have full drive encryption solutions. I think the issue with most of these is access controls after unlock. If you get access, an attacker who’s indistinguishable from you will probably also get access.
Security is hard, but perhaps somebody will think of small hurdles for Linux to make attacks a little harder.
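An added example of the two points above: a credential the client must be able to turn back into plain text without asking the user is only obfuscated, and once a passphrase-protected store is unlocked, whoever can act as that process gets the credential too. This is illustration code written for this page, not Duplicati's code; the fixed key, the HMAC-based toy cipher and every function name are hypothetical, and it does not describe Duplicati's actual database format.

```python
"""Hypothetical at-rest credential store: fixed baked-in key vs. user passphrase.

Illustration only: not Duplicati's code, and not its database format.
Standard library only, so it runs offline.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed value standing in for a key compiled into a program's binary.
# Anyone who can read the installed program can read this key too.
FIXED_KEY = b"hypothetical-fixed-key-shipped-in-every-install"

NONCE_LEN = 16
TAG_LEN = 32
SALT_LEN = 16


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate keystream and MAC keys from one master key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a stream cipher (toy, stands in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- Scheme 1: "obfuscated" store keyed by a constant baked into the program ---

def store_obfuscated(credential: bytes) -> bytes:
    return seal(FIXED_KEY, credential)


def client_reads_obfuscated(blob: bytes) -> Optional[bytes]:
    """The client runs unattended because it needs nothing from the user..."""
    return unseal(FIXED_KEY, blob)


def attacker_reads_obfuscated(blob: bytes) -> Optional[bytes]:
    """...so an attacker holding the same files recovers the same key and plaintext."""
    key_from_binary = FIXED_KEY  # pulled from the installed program, not from the user
    return unseal(key_from_binary, blob)


# --- Scheme 2: store keyed by something only the user supplies ---

def derive_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def store_with_passphrase(credential: bytes, passphrase: str) -> bytes:
    salt = secrets.token_bytes(SALT_LEN)
    return salt + seal(derive_key(passphrase, salt), credential)


def read_with_passphrase(blob: bytes, passphrase: str) -> Optional[bytes]:
    salt, sealed = blob[:SALT_LEN], blob[SALT_LEN:]
    return unseal(derive_key(passphrase, salt), sealed)


class UnlockedClient:
    """After unlock the process keeps the key in memory: anyone who can act as this
    process (same user, same privileges) gets the credential on demand. That is the
    'access controls after unlock' problem, and full-disk encryption does not solve it."""

    def __init__(self, blob: bytes, passphrase: str) -> None:
        self._key = derive_key(passphrase, blob[:SALT_LEN])
        self._sealed = blob[SALT_LEN:]

    def credential(self) -> Optional[bytes]:
        return unseal(self._key, self._sealed)


if __name__ == "__main__":
    secret = b"cloud-access-key"  # constructed sample credential
    print(attacker_reads_obfuscated(store_obfuscated(secret)))  # recovered with no user input
    locked = store_with_passphrase(secret, "correct horse")
    print(read_with_passphrase(locked, "wrong guess"))  # None: wrong passphrase
    print(UnlockedClient(locked, "correct horse").credential())  # readable once unlocked
```

The contrast to take away: scheme 1 is a hurdle, not a control, because the deobfuscation key ships with the program; scheme 2 holds up against theft of the files alone, but only until the user unlocks it, after which the running process (and anything that can impersonate it) has the plain credential.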