Welcome to the forum @jby96032
is not related to
seems to be true for the user interface password. Commonly a salted hash tests user password entry.
Life is different when the passphrase (not just hash) must be used, e.g. for encryption and decryption.
There’s a similar need to obtain actual credentials when talking to a remote service for authentication.
On Windows, the entire settings database is encrypted with (weak) encryption and a default fixed key.
This is enough to stop simple scanners. On Linux, I think the SQLite library usually lacks this ability…
Which tool can open encrypted DB has some info, and shows that it’s a bit hard to read Windows DB.
Mine is geared towards reading (because I sometimes debug), so I option to –unencrypted-database.
One person used a VeraCrypt volume. Ultimately an attacker on-system can probably read password. Because Duplicati has to use it, an attacker with a debugger can grab it at the point of its internal use.
It’s kind of a matter of how easy or hard we make it on attackers. There is an open Issue in the queue.
Meanwhile Windows helps, and OS access control helps, especially if Duplicati is set up as a Service.