Backup job sqlite database Configuration.passphrase security question

I use Duplicati on Windows from the command line only. I do not use the GUI / automated scheduler.
I would like to understand the security issues surrounding the passphrase in my usage scenario.

  • Is it possible to recover the passphrase from the contents of the .sqlite Configuration table in the backup job database, or is this a 1-way dataset that can only be used to validate the correct passphrase?
  • When I supply --passphrase=whatever to Duplicati.CommandLine.exe, is the passphrase being cached anywhere on my system?

I read these posts…
Clear text password stored in Duplicati-server.sqlite
About Duplicati Security
Storage of encryption password
“Why don’t I have to re-enter my encryption password?” (post 1769 - I’m on my 3 hyperlink per post limit for new users)

After reading the above, I’m assuming that pure command line usage doesn’t involve Duplicati-server.sqlite at all (?)

Yes, that is correct.

The “Duplicati-server.sqlite” is a database used by the GUI to keep all the configurations. It needs to have both the remote backend password as well as the encryption password. A “motivated” attacker will be able to extract these values from the database.

Using only the commandline, you need to supply the values when running the command, so you can choose a different way of storing these values.

No. The .sqlite database that belongs to a backup (aka local database) is a map of the remote contents. It does not have the encryption key and does not need it. With the database (but not the key), an attacker can see what paths are backed up, what blocks belongs to which files, and what blocks are in what remote files. The blocks are only described by their SHA256 hash, so you cannot recover any content.

However, if an attacker has access to the database, chances are that they can also access the source files, removing the need to mess around with the database.

Edit: there is a salted hash of the passphrase stored in the database. This is used to check if the user changes the passphrase while using --no-backend-verification. This could cause the backend to contain files encrypted with different passphrases, which would then be difficult to restore. This is a one-way function and cannot be reversed without significant computing resources.

It is not persisted anywhere in Duplicati by design.
(Also a reason why Duplicati-server.sqlite needs to store it)

Most shells have a “history” feature that might save it. You can also sometimes see other users commandlines if you are on a multi-user system. To avoid this, you can set the passphrase via the environment variable PASSPHRASE.

Thank you for the thorough reply, that really helps me to understand what’s going on.