Benefit of encrypting the DB

Hi Everyone,

Basic (hopefully not too stupid) question: what’s the point / benefit of encrypting the DB?

Of course, I do understand the importance of encrypting sensitive information (such as the backup’s encryption passphrase), but in any case you will have to store the DB decryption password somewhere in plain text (whether it’s a shortcut with the `--settings-encryption-key` parameter, or a preload.json file, or the SETTINGS_ENCRYPTION_KEY environment variable).

So, considering that whoever gained access to your Duplicati DB can equally access the encryption password in the shortcut, JSON file, or environment variable, what’s the point of encrypting the DB?

Cheers,

Gaston

It really depends on your setup and security policy.

If you store backups remotely and/or encrypt those backups, Duplicati needs to handle secrets (credentials, encryption passphrase, etc). These secrets are stored in the database, and if the database is not encrypted, these values can be accessed on the machine.

If your machine gets compromised, attackers may be able to read the database and extract the credentials and access/destroy the backups. If you include the database in (unencrypted) backups, it is also possible that the database is accessible outside the machine.

Security is always about layers. Protecting the database with a password adds an extra layer where an attacker needs to get one more value, protecting against accidental leaks of the database.

You can also consider using the secret provider which further shields the passphrase. But since Duplicati will need the password on the machine unattended, it is also “just another layer”.
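As an added illustration of the layering described in this answer (example code written for this thread, not Duplicati's own code, and not Duplicati's real database or settings-encryption format): a constructed secrets record is sealed with AES-256-GCM under a key taken from an environment variable, so the sealed blob can sit in a database file while the key lives elsewhere. The `Settings` struct, the `SETTINGS_ENCRYPTION_KEY` fallback value and the sample secrets are all made up for the demo; the SHA-256 key derivation is a shortcut for brevity where a real implementation would use a salted KDF. The three scenarios in `main` correspond to the three situations in the answer: a leaked database file without the key, a compromised machine that has both, and a database file that was modified.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// Settings is a constructed stand-in for the secrets a backup tool keeps in
// its database (remote credentials, backup passphrase). Not Duplicati's schema.
type Settings struct {
	RemoteURL        string `json:"remote_url"`
	RemotePassword   string `json:"remote_password"`
	BackupPassphrase string `json:"backup_passphrase"`
}

// deriveKey turns the operator-supplied settings key into a 32-byte AES-256
// key. Plain SHA-256 is used here only to keep the example short; a real
// implementation would use a salted, slow KDF.
func deriveKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

// encryptSettings serialises the settings and seals them with AES-256-GCM.
// Blob layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// Only this blob would be written to the database; the key stays outside it.
func encryptSettings(s Settings, key []byte) ([]byte, error) {
	plain, err := json.Marshal(s)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// decryptSettings reverses encryptSettings. A wrong key or a modified blob
// fails GCM authentication, so a leaked database file yields nothing without
// the key, and a tampered one is rejected instead of being silently misread.
func decryptSettings(blob []byte, key []byte) (Settings, error) {
	var s Settings
	block, err := aes.NewCipher(key)
	if err != nil {
		return s, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return s, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return s, errors.New("settings blob too short")
	}
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return s, fmt.Errorf("settings blob rejected: %w", err)
	}
	if err := json.Unmarshal(plain, &s); err != nil {
		return s, err
	}
	return s, nil
}

func main() {
	// The key comes from the environment, mirroring the SETTINGS_ENCRYPTION_KEY
	// variable mentioned in the thread; the fallback value is constructed for the demo.
	keyStr := os.Getenv("SETTINGS_ENCRYPTION_KEY")
	if keyStr == "" {
		keyStr = "demo-key-not-for-real-use"
	}
	key := deriveKey(keyStr)

	// Constructed sample secrets.
	s := Settings{RemoteURL: "s3://example-bucket/backups", RemotePassword: "constructed-secret", BackupPassphrase: "constructed-passphrase"}
	blob, err := encryptSettings(s, key)
	if err != nil {
		panic(err)
	}

	// Scenario 1: only the database file leaked (e.g. included in an unencrypted
	// backup). Without the key the blob is useless.
	_, err = decryptSettings(blob, deriveKey("wrong-key"))
	fmt.Println("blob without key:", err)

	// Scenario 2: machine compromised, so key and blob are both available; the
	// encryption layer is bypassed, which is why it is "just another layer".
	got, _ := decryptSettings(blob, key)
	fmt.Println("blob with key:", got.RemoteURL)

	// Scenario 3: someone altered the stored blob; authentication fails.
	blob[len(blob)-1] ^= 0x01
	_, err = decryptSettings(blob, key)
	fmt.Println("tampered blob:", err)
}
```

Run it with `SETTINGS_ENCRYPTION_KEY=somevalue go run main.go`; the point to notice is that the same blob prints real settings in scenario 2 and an error in scenarios 1 and 3, which is exactly the boundary the answer draws between a leaked file and a compromised host.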

Thanks Kenneth for the clear answer!

Best

Gaston