Clear text password stored in Duplicati-server.sqlite

True. The RC4 scrambling feature is only available in the Windows version.

Yes, the default password is Duplicati_Key_42:

Yes, that was the idea with the RC4 encryption. It is not strong, and has a known password, but at least you cannot do string scanning on the hard disk to find the contents.

I am not aware of any plug-n-play solutions for Linux, so we would need to identify all the ways and places a password can be stored, and then handle each field with manual obfuscation/de-obfuscation.

Since the same work is required for the keychain integration, I think it would make sense to have a “fallback keychain”, that is an internal Duplicati keychain with a known password (similar to how the RC4 stuff works on Windows). We can implement this first, and then it should be easier to “plug-in” the real keychain implementations later.

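Added example (not Duplicati's code, and not its real on-disk format): a from-scratch RC4 driven by the known key quoted above, showing that a plain string scan of the SQLite file no longer finds the password, while anyone holding the published key recovers it in one call, which is why this counts as obfuscation rather than protection. The table layout, the file name inside a temp dir and the sample password are constructed for the demo.

```python
import os
import sqlite3
import tempfile

# The fixed key quoted in the thread; anyone who reads the source knows it.
KNOWN_KEY = b"Duplicati_Key_42"


def rc4_keystream(key: bytes):
    """Plain RC4: key scheduling (KSA), then the keystream generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR with the keystream both scrambles and unscrambles."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def scramble(password: str) -> bytes:
    return rc4(KNOWN_KEY, password.encode("utf-8"))


def unscramble(blob: bytes) -> str:
    # Recovery needs nothing but the key above, so this is obfuscation only.
    return rc4(KNOWN_KEY, blob).decode("utf-8")


def disk_scan_finds_password(password: str, obfuscate: bool = True) -> bool:
    """Write the value into a throwaway SQLite file (constructed schema, not
    Duplicati's) and string-scan the raw file bytes for the password."""
    value = scramble(password) if obfuscate else password
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Duplicati-server.sqlite")  # constructed name
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE Option (Name TEXT, Value)")
        con.execute("INSERT INTO Option VALUES (?, ?)", ("passphrase", value))
        con.commit()
        con.close()
        with open(path, "rb") as f:
            return password.encode("utf-8") in f.read()
```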