Clear text password stored in Duplicati-server.sqlite

kenkendk · June 26, 2018, 6:44am

True. The RC4 scrambling feature is only available in the Windows version.

Yes, the default password is Duplicati_Key_42:

duplicati/duplicati/blob/master/Duplicati/Server/Program.cs#L517


      
              // Setup the log redirect

              Library.Logging.Log.StartScope(LogHandler, null);

          

              if (commandlineOptions.ContainsKey("log-file"))

              {

                  var loglevel = Library.Logging.LogMessageType.Error;

          

                  if (commandlineOptions.ContainsKey("log-level"))

                      Enum.TryParse(commandlineOptions["log-level"], true, out loglevel);

          

                  LogHandler.SetServerFile(commandlineOptions["log-file"], loglevel);

              }

          }

          

          private static int ShowHelp(bool writeConsole)

          {

              if (writeConsole)

              {

                  Console.WriteLine(Strings.Program.HelpDisplayDialog);

          

                  foreach (Library.Interface.ICommandLineArgument arg in SupportedCommands)

Yes, that was the idea with the RC4 encryption. It is not strong, and has a known password, but at least you cannot do string scanning on the harddisk to find the contents.

I am not aware of any plug-n-play solutions for Linux, so we would need to identify all the ways and places a password can be stored, and then handle each field with manual obfuscation/de-obfuscation.

Since the same work is required for the keychain integration, I think it would make sense to have a “fallback keychain”, that is an internal Duplicati keychain with a known password (similar to how the RC4 stuff works on Windows). We can implement this first, and then it should be easier to “plug-in” the real keychain implementations later.