Clear text password stored in Duplicati-server.sqlite

You see the sftp login password. Duplicati needs to know the real password (to authenticate with the server), so we cannot store a hashed version. The login password is hashed and salted, thus not stored in the clear (we only need to verify it on login).

We have discussed various encryption tricks, but it really boils down to having the decryption key present on the same system as the encrypted data, which adds very little actual security.

My plan is to integrate with the OS keychain, and let that guard the passphrases.

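The asymmetry the post describes, as an added illustration (this is not Duplicati's code and does not reproduce its actual storage scheme): the web-UI login password only ever needs to be verified, so a salted PBKDF2 digest is all that gets persisted, while the sftp password must be handed back in plaintext to authenticate to the remote server, so it has to live somewhere recoverable. The `keychain` dict below is a hypothetical stand-in for an OS keychain; the point is that the record written to the database carries only a reference, never the secret itself. Iteration count and field names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed parameters for the salted hash of the *login* password.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_login_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are stored; the password is not."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_login_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, cand_digest = hash_login_password(candidate, salt)
    return hmac.compare_digest(cand_digest, digest)


class ServerRecord:
    """One backend configuration as it would be persisted.

    login password  -> verify-only (salt + digest in the record)
    sftp password   -> recoverable, so it goes to the keychain stand-in and the
                       record keeps only a lookup key
    """

    def __init__(self, login_password: str, sftp_password: str, keychain: Dict[str, str]):
        self.login_salt, self.login_digest = hash_login_password(login_password)
        # Hypothetical keychain: a dict standing in for the OS-provided secret store.
        self._keychain = keychain
        self.sftp_password_ref = "keychain:backend/" + os.urandom(4).hex()
        self._keychain[self.sftp_password_ref] = sftp_password

    def check_login(self, candidate: str) -> bool:
        return verify_login_password(candidate, self.login_salt, self.login_digest)

    def get_sftp_password(self) -> str:
        # The real secret is fetched from the keychain at connection time,
        # not read back from the database row.
        return self._keychain[self.sftp_password_ref]

    def persisted_fields(self) -> Dict[str, str]:
        """Exactly what would be written to the sqlite row: no plaintext secret."""
        return {
            "login_salt": self.login_salt.hex(),
            "login_digest": self.login_digest.hex(),
            "sftp_password_ref": self.sftp_password_ref,
        }


if __name__ == "__main__":
    store: Dict[str, str] = {}
    rec = ServerRecord("ui-login-secret", "sftp-backend-secret", store)
    print(rec.check_login("ui-login-secret"), rec.check_login("guess"))
    print(rec.persisted_fields())
```

Dumping `persisted_fields()` shows why the login password is safe to store as a digest while the sftp password is not: the digest is useless for logging in to the remote host, and a keychain reference is useless without the OS account that owns the keychain.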