You can use special characters as well. I would not use anything outside ASCII range for portability concerns, but you can use extended characters as well. The is no imposed maximum length on the key, but it needs to be in the environment variable (or commandline), so those limits apply depending on your operating system.
The minimum key length is 8 characters.
The key is only used to encrypt the contents of the Duplicati-server.sqlite database file. Inside this database, the backup encryption passphrase and remote storage credentials are stored. Encrypting the database contents ensures that accidental exposure of the database file does not compromise the backup data.
Because Duplicati needs access to the database on startup, the encryption key must be available on each startup, but is not expected to be entered manually during normal operations.