Duplicati cannot read encryption key from Windows Credentials Manager

This issue might sound quite similar to Duplicati won’t accept server DB encryption key after upgrade to 2.2.0.0_stable but the solution mentioned there seems not to work.

I had duplicati-2.1.0.5_stable_2025-03-04-win-x64-gui running on a machine (Win11 x64) with server DB encryption enabled:

"C:\Program Files\Duplicati 2\Duplicati.GUI.TrayIcon.exe" --secret-provider=wincred:// --settings-encryption-key=$duplicati-server

In Windows Credential Manager I had an entry with internet or network address: duplicati-server and the DB password in the password field.

I wanted to update Duplicati to duplicati-2.2.0.3_stable_2026-01-06-win-x64-gui and remembered the issue in the linked thread that Duplicati might have used the literal string "duplicati-server" instead of the password associated with that key for DB encryption. So I followed the instructions in the thread and first decrypted the DB:

C:\Windows\System32>"C:\Program Files\Duplicati 2\Duplicati.GUI.TrayIcon.exe" --settings-encryption-key=$duplicati-server --disable-db-encryption

Then I updated Duplicati using the installer and launched it using following parameters to re-encrypt the DB:

C:\Windows\System32>"C:\Program Files\Duplicati 2\Duplicati.GUI.TrayIcon.exe" --secret-provider=wincred:// --settings-encryption-key=$duplicati-server

Other than expected, Duplicati crashed, indicating that it does not find a credentials entry with the key duplicati-server:

C:\Windows\System32>Crash!
System.Collections.Generic.KeyNotFoundException: The key 'duplicati-server' was not found
   at Duplicati.Library.SecretProvider.WindowsCredentialManagerProvider.ResolveSecretsAsync(IEnumerable`1 keys, CancellationToken cancellationToken)
   at Duplicati.Library.Main.SecretProviderHelper.SecretProviderCached.ResolveSecretsAsync(IEnumerable`1 keys, CancellationToken cancellationToken)
   at Duplicati.Library.Main.SecretProviderHelper.ReplaceSecretsAsync(ISecretProvider provider, Uri[] realUriArguments, Uri[] internalUriArguments, Dictionary`2 options, String matchpattern, CancellationToken cancelToken)
   at Duplicati.Library.Main.SecretProviderHelper.ApplySecretProviderAsync(Uri[] realUriArguments, Uri[] internalUriArguments, Dictionary`2 options, String persistedFolder, ISecretProvider fallbackProvider, CancellationToken cancellationToken)
   at Duplicati.Library.Utility.Utility.Await[T](Task`1 task)
   at Duplicati.GUI.TrayIcon.Program.Main(String[] _args)
   at Duplicati.GUI.TrayIcon.Net8.Program.<>c__DisplayClass0_0.<Main>b__0()
   at Duplicati.Library.Crashlog.CrashlogHelper.WrapWithCrashLog[T](Func`1 method)
Unhandled exception. System.Collections.Generic.KeyNotFoundException: The key 'duplicati-server' was not found
   at Duplicati.Library.SecretProvider.WindowsCredentialManagerProvider.ResolveSecretsAsync(IEnumerable`1 keys, CancellationToken cancellationToken)
   at Duplicati.Library.Main.SecretProviderHelper.SecretProviderCached.ResolveSecretsAsync(IEnumerable`1 keys, CancellationToken cancellationToken)
   at Duplicati.Library.Main.SecretProviderHelper.ReplaceSecretsAsync(ISecretProvider provider, Uri[] realUriArguments, Uri[] internalUriArguments, Dictionary`2 options, String matchpattern, CancellationToken cancelToken)
   at Duplicati.Library.Main.SecretProviderHelper.ApplySecretProviderAsync(Uri[] realUriArguments, Uri[] internalUriArguments, Dictionary`2 options, String persistedFolder, ISecretProvider fallbackProvider, CancellationToken cancellationToken)
   at Duplicati.Library.Utility.Utility.Await[T](Task`1 task)
   at Duplicati.GUI.TrayIcon.Program.Main(String[] _args)
   at Duplicati.GUI.TrayIcon.Net8.Program.<>c__DisplayClass0_0.<Main>b__0()
   at Duplicati.Library.Crashlog.CrashlogHelper.WrapWithCrashLog[T](Func`1 method)
   at Duplicati.GUI.TrayIcon.Net8.Program.Main(String[] args)

This is what Duplicati.CommandLine.SecretTool.exe reports when testing the credentials use:

C:\Program Files\Duplicati 2>Duplicati.CommandLine.SecretTool.exe test wincred:// duplicati-server
Exception: System.Collections.Generic.KeyNotFoundException: The key 'duplicati-server' was not found
   at Duplicati.Library.SecretProvider.WindowsCredentialManagerProvider.ResolveSecretsAsync(IEnumerable`1 keys, CancellationToken cancellationToken)
   at Duplicati.CommandLine.SecretTool.Program.RunTest(String secretUrl, String[] secrets)
   at System.CommandLine.NamingConventionBinder.CommandHandler.GetExitCodeAsync(Object returnValue, InvocationContext context)
   at System.CommandLine.NamingConventionBinder.ModelBindingCommandHandler.InvokeAsync(InvocationContext context)
   at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<<BuildInvocationChain>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass17_0.<<UseParseErrorReporting>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass12_0.<<UseHelp>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<<UseVersionOption>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass19_0.<<UseTypoCorrections>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<UseSuggestDirective>b__18_0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass16_0.<<UseParseDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<RegisterWithDotnetSuggest>b__5_0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass8_0.<<UseExceptionHandler>b__0>d.MoveNext()

Remembering the issues with characters such as - in the key name I added a second entry in Windows Credentials Manager without that character: duplicatiserver

However, the Duplicati.CommandLine.SecretTool.exe also does not find that entry:

C:\Program Files\Duplicati 2>Duplicati.CommandLine.SecretTool.exe test wincred:// duplicatiserver
Exception: System.Collections.Generic.KeyNotFoundException: The key 'duplicatiserver' was not found
   at Duplicati.Library.SecretProvider.WindowsCredentialManagerProvider.ResolveSecretsAsync(IEnumerable`1 keys, CancellationToken cancellationToken)
   at Duplicati.CommandLine.SecretTool.Program.RunTest(String secretUrl, String[] secrets)
   at System.CommandLine.NamingConventionBinder.CommandHandler.GetExitCodeAsync(Object returnValue, InvocationContext context)
   at System.CommandLine.NamingConventionBinder.ModelBindingCommandHandler.InvokeAsync(InvocationContext context)
   at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<<BuildInvocationChain>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass17_0.<<UseParseErrorReporting>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass12_0.<<UseHelp>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<<UseVersionOption>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass19_0.<<UseTypoCorrections>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<UseSuggestDirective>b__18_0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass16_0.<<UseParseDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<RegisterWithDotnetSuggest>b__5_0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass8_0.<<UseExceptionHandler>b__0>d.MoveNext()

I think that I had used Duplicati.CommandLine.SecretTool.exe also in 2.1.0.5 and not encountered that error but it has been a long time since then, so I am not 100% sure. I thought I might verify that by downloading the duplicati-2.1.0.5_stable_2025-03-04-win-x64-gui.zip and running its Duplicati.CommandLine.SecretTool.exe without installing it but it seems it cannot run without installing, indicating a compatibility problem:

C:\Users\user\Downloads\duplicati-2.1.0.5_stable_2025-03-04-win-x64-gui>Duplicati.CommandLine.SecretTool.exe test wincred:// duplicati-server
Die Version von C:\Windows\system32\Duplicati.CommandLine.SecretTool.exe ist mit der ausgeführten Windows-Version nicht kompatibel. Überprüfen Sie die Systeminformationen des Computers, und wenden Sie sich anschließend an den Herausgeber der Software.

I still can launch Duplicati 2.2.0.3 if I omit the command line arguments but (as expected) it warns me that the server DB is currently unencrypted.

What could be preventing Duplicati 2.2.0.3 from successfully reading the server DB encryption password from Windows Credentials Manager?

Unfortunately I am still unable to fix this issue.

I tried to rule out some more potential causes:

  • Issues with characters in the key name or password phrase: I created an entry with internet or network address asdf and password asdf and tested it with the Duplicati.CommandLine.SecretTool.exe . It still reports a KeyNotFoundException.
  • Issues with the way Duplicati retrieves the entry: I used cmdkey.exe to retrieve the entries with the commands cmdkey.exe /list:duplicati-server / cmdkey.exe /list:duplicatiserver (the tool does not actually read the credentials but can query the entries). The tool found the entries and they are also included when I retrieve all entries with the generic cmdkey.exe /list command.

From my tests I conclude that there might be a specific issue in the way Duplicati retrieves the credentials. Interestingly, I do not encounter the issue on a second machine with the same duplicati release (also on Win11 x64), so maybe it is dependent on the version of dependent libraries or on specific Windows Updates?

Another idea could be a privileges error that causes hiding the entries but as I have started the commands from an elevated command line this also seems unlikely (and on the machine on which the issue did not occur, the Duplicati.CommandLine.SecretTool.exe seems also to work in a non-elevated command line).

As I am running out of ideas on how to proceed my investigations for the cause, I am thankful for suggestions what else I can try to reveal further insights in the issue’s cause or to fix it.

That sounds very strange. Could this be because you need to unblock the zip before running?

My best guess would be that it looks at a different user context? If you run Duplicati as Administrator or similar, then Duplicati will look in that user's passwords.

I can suggest trying the latest canary build, as we updated the secret tool to also support writing secrets. You can use this to set the secret, but also to try to figure out where Duplicati is looking for the secrets.

Thanks for your help, problem solved! Details see below…

Excellent guess. Duplicati runs with Administrator privileges authorized by another Admin account.

I researched a little how to insert the credentials into Windows Credential Manager for that account, here are my results:

  1. Start cmd.exe as Admin using the same account whose Admin rights are used to start Duplicati.
  2. Add a key: %windir%\system32\cmdkey.exe /generic:duplicatiserver /user:duplicati-dummy /pass
    Note: You will be asked for the password to be stored afterwards. You can also enter the passphrase directly by extending the last parameter in this fashion: /pass:mypassword. Just be sure that the password does not contain characters that might be interpreted by cmd.exe.
    Also note that the /generic parameter (not /add) seems to be required for Duplicati to be able to read the credentials.
  3. To check whether the credentials have been added successfully, type: %windir%\system32\cmdkey.exe /list:duplicatiserver and you should see the entry in the output.
  4. To delete the credentials, use: %windir%\system32\cmdkey.exe /delete:duplicatiserver

Hope that helps anyone who came across similar issues.
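
The two findings above (the vault belongs to the account the process runs as, and only a /generic entry was readable) can be checked with the following PowerShell script. It is an added example, not part of the thread or of Duplicati. It calls the Windows CredReadW API directly and assumes that cmdkey /generic stores a CRED_TYPE_GENERIC entry and cmdkey /add a CRED_TYPE_DOMAIN_PASSWORD entry. The helper name Test-VaultEntry is hypothetical.

```powershell
# Added diagnostic, not Duplicati code. Reports which account's credential
# vault this process sees and whether $Target exists there, by credential type.
# The stored secret is never printed.
param([string]$Target = 'duplicatiserver')   # entry name taken from the post

Add-Type -Namespace Diag -Name Vault -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CredReadW(string target, uint type, uint flags, out IntPtr cred);

[DllImport("advapi32.dll")]
public static extern void CredFree(IntPtr cred);
'@

function Test-VaultEntry {
    param([string]$Name, [uint32]$Type)
    $ptr = [IntPtr]::Zero
    $ok  = [Diag.Vault]::CredReadW($Name, $Type, 0, [ref]$ptr)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) {
        [Diag.Vault]::CredFree($ptr)          # release the buffer without inspecting it
        return 'present'
    }
    if ($err -eq 1168) { return 'absent' }    # 1168 = ERROR_NOT_FOUND
    return "error $err"
}

$id       = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

[pscustomobject]@{
    Account        = $id.Name                         # vault owner for this process
    Elevated       = $elevated
    Target         = $Target
    Generic        = Test-VaultEntry $Target 1        # CRED_TYPE_GENERIC (cmdkey /generic)
    DomainPassword = Test-VaultEntry $Target 2        # CRED_TYPE_DOMAIN_PASSWORD (cmdkey /add)
}
```

Run it from a prompt opened the same way Duplicati is launched. If Generic is absent there while the entry is visible in Credential Manager in your normal session, the entry is stored under a different account than the one Duplicati runs as.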

I think I unzipped the whole folder and then tried to run the command if this is what you mean.

If you unzip a file you downloaded, Windows will put the “Unsafe” marker on all files from the zip file and prevent them from executing. You need to right click the zip file, then choose “Properties” and then click “Unblock” before you extract the files.