Duplicati won't accept server DB encryption key after upgrade to 2.2.0.0_stable

redusr · November 5, 2025, 3:21pm

I use Duplicati with a server DB encryption key setup with Windows Credentials Manager on a Win11x64 machine.

This has worked well with 2.1.0.5_stable_2025-03-04 but after upgrading to 2.2.0.0_stable_2025-10-23 today, the key seems not to be accepted anymore. That is, when starting the Duplicati.GUI.TrayIcon.exe , it crashes immediately and following error message is logged:

Application: Duplicati.GUI.TrayIcon.exe
CoreCLR Version: 8.0.2025.41914
.NET Version: 8.0.20
Description: The process was terminated due to an unhandled exception.
Exception Info: Duplicati.Library.Interface.UserInformationException: Server crashed on startup
 ---> System.Exception: A serious error occurred in Duplicati: Duplicati.Library.Interface.SettingsEncryptionKeyMismatchException: Encryption key used to encrypt target settings does not match current key.
   at Duplicati.Library.Encryption.EncryptedFieldHelper.Decrypt(String value, KeyInstance key)
   at Duplicati.Server.Database.Connection.DecryptSensitiveFields(String fieldValue, KeyInstance key)
   at Duplicati.Server.Database.Connection.<>c__DisplayClass37_0.<GetSettings>b__0(IDataReader rd)
   at Duplicati.Server.Database.Connection.Read[T](IDbCommand cmd, Func`2 f)+MoveNext()
   at System.Collections.Generic.LargeArrayBuilder`1.AddRange(IEnumerable`1 items)
   at System.Collections.Generic.EnumerableHelpers.ToArray[T](IEnumerable`1 source)
   at Duplicati.Server.Database.Connection.ReadFromDb[T](Func`2 f, Action`1 prep)
   at Duplicati.Server.Database.Connection.GetSettings(Int64 id)
   at Duplicati.Server.Database.ServerSettings.ReloadSettings()
   at Duplicati.Server.Database.ServerSettings..ctor(Connection con, Action startOrStopUsageReporter)
   at Duplicati.Server.Database.Connection..ctor(IDbConnection connection, Boolean disableFieldEncryption, KeyInstance key, String dataFolder, Action startOrStopUsageReporter)
   at Duplicati.Server.Program.GetDatabaseConnection(IApplicationSettings applicationSettings, Dictionary`2 commandlineOptions, Boolean silentConsole, Boolean changeDbEncryption)
   at Duplicati.Server.Program.Main(IApplicationSettings applicationSettings, String[] _args)
 ---> Duplicati.Library.Interface.SettingsEncryptionKeyMismatchException: Encryption key used to encrypt target settings does not match current key.
   at Duplicati.Library.Encryption.EncryptedFieldHelper.Decrypt(String value, KeyInstance key)
   at Duplicati.Server.Database.Connection.DecryptSensitiveFields(String fieldValue, KeyInstance key)
   at Duplicati.Server.Database.Connection.<>c__DisplayClass37_0.<GetSettings>b__0(IDataReader rd)
   at Duplicati.Server.Database.Connection.Read[T](IDbCommand cmd, Func`2 f)+MoveNext()
   at System.Collections.Generic.LargeArrayBuilder`1.AddRange(IEnumerable`1 items)
   at System.Collections.Generic.EnumerableHelpers.ToArray[T](IEnumerable`1 source)
   at Duplicati.Server.Database.Connection.ReadFromDb[T](Func`2 f, Action`1 prep)
   at Duplicati.Server.Database.Connection.GetSettings(Int64 id)
   at Duplicati.Server.Database.ServerSettings.ReloadSettings()
   at Duplicati.Server.Database.ServerSettings..ctor(Connection con, Action startOrStopUsageReporter)
   at Duplicati.Server.Database.Connection..ctor(IDbConnection connection, Boolean disableFieldEncryption, KeyInstance key, String dataFolder, Action startOrStopUsageReporter)
   at Duplicati.Server.Program.GetDatabaseConnection(IApplicationSettings applicationSettings, Dictionary`2 commandlineOptions, Boolean silentConsole, Boolean changeDbEncryption)
   at Duplicati.Server.Program.Main(IApplicationSettings applicationSettings, String[] _args)
   --- End of inner exception stack trace ---
   at Duplicati.Server.Program.Main(IApplicationSettings applicationSettings, String[] _args)
   at Duplicati.GUI.TrayIcon.HostedInstanceKeeper.<>c__DisplayClass5_0.<.ctor>b__0(Object _)
   --- End of inner exception stack trace ---
   at Duplicati.GUI.TrayIcon.HostedInstanceKeeper..ctor(IApplicationSettings applicationSettings, String[] args)
   at Duplicati.GUI.TrayIcon.Program.Main(String[] _args)
   at Duplicati.GUI.TrayIcon.Net8.Program.<>c__DisplayClass0_0.<Main>b__0()
   at Duplicati.Library.Crashlog.CrashlogHelper.WrapWithCrashLog[T](Func`1 method)
   at Duplicati.GUI.TrayIcon.Net8.Program.Main(String[] args)

The command-line test is still successful anyways:

C:\Program Files\Duplicati 2>Duplicati.CommandLine.SecretTool.exe test wincred:// duplicati-server
NOTE: Secret values are not displayed for security reasons
Secrets:
- duplicati-server: Found!

I looked for similar posts in the forum and voila - there was one promising similarity in a thread I had started months ago:

I wouldn’t have expected such a behavior change from 2.1.0.5_stable_2025-03-04 to 2.2.0.0_stable_2025-10-23 but adjusted my setup:

I changed the entry in Windows Credential Manager from duplicati-server to duplicatiserver
I modified the command-line parameters from “C:\Program Files\Duplicati 2\Duplicati.GUI.TrayIcon.exe” --secret-provider=wincred:// --settings-encryption-key=$duplicati-server to “C:\Program Files\Duplicati 2\Duplicati.GUI.TrayIcon.exe” --secret-provider=wincred:// --settings-encryption-key=$duplicatiserver

The command-line test is successful:

C:\Program Files\Duplicati 2>Duplicati.CommandLine.SecretTool.exe test wincred:// duplicatiserver
NOTE: Secret values are not displayed for security reasons
Secrets:
- duplicatiserver: Found!

But Duplicati still crashes with the same error message, meaning I cannot use it at all.

Did I miss updating any required property after upgrade?

kenkendk · November 5, 2025, 5:46pm

No special action should be needed.

What I think is the issue is that 2.1.0.5 could not detect the $duplicati-server as a token, so it used it literal, and now that it does get parsed, nothing works.

If I am correct, you should be able to decrypt, and then re-encrypt.

Decrypt

C:\Program Files\Duplicati 2\Duplicati.GUI.TrayIcon.exe” --settings-encryption-key=$duplicati-server --disable-db-encryption

This should start up correctly, and now the database is decrypted.

Stop Duplicati, then start it with the right key:

“C:\Program Files\Duplicati 2\Duplicati.GUI.TrayIcon.exe” --secret-provider=wincred:// --settings-encryption-key=$duplicati-server

Duplicati should now encrypt the database using the correct key.

redusr · November 6, 2025, 12:31pm

Looks like you were right, I followed your instructions and everything is working now. Thanks for your help!

The only thing I do not really understand is the command-line behavior when starting the server from there. I usually have a desktop shortcut with the additional parameters, so I never see the command-line interface. When I had done the Decrypt-step of your instructions in command-line, I quit Duplicati using the Tray Icon (not with CTRL+C in the command-line) to be safe that it does not exit before finishing the decryption. I would have expected the command-line to reflect the process stop but after Duplicati.GUI.TrayIcon.exe disappeared from Task Manager processes, the command-line looked still busy:

I don’t know whether that is Duplicati-specific and it seems like it did not harm anything, just wanted to let you know because the behavior was confusing me.

kenkendk · November 7, 2025, 3:02pm

This is a Windows quirk. For Windows, it has different types of executables.
Executables that show a UI will be launched and then return to the commandline, unlike other commands who will remain running and then only return to the commandline once they are done.

The TrayIcon shows a UI (even though it is small) so it has to be a UI executable, otherwise Windows will show a commandline window every time you launch it.

What we have done with the TrayIcon is attach the output to the console that launches it (when possible) so you can see the output, but it looks quite weird.