Another newbie question: How do I encrypt the database?
There are a few ways to do this, and they are described here:
https://docs.duplicati.com/detailed-descriptions/the-server-database#securing-the-database
If the descriptions are not clear enough, let me know, and I will add more examples.
Thank you! I’ve bookmarked “Duplicati Documentation” this time!
Me again, sorry. I did read the relevant section of the documentation — more than once — but am still stuck. For instance:
To supply the field-level encryption password, start the Server, TrayIcon, or Agent with the commandline option --settings-encryption-key=<key>.
I start the server by double-clicking on an icon, so I don’t know how to add a commandline option. I do know how to access the commandline once Duplicati has started, but then where would I type --settings-encryption-key=<key>? In the commandline argument box? And what would the command itself be? And is <key> to be replaced by our choice of password/key?
If you don’t have time to help me further (you’ve already helped me a lot), just forget it; my laptop never leaves my room anyway, so I probably don’t need the additional safety of an encrypted database.
The easiest way is to create a shortcut to that file.
Just right click somewhere and create a shortcut to the server executable.
Then edit the shortcut and add the commandline option to the shortcut arguments.
(If the icon you are double-clicking is already a shortcut, just edit that)
Now, when you start it, use the shortcut instead of the executable.
Should it look like this?
"C:\Program Files\Duplicati 2\Duplicati.GUI.TrayIcon.exe" --settings-encryption-key=<key>
Yes, that looks correct. You can look in the logs and see if it still emits a warning when it starts. If there is no warning, the database is now encrypted.
When I use the modified shortcut, Duplicati doesn’t open. When I remove --settings-encryption-key=<key>, it opens again, and there’s no warning. The interface has changed, though, is that normal?
Before, the shortcut opened http://localhost:8200/ngax/index.html#/ and the interface looked like this:
Now, the shortcut opens http://localhost:8200/ngclient/ and the interface looks like this:
[Edit:] Oh, I see there’s the option to “Revert to NGAX client.” So yes, it’s a new interface, but with the option to return to the “old” one.
That suggests to me that the encryption key is somehow wrong.
You can try running it on the commandline to see error messages. Press WIN+R then type “cmd” and press enter. Then paste or type:
"C:\Program Files\Duplicati 2\Duplicati.GUI.TrayIcon.exe" --settings-encryption-key=<key>
And press enter, and you should see the error message. Hopefully this will move you closer to figuring out what password is actually being used to encrypt the settings.
Yes, we are in the process of building a new user interface. There are still some issues with it, so you may want to click the “Revert to NGAX client” link in the left side. If you do stay on ngclient, make sure to log any issues that you see, so we can fix them.
Replace <key> with an encryption key.
Yeah. Kinda obvious, uh? OK, I did that, I replaced <key> in the shortcut by a randomly generated key. Duplicati started. If I try to do the same thing again through cmd, I get what’s below (the big chunk of quoted text), but it may be normal if the tweaked shortcut already encrypted the database. However, the “does not match current key” is weird, since I just copy-pasted the key. Let’s say my key is Tmd5T2RH!@#, then my shortcut and cmd command both look like this:
"C:\Program Files\Duplicati 2\Duplicati.GUI.TrayIcon.exe" --settings-encryption-key=Tmd5T2RH!@#
C:>Crash!
Duplicati.Library.Interface.UserInformationException: Server crashed on startup
---> System.Exception: A serious error occurred in Duplicati: Duplicati.Library.Interface.SettingsEncryptionKeyMismatchException: Encryption key used to encrypt target settings does not match current key.
at Duplicati.Library.Encryption.EncryptedFieldHelper.Decrypt(String value, KeyInstance key)
at Duplicati.Server.Database.Connection.DecryptSensitiveFields(String fieldValue, KeyInstance key)
at Duplicati.Server.Database.Connection.<GetSettings>b__29_0(IDataReader rd)
at Duplicati.Server.Database.Connection.Read[T](IDbCommand cmd, Func`2 f)+MoveNext()
at System.Collections.Generic.LargeArrayBuilder`1.AddRange(IEnumerable`1 items)
at System.Collections.Generic.EnumerableHelpers.ToArray[T](IEnumerable`1 source)
at Duplicati.Server.Database.Connection.ReadFromDb[T](Func`2 f, String sql, Object[] args)
at Duplicati.Server.Database.Connection.GetSettings(Int64 id)
at Duplicati.Server.Database.ServerSettings.ReloadSettings()
at Duplicati.Server.Database.ServerSettings..ctor(Connection con)
at Duplicati.Server.Database.Connection..ctor(IDbConnection connection, Boolean disableFieldEncryption, KeyInstance key)
at Duplicati.Server.Program.GetDatabaseConnection(Dictionary`2 commandlineOptions, Boolean silentConsole)
at Duplicati.Server.Program.Main(String[] _args)
---> Duplicati.Library.Interface.SettingsEncryptionKeyMismatchException: Encryption key used to encrypt target settings does not match current key.
at Duplicati.Library.Encryption.EncryptedFieldHelper.Decrypt(String value, KeyInstance key)
at Duplicati.Server.Database.Connection.DecryptSensitiveFields(String fieldValue, KeyInstance key)
at Duplicati.Server.Database.Connection.<GetSettings>b__29_0(IDataReader rd)
at Duplicati.Server.Database.Connection.Read[T](IDbCommand cmd, Func`2 f)+MoveNext()
at System.Collections.Generic.LargeArrayBuilder`1.AddRange(IEnumerable`1 items)
at System.Collections.Generic.EnumerableHelpers.ToArray[T](IEnumerable`1 source)
at Duplicati.Server.Database.Connection.ReadFromDb[T](Func`2 f, String sql, Object[] args)
at Duplicati.Server.Database.Connection.GetSettings(Int64 id)
at Duplicati.Server.Database.ServerSettings.ReloadSettings()
at Duplicati.Server.Database.ServerSettings..ctor(Connection con)
at Duplicati.Server.Database.Connection..ctor(IDbConnection connection, Boolean disableFieldEncryption, KeyInstance key)
at Duplicati.Server.Program.GetDatabaseConnection(Dictionary`2 commandlineOptions, Boolean silentConsole)
at Duplicati.Server.Program.Main(String[] _args)
--- End of inner exception stack trace ---
at Duplicati.Server.Program.Main(String[] _args)
at Duplicati.GUI.TrayIcon.HostedInstanceKeeper.<>c__DisplayClass3_0.<.ctor>b__0(Object _)
--- End of inner exception stack trace ---
at Duplicati.GUI.TrayIcon.HostedInstanceKeeper..ctor(String[] args)
at Duplicati.GUI.TrayIcon.Program.Main(String[] _args)
at Duplicati.GUI.TrayIcon.Net8.Program.<>c__DisplayClass0_0.<Main>b__0()
at Duplicati.Library.Crashlog.CrashlogHelper.WrapWithCrashLog[T](Func`1 method)
Unhandled exception. Duplicati.Library.Interface.UserInformationException: Server crashed on startup
---> System.Exception: A serious error occurred in Duplicati: Duplicati.Library.Interface.SettingsEncryptionKeyMismatchException: Encryption key used to encrypt target settings does not match current key.
at Duplicati.Library.Encryption.EncryptedFieldHelper.Decrypt(String value, KeyInstance key)
at Duplicati.Server.Database.Connection.DecryptSensitiveFields(String fieldValue, KeyInstance key)
at Duplicati.Server.Database.Connection.<GetSettings>b__29_0(IDataReader rd)
at Duplicati.Server.Database.Connection.Read[T](IDbCommand cmd, Func`2 f)+MoveNext()
at System.Collections.Generic.LargeArrayBuilder`1.AddRange(IEnumerable`1 items)
at System.Collections.Generic.EnumerableHelpers.ToArray[T](IEnumerable`1 source)
at Duplicati.Server.Database.Connection.ReadFromDb[T](Func`2 f, String sql, Object[] args)
at Duplicati.Server.Database.Connection.GetSettings(Int64 id)
at Duplicati.Server.Database.ServerSettings.ReloadSettings()
at Duplicati.Server.Database.ServerSettings..ctor(Connection con)
at Duplicati.Server.Database.Connection..ctor(IDbConnection connection, Boolean disableFieldEncryption, KeyInstance key)
at Duplicati.Server.Program.GetDatabaseConnection(Dictionary`2 commandlineOptions, Boolean silentConsole)
at Duplicati.Server.Program.Main(String[] _args)
---> Duplicati.Library.Interface.SettingsEncryptionKeyMismatchException: Encryption key used to encrypt target settings does not match current key.
at Duplicati.Library.Encryption.EncryptedFieldHelper.Decrypt(String value, KeyInstance key)
at Duplicati.Server.Database.Connection.DecryptSensitiveFields(String fieldValue, KeyInstance key)
at Duplicati.Server.Database.Connection.<GetSettings>b__29_0(IDataReader rd)
at Duplicati.Server.Database.Connection.Read[T](IDbCommand cmd, Func`2 f)+MoveNext()
at System.Collections.Generic.LargeArrayBuilder`1.AddRange(IEnumerable`1 items)
at System.Collections.Generic.EnumerableHelpers.ToArray[T](IEnumerable`1 source)
at Duplicati.Server.Database.Connection.ReadFromDb[T](Func`2 f, String sql, Object[] args)
at Duplicati.Server.Database.Connection.GetSettings(Int64 id)
at Duplicati.Server.Database.ServerSettings.ReloadSettings()
at Duplicati.Server.Database.ServerSettings..ctor(Connection con)
at Duplicati.Server.Database.Connection..ctor(IDbConnection connection, Boolean disableFieldEncryption, KeyInstance key)
at Duplicati.Server.Program.GetDatabaseConnection(Dictionary`2 commandlineOptions, Boolean silentConsole)
at Duplicati.Server.Program.Main(String[] _args)
--- End of inner exception stack trace ---
at Duplicati.Server.Program.Main(String[] _args)
at Duplicati.GUI.TrayIcon.HostedInstanceKeeper.<>c__DisplayClass3_0.<.ctor>b__0(Object _)
--- End of inner exception stack trace ---
at Duplicati.GUI.TrayIcon.HostedInstanceKeeper..ctor(String[] args)
at Duplicati.GUI.TrayIcon.Program.Main(String[] _args)
at Duplicati.GUI.TrayIcon.Net8.Program.<>c__DisplayClass0_0.<Main>b__0()
at Duplicati.Library.Crashlog.CrashlogHelper.WrapWithCrashLog[T](Func`1 method)
at Duplicati.GUI.TrayIcon.Net8.Program.Main(String[] args)
You can test that theory by double quoting the key to keep cmd.exe from tripping over things like perceived redirection attempts from angle brackets, so you’d test:
"C:\Program Files\Duplicati 2\Duplicati.GUI.TrayIcon.exe" --settings-encryption-key="<key>"
What I get, when I do that, is this:
Server has started and is listening on localhost, port 8200
Duplicati has indeed started.
I also have this question (same as the OP), and I have read the documentation, but I do not understand at all. Can you explain step-by-step how to do this? TIA
Please describe your OS and installation (TrayIcon, WindowsService, Docker, etc.).
I’m using Pop_OS! 22.04 (Ubuntu) and I installed Duplicati using the *.deb file (version 2.1.0.112).
How are you starting it? You might have a systemd service running as root that you browse to manually. You might type or config duplicati for tray icon to use as you, including convenient (except it’s broken in 2.1.0.5) ability to Open Duplicati without a password having to ever be set. If you’re browsing manually, you need a password.
It is started as a program under the Startup Applications Preferences; a single command sent to the CLI duplicati
Are you saying that I should have set a password to start the program? I don’t recall being prompted for that - although I may have forgotten.
Unlike the GUI password (which can sometimes prompt you), DB encryption just warns, giving a button to get to a help page which I’ll try to interpret. The CLI warning is simply:
No database encryption key was found. The database will be stored unencrypted. Supply an encryption key via the environment variable SETTINGS_ENCRYPTION_KEY or disable database encryption with the option --disable-db-encryption
which is less alarming than GUI popup, and summarizes the ways to stop the warning.
Are you able to set options on command? If so, you can set --disable-db-encryption.
If you can’t, or you want some more security, the manual suggests you can do it like this:
The simplest way to apply an encryption key, is to locate the server database, and create the file preload.json if it does not already exist. The file should contain the following
(see manual, and remember to replace all of <key> with your choice for the key)
The default location when running Duplicati on Linux is ~/.config/Duplicati.
but you can also check this on your job’s Database screen. It’s likely in that folder.
If you encrypt the database, don’t lose its key, or job configuration must be redone.
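An added example, not part of the thread or of Duplicati's documentation: a launcher for the Linux "Startup Applications" case that supplies the key through the SETTINGS_ENCRYPTION_KEY environment variable named in the CLI warning above, so the key does not appear in the process command line. The key file path and the function names are assumptions made for this sketch, and `stat -c` is the GNU form found on Ubuntu-based systems.

```sh
#!/bin/sh
# Added example: start Duplicati with the settings key taken from a private file.
# Assumed (not from the thread): the key file location and the function names.
KEY_FILE="${DUPLICATI_KEY_FILE:-$HOME/.config/Duplicati/settings.key}"  # hypothetical path

# Print the key on stdout if the file is safe to use.
# Return codes: 1 = missing, 2 = readable by group/others, 3 = empty.
load_key() {
    f=$1
    [ -f "$f" ] || { echo "key file not found: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        600|400) ;;  # owner-only access
        *) echo "refusing $f: mode $mode, expected 600 or 400" >&2; return 2 ;;
    esac
    # First line only; drop a stray CR in case the file was edited on Windows.
    key=$(head -n 1 "$f" | tr -d '\r')
    [ -n "$key" ] || { echo "key file is empty: $f" >&2; return 3; }
    printf '%s' "$key"
}

# Export the key to the child process, then replace this shell with Duplicati.
launch_duplicati() {
    SETTINGS_ENCRYPTION_KEY=$(load_key "$KEY_FILE") || return $?
    export SETTINGS_ENCRYPTION_KEY
    exec duplicati "$@"
}

# Launch only when asked, so the functions can also be sourced on their own.
if [ "${1:-}" = "--launch" ]; then
    shift
    launch_duplicati "$@"
fi
```

Point the Startup Applications entry at this script with `--launch` in place of the bare `duplicati` command, and keep a copy of the key file somewhere outside the machine.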