Encrypting the database

This is the part that I don’t understand:
(see manual, and remember to replace all of key with your choice for the key)
Where (or how) do I generate the key?

Despite the term “key”, I think (certainly hope so – maybe dev can confirm) that this is a password/passphrase that you just choose per usual advice to reduce guessing attacks.

Possibly the terminology is a holdover from an earlier design intent which had to change:

Regardless, typical encryption methods do need a key, but they make it from user input.

Key derivation function (Wikipedia)

In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase

So your job is to pick a reasonable secret, and let Duplicati use it to make an internal key.

Okay, so I put that file in and then I get this:

$ duplicati
The database appears to be encrypted, but no key was specified. Opening the database will likely fail. Use the environment variable SETTINGS_ENCRYPTION_KEY to specify the key.
No database encryption key was found. The database will be stored unencrypted. Supply an encryption key via the environment variable SETTINGS_ENCRYPTION_KEY or disable database encryption with the option --disable-db-encryption

Use the environment variable SETTINGS_ENCRYPTION_KEY to specify the key.

Where & how do I do this?

How To Read and Set Environmental and Shell Variables on Linux is a general tutorial.

If you use the bash shell, you can just say:

SETTINGS_ENCRYPTION_KEY=<key> duplicati (replacing <key> with your passphrase)

If you don’t use the bash shell, you might need to put the word env in front of that line.

You can also ignore the rather brief message directions and do:

duplicati --settings-encryption-key=<key> as shown in the built-in help command:

--settings-encryption-key: Use this option to set the encryption key for the settings database. This option can also be set with the environment variable SETTINGS_ENCRYPTION_KEY.

Easiest is to use the ~/.config/Duplicati/preload.json file. Did you? Can you read it?

For the config file preload.json, it’s unclear to me what the EXACT format is…

Do I put Quotes around the passphrase, or brackets? Or nothing?

I just simply do not understand and I’ve been using LINUX for 20 years.

Please explain it to me like I’m five years old.

What passphrase? I never set one.

Where does it go?

I’ve made the preload.json file, but it’s not being read.

Do I replace the less-than-sign-KEY-greater-than-sign with a passphrase/password?
Do I use quotes?

If so, when and how does the database get encrypted?

Like I said, the documentation around this is atrocious and nonsensical.

Okay, got it working.

What did not work: The preload.json file did not work.

What did work: Under StartUp programs

env SETTINGS_ENCRYPTION_KEY="password" duplicati

Where password is a proper password.

Securing the database

is me suggesting replacing those five letters with your chosen password/passphrase.

If you do that, it keeps the quotes that are now around <key>. Other ways may exist.

OK, I see it’s getting worse. Next round.

You pick one, just like for any password/passphrase. Duplicati is asking you to set it.

In a file ~/.config/Duplicati/preload.json, using the template from the manual.
Where it shows <key>, replace that with your password.

Running ls -lu ~/.config/Duplicati/preload.json at Duplicati start should show a recent time.
If so, it’s being read, but there might be a problem inside.

Yes. Use of angle brackets with a description inside is common in computer documentation.

what does angle brackets mean in documentation? [duplicate]

Sometimes documentation uses italics or similar, but sometimes one has only basic text.

There is similar confusion possible in documentation about how to interpret quote marks.

In file docs, one sees angle brackets inside double quotes. One person typed too literally.

IMO it would be helpful (though maybe repeated) to say what to do with a given template.

You can leave the existing quotes that are already there.

When you start Duplicati.

You can do the ls -lu, and check the format of the file. If you like, post the whole thing with your password replaced with REDACTED and everything else left exactly as it is there.

All works for me, although this is my first use on Linux, so I’m not the ultimate authority.


The word “key” is somewhat arbitrary and can be replaced with one of the words: password/passphrase/secret/random-string.

I try to keep consistent terminology to avoid confusing even more:

  • Passphrase: the encryption passphrase (not using the word “password” here, as it should be longer than a password)
  • Encryption key: the password or secret used to encrypt database fields
  • Access password: the password required to access the user interface
  • Credentials: information required to access a remote store (usually username+password)

If you enter it directly in the shortcut, you should also be able to provide it as a command-line argument:

duplicati --settings-encryption-key="password"

The reason for the other ways to provide this is that different setups require different levels of protection, and some might not want to have the password written into the shortcut; environment variables and the preload file are ways to achieve this.

If you have it working, that is fine. The main purpose of the encryption key is to protect the secrets inside the database, should it ever leave your system.
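As an added example (not Duplicati project code and not posted by anyone in this thread), the launcher below ties together the three points made above: the key is a secret you generate yourself, it is handed to Duplicati through the SETTINGS_ENCRYPTION_KEY environment variable (the `env SETTINGS_ENCRYPTION_KEY="password" duplicati` form that worked for the original poster), and it is kept out of the startup shortcut and out of the command line, where any local user could read it from the process list. It stores the key in a file that only the owner can read and refuses to start if the file has looser permissions. The key file path, the DUPLICATI_KEY_FILE override and the helper names are this example's own choices; the only facts taken from the thread are the variable name and that an `env VAR=value duplicati` prefix works. The preload.json route is not covered because its exact format is not shown on this page.

```shell
#!/bin/sh
# Added example, not Duplicati project code: start Duplicati with the settings-database
# key read from a mode-0600 file, so the key is neither in the startup shortcut nor
# visible in `ps` output (a --settings-encryption-key=... argument would be).
# Assumptions (not from the thread): the key file location DUPLICATI_KEY_FILE, the
# default path below, and the helper names are this example's own choices. The only
# Duplicati facts relied on are the SETTINGS_ENCRYPTION_KEY variable and that
# `env SETTINGS_ENCRYPTION_KEY=... duplicati` is an accepted way to pass it.

KEY_FILE="${DUPLICATI_KEY_FILE:-$HOME/.config/Duplicati/db-key}"

# Create a fresh key: 32 random bytes from a CSPRNG, base64-encoded (44 printable
# characters). Everything is written under umask 077 so the file is never readable by
# other users, not even for an instant between creation and a later chmod.
generate_key() {
    keyfile=$1
    (
        umask 077
        mkdir -p "$(dirname "$keyfile")"
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -base64 32 > "$keyfile"
        else
            head -c 32 /dev/urandom | base64 | tr -d '\n' > "$keyfile"
        fi
    )
}

# Refuse a key file that is missing, empty, or readable by group/others.
# Columns 5-10 of `ls -l` are the group and other permission bits; all six must be '-'.
check_key_file() {
    keyfile=$1
    if [ ! -f "$keyfile" ]; then
        echo "key file $keyfile does not exist (run with --generate first)" >&2
        return 1
    fi
    if [ ! -s "$keyfile" ]; then
        echo "key file $keyfile is empty" >&2
        return 1
    fi
    perms=$(ls -ld -- "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "key file $keyfile is readable by others (group/other bits: $perms); chmod 600 it" >&2
        return 1
    fi
    return 0
}

# Run COMMAND with SETTINGS_ENCRYPTION_KEY set from the key file: the same mechanism as
# `env SETTINGS_ENCRYPTION_KEY="password" duplicati`, without the password in the command.
run_with_key() {
    keyfile=$1
    shift
    check_key_file "$keyfile" || return 1
    env SETTINGS_ENCRYPTION_KEY="$(cat "$keyfile")" "$@"
}

# Usage:  ./duplicati-launch.sh --generate   (once)     ./duplicati-launch.sh --run
case "${1:-}" in
    --generate) generate_key "$KEY_FILE" && echo "key written to $KEY_FILE" ;;
    --run)      run_with_key "$KEY_FILE" duplicati ;;
esac
```

Point the startup entry at `duplicati-launch.sh --run` instead of at a line containing the password. Back up the key file somewhere safe: without it, the secrets in an encrypted settings database cannot be recovered, which is exactly the property the encryption is meant to provide when the database leaves the system.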