Hi, I’m new here, so apologies if this has been discussed before.
I don’t need the ability to decrypt the server’s database myself, as it can usually be recreated without much effort.
My main concern is preventing an attacker from accessing the encryption key used for the server’s database.
From what I’ve seen, all the current methods for storing the encryption password could be compromised if an attacker gains access to the system.
Is there a way for Duplicati to generate a random encryption key that only it can use, without storing the key in a way that could be easily accessed by an intruder?
That is generally really hard. If one application on a system can see a secret, a totally compromised system can be forced to reveal the secret to another process.
This is even true for the case where a hardware module is used to guard secrets.
I think the best you can do is to guard it in such a way that anyone who has not compromised your account cannot access the encryption key. My suggestion for gaining this is to use the secret provider and then using your operating system keychain to provide the encryption key.