Error: Failed To Decrypt Data (Invalid Passphrase?)

This issue has been posted about several times, but I don’t see any resolutions yet. My laptop has been getting a blue screen of death (Windows 10) lately. I later discovered it was bad RAM. As I was getting ready to run some hardware tests, I did a manual backup with Duplicati as a precaution. That’s when I noticed the Invalid Passphrase issue had recently started.

I don’t see anything new that caused it to start in the logs. Assuming the BSODs are maybe to blame. I was not able to complete a new backup, or recover any files, or repair the database. I was using version 2.0.3.3. The backups would run a long while before finally throwing the error at the “deleting unwanted files” stage.

Error: Failed to decrypt data (invalid passphrase?): Message has been altered, do not trust content

I confirmed I could manually decrypt the files using AESCrypt for Windows, so I know the password is valid. I have it stored in my password manager.

I recreated the database which completed successfully. This allowed me to complete one backup without any errors/warnings on the profile. It also allowed me to restore files from old backups which did not work before. Any subsequent backups received the error again. I have upgraded to version 2.0.5.1 and done a recreate and successful backup twice now, with all subsequent backups failing.

Anybody have any ideas of what can be done without starting a new backup? This backup is over 200GB off-site which would take me 3 days at full bandwidth to re-upload.

Hello, we have seen several posts recently where people have this issue when trying to restore data, and it turned out to be caused by a browser password manager. Can you try either deleting the password manager entries tied to the Duplicati URL, or temporarily disabling your password manager? Let us know if it makes any difference.

Hello, this is happening with Duplicati running as a service in the background as well. The password manager and the browser are closed while the service is running over night.

Oh, sorry I didn’t read your post carefully and assumed you were trying to do a restore operation. So this is happening while you do a backup, I’m guessing during the verification phase (at the end of the backup job).

You may want to re-save the correct encryption password in your backup job configuration. Make sure your password manager is not running at the time so it doesn’t mess with that field.

No problem. I tried to restore as well, just to confirm the backup is good. The restore and backup both fail unless I recreate the database first. And yes, the error comes near the end of the backup. I noticed it after it showed “deleting unwanted files” for a while.

I did un-hide the password in the field and confirm that it’s accurate with what I have in my password manager. It is. I tried what was recommended with no change. I’m pretty sure my case is not related to the password manager.

The logs show that one specific dblock keeps trying and failing. It started one more, then failed.

Mar 23, 2020 3:01 PM: Operation Get with file duplicati-b895695fcf24949f7ae65a862f3b3f2ff.dblock.zip.aes attempt 5 of 5 failed with message: Failed to decrypt data (invalid passphrase?): Message has been altered, do not trust content
Mar 23, 2020 3:01 PM: Backend event: Get - Started: duplicati-b89db3cef5e624fee8079d20eaa7b4548.dblock.zip.aes (249.76 MB)
Mar 23, 2020 3:01 PM: The operation Backup has failed with error: Failed to decrypt data (invalid passphrase?):
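The triage described in the post above, as an added example that is not part of the original thread or Duplicati's own code: it scans log lines in the format quoted above and reports remote volumes that used up every retry and failed with the "Message has been altered" error each time. Treating that pattern as a sign of a damaged stored file rather than a transient transfer problem is a heuristic assumed here; the attempt 1-4 lines and the example-transient file name are constructed.

```python
import re
from collections import defaultdict

# Retry-failure line format, taken from the log excerpt quoted in the post above.
RETRY_FAILED = re.compile(
    r"^(?P<when>.+?): Operation (?P<op>\w+) with file (?P<file>\S+) "
    r"attempt (?P<n>\d+) of (?P<total>\d+) failed with message: (?P<msg>.*)$"
)
# Text from the error quoted in the thread; used here to spot integrity failures.
INTEGRITY_TEXT = "Message has been altered"

# Constructed sample: the attempt-5 and "Backend event" lines are from the post;
# attempts 1-4 and the "example-transient" file are made up for illustration.
BAD = "duplicati-b895695fcf24949f7ae65a862f3b3f2ff.dblock.zip.aes"
ERR = "Failed to decrypt data (invalid passphrase?): Message has been altered, do not trust content"
SAMPLE_LOG = [
    f"Mar 23, 2020 2:5{i} PM: Operation Get with file {BAD} attempt {i} of 5 failed with message: {ERR}"
    for i in range(1, 5)
] + [
    f"Mar 23, 2020 3:01 PM: Operation Get with file {BAD} attempt 5 of 5 failed with message: {ERR}",
    "Mar 23, 2020 3:01 PM: Backend event: Get - Started: "
    "duplicati-b89db3cef5e624fee8079d20eaa7b4548.dblock.zip.aes (249.76 MB)",
    "Mar 23, 2020 3:02 PM: Operation Get with file example-transient.dblock.zip.aes "
    "attempt 1 of 5 failed with message: The operation has timed out",
]


def suspect_volumes(lines):
    """Return {file: failed_attempts} for volumes that used up every retry
    and failed the integrity check each time (likely damaged at rest)."""
    attempts = defaultdict(list)  # file -> [(attempt_no, total, is_integrity_failure)]
    for line in lines:
        m = RETRY_FAILED.match(line.strip())
        if m:
            attempts[m["file"]].append(
                (int(m["n"]), int(m["total"]), INTEGRITY_TEXT in m["msg"])
            )
    suspects = {}
    for name, tries in attempts.items():
        exhausted = any(n == total for n, total, _ in tries)
        if exhausted and all(bad for _, _, bad in tries):
            suspects[name] = len(tries)
    return suspects


if __name__ == "__main__":
    for name, count in suspect_volumes(SAMPLE_LOG).items():
        print(f"{name}: {count} failed attempts, all integrity errors")
```

The names it returns are the ones to feed to the “affected” command before deciding whether to rename or purge anything.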

If it’s only a problem with this single dblock, then maybe it is corrupt due to the bad RAM you had. You can run the “affected” command to see which files this impacts.

In the web UI, click on your backup set then click the blue “Commandline…” link. On the next screen change the dropdown to “affected”. Clear the contents of the “Commandline arguments” box and paste the name of the dblock file in there. Then scroll to the bottom and click the blue “Run “affected” command now” button.

The bad RAM could definitely be the issue. I’m looking for a motherboard replacement now, but still have to use this laptop to work until then. Hopefully it won’t cause more issues.

Command line is a very useful feature that I was not aware of. There looks like a ton of options worth playing with in there.

In this case, what would you recommend next? I ran the --full-result argument to see the full report. There are 33 items listed. Most are junk I can just delete, but my .OST file and several folders I need to keep (like my pictures folder) are listed. No actual pictures inside the folder are listed though.

I believe the course of action is to delete the bad dblock, and then run the purge-broken-files command. (You may want to run list-broken-files before purge-broken-files to see what will happen.)

But this is uncharted territory for me, I’ve never had the need to use the command myself. @ts678 may have other thoughts, I believe he has helped users with these commands in the past.

Thank you. If I just rename the dblock, can I put it back if the delete and purge fails, or am I likely risking breaking the whole backup? I have a second backup locally, but this is my offsite backup so if I break it I’ll need to go physically get the hard drive (half hour away) and re-seed it.

Recovering by purging files is the relevant manual section (but other parts of that page are related).

However…

I know you tested a dblock with AES Crypt. That might be good for this file too. Also, look at its time if destination allows it, so that you can estimate when it was uploaded. Is it old, or in bad-memory time?

Duplicati rarely downloads files, and has no other way to test that they are as intended. After backup, Verifying backend files is done, but its sample size is small by default. It can be raised for a long test.

The TEST command is also available if you want to do a standalone test that’s not part of the backup.

Compacting files at the backend can also download, during a longer “Deleting unwanted files” phase.

Restore doesn’t prove intact backup unless you use --no-local-blocks or restore onto another system.

Renaming it with a different prefix (e.g. hidden-) should hide it because it’s not this backup’s --prefix. That will keep it around in case we want it later. But earlier comment about downloading will work too.

EDIT:

To add to the mystery, throttling upload (if you ever did) could cause upload corruption before 2.0.5.1.
This would result in hidden damage which would be discovered later during test, compact, or restore.

Thank you for the suggestions. I hope to check all of this out soon.

Oddly enough, although nothing else has changed, I can suddenly no longer load the web interface for Duplicati. I have restarted the service and the PC with no change. The service says it’s running, but backups don’t trigger either.

I may have to try reinstalling it. I’ll get back as soon as I can. I’m just trying to hang in there until my new motherboard arrives for now.

I assume service status was from Task Manager Services tab or Services tool linked on there.
That tool could attempt to add some logging to file after Duplicati.WindowsService.exe launches Duplicati.Server.exe. Duplicati.WindowsService.exe shows how to do that at initial service install, however the Windows Services tool lets you amend a startup line (Path to executable) later.

I don’t know if you also run Duplicati.TrayIcon.exe. If so, a full set of processes is shown under
[SOLVED] Is it ok that I see 5 processes of Duplicati in Windows Task manager?

What happens? Is there an error message (like you get with service down), or does it sit silently?
How to do a hard refresh in Chrome, Firefox and IE? might help if it gets stuck. If it can’t, logs at Duplicati level for web server startup and browser activity are pretty minimal, but maybe can help.

The netstat command can show if anything is working at the usual Duplicati port (probably 8200). Because you run a service, you probably need an Admin prompt in order to look at Duplicati use:

C:\>netstat -ano | findstr 8200
  TCP    127.0.0.1:8200         0.0.0.0:0              LISTENING       4704
  TCP    127.0.0.1:8200         127.0.0.1:57070        ESTABLISHED     4704
  TCP    127.0.0.1:8200         127.0.0.1:57071        ESTABLISHED     4704
  TCP    127.0.0.1:8200         127.0.0.1:57072        ESTABLISHED     4704
  TCP    127.0.0.1:8200         127.0.0.1:57073        ESTABLISHED     4704
  TCP    127.0.0.1:8200         127.0.0.1:57074        ESTABLISHED     4704
  TCP    127.0.0.1:8200         127.0.0.1:57075        ESTABLISHED     4704
  TCP    127.0.0.1:8200         127.0.0.1:57401        ESTABLISHED     4704
  TCP    127.0.0.1:8200         127.0.0.1:57402        ESTABLISHED     4704
  TCP    127.0.0.1:8200         127.0.0.1:57554        ESTABLISHED     4704
  TCP    127.0.0.1:8200         127.0.0.1:57567        ESTABLISHED     4704
  TCP    127.0.0.1:57070        127.0.0.1:8200         ESTABLISHED     71936
  TCP    127.0.0.1:57071        127.0.0.1:8200         ESTABLISHED     71936
  TCP    127.0.0.1:57072        127.0.0.1:8200         ESTABLISHED     10664
  TCP    127.0.0.1:57073        127.0.0.1:8200         ESTABLISHED     10664
  TCP    127.0.0.1:57074        127.0.0.1:8200         ESTABLISHED     10664
  TCP    127.0.0.1:57075        127.0.0.1:8200         ESTABLISHED     10664
  TCP    127.0.0.1:57401        127.0.0.1:8200         ESTABLISHED     19088
  TCP    127.0.0.1:57402        127.0.0.1:8200         ESTABLISHED     19088
  TCP    127.0.0.1:57554        127.0.0.1:8200         ESTABLISHED     19088
  TCP    127.0.0.1:57567        127.0.0.1:8200         ESTABLISHED     4704

C:\>

I am running Duplicati as a server. I originally set it up using the “Duplicati.WindowsService.exe install” command.

I’m not using the TrayIcon normally. I did try running it separately from the service and was able to connect to it on port 8300 as a test. I put --no-hosted-server in the Target on the shortcut and ran it that way as well to connect to the service. Task manager shows 2 Duplicati processes start and run for about 5 or 6 seconds before they disappear without error.

Trying to connect to 8200 from any browser just gives that browser’s error that the page can’t be displayed because the server can’t be found basically. I did also run netstat before and was unable to find any server running on 8200 or 8300.

I’ve never had this issue before either. I’ve been running Duplicati as a service on this PC for well over a year. On my other computer, I always have to restart the service once after the PC boots to enable a connection to port 8200, but it always works after that. I chalked that up to a fluke because I did my original setup on that PC and had a lot of trial and error before I got everything right.

It probably ran out of retries when trying to get to Server on 8200 which was found to not be working.
Below points out that retries are finite when server isn’t there (or in your case, can’t be connected to).

It sounds like your Duplicati.GUI.TrayIcon moved from first-try 8200 to 8300 all by itself, which usually means something else got 8200 first, yet you find no Duplicati server on 8200 with browser or netstat.
Did you test the way I showed, so that any process having anything to do with port 8200 would show?

Ubuntu 18.04, Duplicati Service did not start anymore was fixed, possibly by restarting the system, but other things were done too. You can also see how you could edit in a custom --webservice-port to test, editing the service startup as above. For example, move it to 8400, restart, and see if you can connect.

Or if convenient enough, restart the whole system to see if some transient use of port 8200 goes away.

If the service doesn’t stay up at boot, try changing it from Automatic to Automatic (Delayed start).
Windows Service fails to start #2717 is my explanation, and has a couple of workarounds one can use.

Thanks, I’ll take a look at all of this as soon as I have time.

Sorry, I should have been more clear on this. The service ran and all scheduled backups ran, but the web interface would not load until the service was restarted once. I haven’t accessed the web interface in a while on that PC, so I just tested it again. It is now working normally after a reboot. It probably got fixed when I did the last Duplicati upgrade. More likely a Windows 7 issue than a Duplicati version issue I think.

Just an update. Multiple reboots didn’t fix it. I knew nothing should be running on port 8200 except Duplicati, so I just tried reinstalling it. After the reinstall it is working normally again.

Additionally, last night my backup succeeded for the first time in 6 attempts without me rebuilding the database. I just re-ran it manually and it failed though.

I did replace my motherboard yesterday as well (RAM tested good on the new one). I had some corrupted system files according to windows command “SFC /scannow”. After much work, I was able to repair all of those files as well, so hopefully my system is solid again. I will be viewing the original advice on fixing the dblock issue next. I’ll report back.

I haven’t forgotten about this one. Just been busy. Now both of my profiles to this same destination are getting the same issue. I will hopefully get to it this weekend.

Update: I recreated the database again, caused the invalid passphrase error to show up. I checked the logs for the affected dblock. Using the commandline I checked for affected files, none were important. I renamed the dblock (rather than deleting it), ran the list-broken-files, then purge-broken-files command.

Since doing this, I have successfully run the profile 3 times in a row which didn’t happen before the purge. I actually just got this error on my second profile as well, so I will try to repeat the steps for that one which is a much larger profile.

Another note: I mentioned the issue where the Windows 7 computer requires me to restart the Duplicati service once after every reboot in order to make the web-interface accessible. I thought this was fixed, but it still happens. It is a minor annoyance, and easily fixed after each reboot for now. I will eventually have to rebuild/upgrade this PC anyway so I won’t spend time troubleshooting that one. My feeling is a full, clean reinstall would likely fix it.

I also plan to test a full restore of the first profile onto a different system to be sure the files are all there. I’ll report back once I have more.

If it’s not one thing it’s another. During this process my offsite USB hard drive was disconnecting from Windows several times. Checking Windows logs shows disk errors over the past few months. I may have a failing backup drive. That may also be why these errors started in the first place.

I’ve lost access to the drive now, and will need to drive over in a few days to check it out. I will probably just buy a replacement and see if I can migrate everything over before I have to start the backups from scratch. Unfortunately it’s not RAID. I’ll be back…