How is the storage of email credentials (for sending reports) secured?

I have a Duplicati setup on a system that is sending email reports. This works, but it delivers to port 25 on my mail server without any credentials. I’d prefer it to use STARTTLS and use the submissions port, but that requires giving it user credentials. Before I do that, I’d like to know how these are stored to see if this is in any way secure enough.

The configuration is in Duplicati-server.sqlite. On Windows this is obfuscated to protect against simple scan tools. On Linux it is not, and I think it has to do with what SQLite is available. I suspect macOS is similar to Linux. DB Browser for SQLite can test this. If it can read the database, the DB is not obfuscated.

"Understanding the configuration storage in ~/.config/Duplicati. Can I remove stuff?" shows permissions which could probably be cut down to 600 from 644 unless you run the tray icon and use a web UI password.

Here is one determined user’s attempt to get good encryption, and some discussion of security issues.
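The two checks described in this reply (can a plain SQLite reader open the database, and is the file mode wider than 600) can be scripted. This is an added example, not part of the original posts or of Duplicati; the sample database and its `sample_settings` table are constructed for the demo, and the real file is assumed to be `~/.config/Duplicati/Duplicati-server.sqlite`.

```python
import os
import sqlite3
import stat
import sys
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any plain SQLite file


def audit_db(path):
    """Report whether the file is plain SQLite and who can access it."""
    with open(path, "rb") as fh:
        has_header = fh.read(16) == SQLITE_MAGIC

    opens = False
    if has_header:
        # Read-only URI open, so the audit never modifies the database.
        uri = Path(path).resolve().as_uri() + "?mode=ro"
        try:
            con = sqlite3.connect(uri, uri=True)
            try:
                con.execute("SELECT count(*) FROM sqlite_master").fetchone()
                opens = True
            finally:
                con.close()
        except sqlite3.DatabaseError:
            opens = False

    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "sqlite_header": has_header,      # True: not obfuscated on disk
        "opens_as_sqlite": opens,         # True: any SQLite tool can read it
        "mode": oct(mode),
        "group_or_other_access": bool(mode & 0o077),  # True: wider than 600
    }


def make_sample(directory, mode=0o644):
    """Constructed sample: an unobfuscated database with a hypothetical table."""
    path = os.path.join(directory, "Duplicati-server.sqlite")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sample_settings (name TEXT, value TEXT)")
    con.commit()
    con.close()
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample(tempfile.mkdtemp())
    print(target, audit_db(target))
```

Run it with the path to the real database as the only argument; with no argument it audits the constructed sample.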