How to enter encryption passphrase from command-line?

Support
1

I’m trying to use duplicati-cli to search a remote SSH backup (database is local), using the following command-line:

duplicati-cli find ssh://[URL]/[PATH] --ssh-keyfile .ssh/id_dsa.pub --enable-module=console-password-input '*.txt'

I get the following error. Is there some way to have the CLI prompt me for the encryption passphrase? I thought console-password-input might do it, but apparently not.

Enter encryption passphrase: 
System.InvalidOperationException: Cannot read keys when either application does not have a console or when console input has been redirected from a file. Try Console.Read.
   at System.Console.ReadKey(Boolean intercept)
   at Duplicati.Library.Modules.Builtin.ConsolePasswordInput.ReadPassphraseFromConsole(Boolean confirm)
   at Duplicati.Library.Modules.Builtin.ConsolePasswordInput.Configure(IDictionary`2 commandlineOptions)
   at Duplicati.Library.Main.Controller.SetupCommonOptions(ISetCommonOptions result, String[]& paths, IFilter& filter)
   at Duplicati.Library.Main.Controller.RunAction[T](T result, String[]& paths, IFilter& filter, Action`1 method)
   at Duplicati.Library.Main.Controller.List(IEnumerable`1 filterstrings, IFilter filter)
   at Duplicati.CommandLine.Commands.List(TextWriter outwriter, Action`1 setup, List`1 args, Dictionary`2 options, IFilter filter)
   at Duplicati.CommandLine.Program.RunCommandLine(TextWriter outwriter, TextWriter errwriter, Action`1 setup, String[] args)
2

It looks like you’re being prompted for a passphrase then the error happens. Does the error come up directly or are you typing something in after what looks like an “Enter encryption passphrase:” prompt?

3

It isn’t giving me an opportunity to enter the encryption passphrase. The prompt and error appear together immediately. I assume the “cannot read keys” error means the way the command is invoked isn’t allowing for keyboard input for the encryption passphrase.

4

Thanks for the details. Does the error change if you don’t explicitly enable the console password input?

5

Hi @ajkessel. The switch you’re looking for is:

–passphrase
Supply a passphrase that Duplicati will use to encrypt the backup volumes, making them unreadable without the passphrase. This variable can also be supplied through the environment variable PASSPHRASE.

6

Same error whether I include --enable-module=console-password-input or not.

7

I try to avoid putting secure passphrases in the clear–setting an environmental variable means the passphrase is then stored in the clear in my bash command history, etc. But I tried it for testing purposes and now get a different error (same result if I include the passphrase on the command-line with --passphrase rather than in the environmental variable; it also doesn’t seem to matter whether the passphrase is correct or not):

System.NullReferenceException: Object reference not set to an instance of an object.
   at Duplicati.Library.Main.Controller.ValidateOptionValue(ICommandLineArgument arg, String optionname, String value)
   at Duplicati.Library.Main.Controller.ValidateOptions(ILogWriter log)
   at Duplicati.Library.Main.Controller.SetupCommonOptions(ISetCommonOptions result, String[]& paths, IFilter& filter)
   at Duplicati.Library.Main.Controller.RunAction[T](T result, String[]& paths, IFilter& filter, Action`1 method)
   at Duplicati.Library.Main.Controller.List(IEnumerable`1 filterstrings, IFilter filter)
   at Duplicati.CommandLine.Commands.List(TextWriter outwriter, Action`1 setup, List`1 args, Dictionary`2 options, IFilter filter)
   at Duplicati.CommandLine.Program.RunCommandLine(TextWriter outwriter, TextWriter errwriter, Action`1 setup, String[] args)
8

That is a bug caused by the auto-updater being redesigned. It basically spawns a new process and redirects the stdin/stdout, and this does not work with ReadKey() as the error indicates. I need to rewrite the console-password-input module to fix this.

A workaround is to disable the autoupdater by setting the environment variable:

export AUTOUPDATER_Duplicati_SKIP_UPDATE=1

Then you run directly in the process and stdin/stdout are not redirected.

I cannot reproduce this. Can you post the actual commandline (with a bogus passphrase of course) ?

I tried this:

> duplicati-cli backup xyz://test --passphrase=123 .
Fatal error => Backend not supported: xyz

It does not give the crash that you see.

Yes, that is because the environment variable is used to set the --passphrase value internally if it is left empty. The console-passphrase-input module only does something if the passphrase is empty and --no-encryption is not activated.

9

I should clarify that I usually use cygwin, although as described below the problem exists either way. The source system is a Windows 10 box, the target system Debian Linux.

Interestingly, when I run my duplicati command line from a Windows shell, rather than the Cygwin shell, it does correctly prompt me for the encryption passphrase. This is true whether or not I set AUTOUPDATER_Duplicati_SKIP_UPDATE. Specifically, on the Cygwin shell, it won’t let me enter the passphrase whether or note the update environmental variable is set. On the Windows shell, it asks me for the passphrase whether or note the variable is set, but the command overall still doesn’t work, whether I set the passphrase with an environmental variable or a command line.

I get the same error either way:

System.NullReferenceException: Object reference not set to an instance of an object.
   at Duplicati.Library.Main.Controller.ValidateOptionValue(ICommandLineArgument arg, String optionname, String value)
   at Duplicati.Library.Main.Controller.ValidateOptions(ILogWriter log)
   at Duplicati.Library.Main.Controller.SetupCommonOptions(ISetCommonOptions result, String[]& paths, IFilter& filter)
   at Duplicati.Library.Main.Controller.RunAction[T](T result, String[]& paths, IFilter& filter, Action`1 method)
   at Duplicati.Library.Main.Controller.List(IEnumerable`1 filterstrings, IFilter filter)
   at Duplicati.CommandLine.Commands.List(TextWriter outwriter, Action`1 setup, List`1 args, Dictionary`2 options, IFilter filter)
   at Duplicati.CommandLine.Program.RunCommandLine(TextWriter outwriter, TextWriter errwriter, Action`1 setup, String[] args)

The command-line I am trying:

duplicati-cli find ssh://192.168.98.1/media/veracrypt1/carbon --ssh-keyfile .ssh/id_dsa.pub '*.txt'

(Cygwin shell)

or

Duplicati.CommandLine.exe find ssh://192.168.98.1/media/veracrypt1/carbon --ssh-keyfile c:\cygwin\.ssh\id_dsa.pub '*.txt'

(Windows shell)

I’ve also tried it with --passphrase ‘*****’ in both command lines.

Either way I get the NullReferenceException error.

10

A quick guess, did you have --passphrase 1234 instead of --passphrase=1234 ?

Anyway, I cannot reproduce, so is this for the latest canary build? (I assumed it was).

11

I tried both --passphrase ‘1234’ and --passphrase=‘1234’.

Version is 2.0.2.1_beta_2017-08-01 on my Windows box (source/client)
Version is 2.0.2.12_canary_2017-10-20 on my Linux box (target)

Maybe that’s the problem? Does it even execute Duplicati on the ssh target? I had assumed it was just accessing the files on that end but not any local Duplicati binaries.

12

Correct - Duplicati only accesses the files on the destination, it won’t interact with any potential Duplicati install on the destination.

13

Should I switch my Windows box to canary build? I had been sticking to beta on the idea that it should be more stable.

14

I use the canary channel myself and haven’t had any issues, but then I’m doing pretty straight forward backups (local source, SSH destination, etc.).

If you have the time, I’d recommend using the zip of the latest version from here Releases · duplicati/duplicati · GitHub. You can run it from the unzip folder if you want which makes it easy to do testing of specific functionality rather than updating your “live” installation.

Note that this will use the same save-file location as your normal installation so be careful with any job changes.