I can add new keys to the login keychain under Linux either through seahorse (the GUI), or through the CLI:
secret-tool store --label "duplicati db" some-key some-value
where some-key some-value is a key-value pair I choose to refer to the key.
Now my question: What do I provide as ${key-name} for the settings encryption key? Any combination of some-key and some-value did not work and results in the message:
No database encryption key was found. The database will be stored unencrypted. Supply an encryption key via the environment variable SETTINGS_ENCRYPTION_KEY or disable database encryption with the option --disable-db-encryption
Is your shell one of the common ones that will take ${key-name} as a parameter expansion?
Duplicati’s choice of dollar sign as its prefix can be changed with this, per the command’s help:
--secret-provider-pattern: Use this option to specify a pattern for secret provider options. The pattern is used to find values that are intended to be translated by the secret provider. Patterns are treated as a prefix, with support for braces
Easier (if applicable) protect-from-shell might be backslash-before-dollar, or single-quote-wrap.
If this is only a libsecret problem, I don’t have it, but I used a file-secret provider. It worked, confirmed by seeing the secret provider method matched prior --settings-encryption-key.
The secret provider will find the three keys prefixed with $ and look them up with the secret provider.
but that only works if the shell hasn’t eaten the $ in a probably-futile attempt to obtain a value.
Per the documentation, it looks like just a dollar sign and key name. I don’t see it using braces.
You can see what you’re running by adding an echo in front of the duplicati that starts the line.
On that note, the manual looks like it’s using duplicati where it ought to be duplicati-cli, attempting to run a backup command. I don’t think the Tray Icon can run such command lines.
Ok, after some tinkering (and asking LLMs about the source code), I got it to run eventually. I think the documentation on this could be heavily improved, though, as this is not obvious at all.
Here’s a short guide:
Preferably use standard shells like bash or sh (e.g. zsh didn’t like the ? in commands).
Check in seahorse what your default collection (= keyring) is called. It shows up as a folder in seahorse. For me it’s called login.
Add a new password in seahorse or in the terminal via $ secret-tool store --label="Key-Label" some-key some-value. Remember the label!
Check if the key can be found through $ duplicati-secret-tool test libsecret://?collection=login "Key-Label". Use the label (here: Key-Label)!
For pattern substitution through the secret provider, choose a secret-provider-pattern that is not already used by your terminal. I.e., don’t use the default ${} if you’re in a Linux terminal! I used %{}.
Refer to the settings-encryption-key by the label you gave it before!
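What sh or bash does to each placeholder form discussed in this thread, as an added example that is not part of any post. The helper `received` and the variable names are made up for illustration, `Key-Label` is the label from the guide, and the shell variables `key` and `Key` are assumed to be unset.

```shell
#!/bin/sh
# Added example: what a program receives after the shell has processed a
# secret placeholder. Nothing here calls Duplicati; it only shows argv.

# received: return the first argument exactly as a child process gets it.
received() { printf '%s' "$1"; }

unset key Key
opt=--settings-encryption-key

# Double-quoted (or unquoted), ${Key-Label} is the shell's own
# "use this default if unset" expansion, so only the word Label arrives.
braces_dq=$(received "$opt=${Key-Label}")

# Without braces, $Key expands to nothing and -Label is left behind.
plain_dq=$(received "$opt=$Key-Label")

# Single quotes or a backslash keep the dollar sign for the secret provider.
braces_sq=$(received "$opt"'=${Key-Label}')
plain_bs=$(received "$opt=\$Key-Label")

# %{...} means nothing to sh or bash and passes through even unquoted.
percent=$(received $opt=%{Key-Label})

# The provider URL contains ?, a glob character, so quote it as well.
url=$(received 'libsecret://?collection=login')

# Print each result, one per line, in the order above.
printf '%s\n' "$braces_dq" "$plain_dq" "$braces_sq" "$plain_bs" "$percent" "$url"
```

The first two results show why the lookup fails silently: the program never sees a placeholder at all, only `Label` or `-Label` as a literal key.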