The question fits neatly into the title 
I’m on Linux Mint, and have the Duplicati server running via systemd. I assume that means the database where my “sensitive” information is saved is only accessible to root (or sudoers, of course)?
As far as I know you are correct - when run as root databases will be in /root/.config/Duplicati (unless otherwise specified by parameters) so should be as secure as that folder is.
1 Like
Passphrase and backend credentials can be retrieved easily by logging in to the Web UI, no matter where and how the local DB is stored.
To protect this information, don’t use the --webservice-interface=any to start the server and protect the Web UI with a password.
2 Likes