Apparently Duplicati saves all passwords (backup, servers, tokens, etc…) as plain text in an SQLite database. This database is encrypted but the program executable can decrypt it easily (correct me if I am wrong). Anyone with a simple read access to you AppData folder, including other Windows users could get this file, decrypt it and then have access to all your secured data.
If you have Windows Pro, Enterprise or Education there is a way to add extra protection to the Duplicati databases by using the EFS file system in a NTFS partition. Just locate the Duplicati configuration database file, right click, properties, advanced and then check “encrypt contents”. Once encrypted the file can be transparently accessed by the logged owner. Not even system administrators can read it (except if they are able to reset your password).
If you run Duplicati as a service you will also need to configure the service to run with your user credentials in order to be able to open the config files.
I think Duplicati could include a “Paranoid” mode that requires a master pass to load the config every time the program runs. This, obviously, would kill the automatic backups but allows the the user to run the program directly from the backup HD without the risk of having any data compromised in case the media is lost.
Yes, you are correct. The file can easily be decrypted; the encryption is weak and only serves to guard against harddisk string scanning, not a dedicated attacker.
So far this is the only drawback to Duplicati I’ve seen. To be fair I don’t know how other backup solutions deal with password storage. My workaround is to use the portable installation mode which moves the AppData folder inside the main program folder, then move that to a VeraCrypt volume. I use Smart Retention, a 3hr setting and an autorun.inf to run Duplicati when the volume opens. It should start missed backups as soon as it starts. Here’s a post with some links at SE: https://softwarerecs.stackexchange.com/a/55070/30586