MacOS Error When Restoring Files Directly from Backup

Support
1

Hi all. Just got a new MacBook (MacOS Sequoia 15.2) and am setting up Duplicati (fresh install, 2.1.0.2_beta_2024-11-29). Using SSH to backup files to a Samba drive on the LAN. Backup works without errors, and I can see the backup files on the NAS drive. But when I try to restore directly from the backup files I get the following errors:

Failed to connect: An error occurred (In a popup - center screen)
Invalid header value: 00-05-16-07-00 (Bottom of screen, with show/dismiss options. "show" does nothing.)

Searching on the errors gave no useful info. Any ideas what may be happening here, and how to get a successful restore from the backup files?

2

Follow-up: it appears that restoring from a named profile works accurately. Just getting the error if I try to restore directly from backup files.

3

Did you try Show? This usually goes to the job log, but on Direct restore there is no job.

If there’s no special casing for that, maybe About → Show log → Live → Error will work.

If you see an error line, clicking on it may expand it to give a better idea of problem path.

4

This involves multiple steps on different screens. Where is failure?

FWIW I can run simple username/password direct restore just fine.

I’m on Canary but I’m not sure SSH is different. I don’t have a Mac.

5

Sorry, got distracted by some other activities. Here’s a screen-by-screen flow of what’s happening:

pic1
pic11184×414 33.3 KB

pic2
pic21470×814 30.9 KB

pic3
pic31450×618 20.3 KB

pic4
pic41638×1340 133 KB

pic5
pic51638×1340 81.3 KB

When I get to the final screen, nothing I click produces any results.

Hope this into helps.

6

The error is caused by the encryption detecting a broken header. The three first bytes are supposed to be AES + v2 giving 41-45-53-02-??.

As you can see the file found has different values, so it cannot be decrypted.
If you add the advanced options:

--log-file-log-level=Verbose
--log-file=<path-to-log-file>

The restore will write log data into the file, and this should narrow down exactly what file is defective. From there, you can hopefully find an explanation for why this file is no longer in the correct state.

Once you identify the file, you can rename the file so it will not be read by Duplicati, and try again.

7

Here is the log from the verbose run:

2025-01-21 16:59:07 -06 - [Information-Duplicati.Library.Main.Controller-StartingOperation]: The operation List has started
2025-01-21 16:59:07 -06 - [Information-Duplicati.Library.Main.Operation.ListFilesHandler-NoLocalDatabase]: No local database, accessing remote store
2025-01-21 16:59:07 -06 - [Information-Duplicati.Library.Main.BasicResults-BackendEvent]: Backend event: List - Started:  ()
2025-01-21 16:59:08 -06 - [Information-Duplicati.Library.Main.BasicResults-BackendEvent]: Backend event: List - Completed:  (526 bytes)
2025-01-21 16:59:08 -06 - [Information-Duplicati.Library.Main.BasicResults-BackendEvent]: Backend event: Get - Started: duplicati-20250121T063000Z.dlist.zip.aes (3.021 MB)
2025-01-21 16:59:08 -06 - [Retry-Duplicati.Library.Main.BackendManager-RetryGet]: Operation Get with file duplicati-20250121T063000Z.dlist.zip.aes attempt 1 of 5 failed with message: Failed to decrypt data (invalid passphrase?): Invalid password or corrupted data
System.Security.Cryptography.CryptographicException: Failed to decrypt data (invalid passphrase?): Invalid password or corrupted data
 ---> SharpAESCrypt.WrongPasswordException: Invalid password or corrupted data
   at SharpAESCrypt.SetupHelper.DecryptBulkEncryptionKeyAndVerifyHMAC(Byte[] data, HeaderEncryptionKey headerKey)
   at SharpAESCrypt.DecryptingStreamInternal.ReadEncryptionHeader(Stream stream, SetupHelper helper, String password, DecryptionOptions options)
   at SharpAESCrypt.DecryptingStreamInternal..ctor(String password, Stream stream, DecryptionOptions options)
   at SharpAESCrypt.DecryptingStream..ctor(String password, Stream stream, DecryptionOptions options)
   at Duplicati.Library.Encryption.AESEncryption.Decrypt(Stream input)
   at Duplicati.Library.Encryption.EncryptionBase.Decrypt(Stream input, Stream output)
   --- End of inner exception stack trace ---
   at Duplicati.Library.Encryption.EncryptionBase.Decrypt(Stream input, Stream output)
   at Duplicati.Library.Encryption.EncryptionBase.Decrypt(String inputfile, String outputfile)
   at Duplicati.Library.Main.BackendManager.DoGetFile(FileEntryItem item, IEncryption useDecrypter, CancellationToken cancellationToken)
   at Duplicati.Library.Main.BackendManager.DoGetAsync(FileEntryItem item, CancellationToken cancellationToken)
   at Duplicati.Library.Utility.Utility.Await(Task task)
   at Duplicati.Library.Main.BackendManager.ThreadRun()

So it is clearly crashing due to the inability to decrypt the file. However, I exported the backup configuration (with passwords) to a local JSON file, then copied the passphrase directly from the JSON file and pasted it into the “Restore from backup files” workflow. In theory, using this passphrase from the JSON should allow for decryption, yet it’s not working. To add to the confusion, when I restore using the “Restore from <named backup>” option, it seems to work fine and gives me the directory/file tree to restore from.

The only thing that may (or may not) be related, is that I don’t have signed certificates on my network. When I do the “from files” restore and enter the SSH destination info, I get a “please verify the cert key” warning. I answer “Yes” to that message and the process keeps going. Not sure if/how that may affect what I’m seeing, but I thought I’d mention that in case it makes a difference.

I’m pretty sure I’ve done a “from files” restore in the past, but I can’t swear to that, so I’m not sure if this is a 2.1.0.2 issue.