No is the short answer. Probably not enough of an answer. Long one takes time to research and write.
appears to be stored as a hash and a salt in the server database Duplicati-server.sqlite. My example is:
The hash is Base64 encoded in storage. Transmission from browser to server uses one-use nonce too:
This is stored better on Windows, where at least it uses an included version of System.Data.SQLite that allows the whole server database to be weakly encrypted using a fixed key (or your choice, if you prefer).
--server-encryption-key
This option sets the encryption key used to scramble the local settings database. This option can also be set with the environment variableDUPLICATI_DB_KEY. Use the option--unencrypted-databaseto disable the database scrambling.
Systems that are not Windows typically do not ship a version of SQLite that supports the data scrambling.
Windows being very uniform allows Duplicati to provide one, however third-party tools to read it are scarce which is a good thing because it impedes snooping with DB browser, and basic scrambling and database usage impede generic automated password scanning. It’s not foolproof, as one can turn off the encryption.
Are in some cases protected by the DB scrambling for all providers, and for some providers OAuth usage adds an additional level of difficulty as the actual credentials are not saved at the local system as you saw.
Credentials typically have to be presented directly to the storage provider’s API, so at some point they are memory-resident and could be stolen by an advanced attacker. Duplicati needs to authenticate to provider.
They’re not directly compromised, as they’re not in the database. An advanced attacker would have to get them from memory, or try to steal them from the OAuth server (assuming they were able to steal AuthID).
Yes, and to anything else handled by the Duplicati OAuth Handler. You can see a list (and a UI) at that site.
Neither. 1.3.4 is a 2013 release that is not supported. There aren’t even enough volunteers to support 2.0 ideally, which is one reason it’s still Beta (and response times can be less than ideal to forum and Issues.
If 2.0 works well enough, use it. There can be bugs reported, but usage is at 3 million backups per month, meaning percentage of problems is pretty low (unless you’re unlucky). Multiple backups is safest anyway.
Depending on what level they get to, system might be completely compromised, complete with keyloggers plus custom malware inserted or replacing original software. Duplicati can’t solve deep OS-level attacking which might even be done at the system drive level (encrypting drive will help) by reading/changing its files.
Unless you’re a high-value target, one typically uses layered defenses and hopes the attackers don’t get in. Just be aware that once somebody or something gets access, a determined attacker may often get more. Automated tools are less sophisticated, but a live attacker in your systems is a very bad security situation.