Questions regarding cryptographic aspects

I don’t know how far your key storage question was meant to go, but the passphrase story is complex, due to the different ways to make a Duplicati backup. The server database is used by the Server – basically in the GUI.

CommandLine (like most of them) can have passphrase given as an option on terminal or script, like this:

passphrase

Supply a passphrase that Duplicati will use to encrypt the backup volumes, making them unreadable without the passphrase. This variable can also be supplied through the environment variable PASSPHRASE.

If a passphrase is needed and is not supplied, the user is prompted to type it (obscured by * for privacy), which means that where it is stored is up to the user, similarly to the above case where an environment variable is set – somehow – from whatever storage the user wants. Another way to set any option is with scripts writing new options to their output. For CommandLine, parameters-file can store the passphrase.
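
The environment-variable route described above, as an added example that is not part of the original post and not Duplicati's own code: a wrapper that reads the passphrase from a user-chosen file, refuses the file if group or other can access it, and sets PASSPHRASE only for the one command it launches, so the value never appears in the argument list. The helper names, the file location and the command shown in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not Duplicati code. Helper names and paths are hypothetical.

# Succeeds only for a regular file with no group/other permission bits set.
secret_file_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage: run_with_passphrase <secret-file> <command> [args...]
# Runs the command with PASSPHRASE present only in that command's environment.
run_with_passphrase() {
    secret_file=$1
    shift
    if ! secret_file_is_private "$secret_file"; then
        echo "refusing: $secret_file is missing or accessible by group/other" >&2
        return 2
    fi
    # First line of the file is the passphrase; tolerate a missing newline.
    pass=
    IFS= read -r pass < "$secret_file" || :
    if [ -z "$pass" ]; then
        echo "refusing: $secret_file is empty" >&2
        return 3
    fi
    # The assignment prefix scopes the variable to this one external command.
    PASSPHRASE=$pass "$@"
    rc=$?
    unset pass
    return "$rc"
}

# Example call (storage URL and source path are placeholders):
# run_with_passphrase "$HOME/.config/backup/passphrase" \
#     duplicati-cli backup "<storage-URL>" "<source-path>"
```
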