S3 Access Keys in Backup Job

When you add your S3 keys to S3 buckets for a backup job, where are those stored and how? I hope these are not stored in plain text anywhere. Can I get verification of how these are stored and used?

Welcome to the forum @jcreamer

I haven’t tested this (I don’t even use S3) but you can if you like. Settings for backups are in an SQLite database called Duplicati-server.sqlite whose location varies depending on OS and installation method. On Windows, for a basic install, it is in C:\Users\<Duplicati user account>\AppData\Local\Duplicati

On Windows, the database is encrypted, but the encryption algorithm is weak and it has a fixed default password which you can change. The intent is to defeat casual browsing and malware string scanners.

Anyone who can start Duplicati can start it with --unencrypted-database, to use an SQLite DB browser.

For a Windows service install, Windows ACLs also offer some protection, because the database is in the profile for the SYSTEM account and thus is not accessible except to a process running as an Administrator.

Another way for a user with access to Duplicati’s web UI is to look at the UI or export the backup job for command line use, but just look at the secrets instead, which the command line run would need for use. Password protection is possible but there’s not yet a regular-user versus well-trusted administrator split.

Defeating a determined adversary on the system is pretty much impossible because they can just grab whatever decrypted secrets they like just before Duplicati (or any program) passes them on for S3 use:

AmazonS3Client (string, string, AmazonS3Config)

Constructs AmazonS3Client with AWS Access Key ID, AWS Secret Key and an AmazonS3Client Configuration object.

Fix not revealing stored passwords from the UI [$100] #2024 also has an interesting note on someone who keeps the DB in a VeraCrypt volume. That should be good for stopping a certain class of attack…
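A way to check the concern raised in the question, added here as an example rather than code from the thread or from Duplicati: it scans the raw bytes of a settings database file for AWS access key IDs, so a match shows the key ID sits in the file unencrypted and readable by any process that can open it. The file path, the table name and the sample key are constructed assumptions, not Duplicati's schema.

```python
"""Added example: does a Duplicati settings database hold an AWS access
key ID in plain text? Works on raw file bytes, so no schema knowledge
is needed. AWS access key IDs are 20 uppercase alphanumerics prefixed
AKIA (long-term) or ASIA (temporary STS credentials)."""
import os
import re
import sqlite3
import tempfile

ACCESS_KEY_ID_RE = re.compile(rb"(?:AKIA|ASIA)[0-9A-Z]{16}")


def find_key_ids(data):
    """Return sorted, de-duplicated access key IDs found in raw bytes.
    The 40-char secret key is deliberately not matched: its alphabet is
    generic base64 and would flood the result with false positives."""
    return sorted({m.decode("ascii") for m in ACCESS_KEY_ID_RE.findall(data)})


def scan_file_for_plaintext_key_ids(path):
    """Scan a file (e.g. Duplicati-server.sqlite) without opening it as
    a database, so an encrypted or locked file is scanned as-is."""
    with open(path, "rb") as fh:
        return find_key_ids(fh.read())


def build_constructed_db(path, key_id):
    """Construct a throwaway SQLite file storing a key ID unencrypted.
    This mimics the failure mode being checked; the table layout is
    invented for the example and is NOT Duplicati's schema."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE Option (Name TEXT, Value TEXT)")
    con.execute("INSERT INTO Option VALUES (?, ?)", ("aws-access-key-id", key_id))
    con.commit()
    con.close()


def demo():
    """Build the constructed DB in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "Duplicati-server.sqlite")
        # AWS's documented example key ID, never a live credential.
        build_constructed_db(db, "AKIAIOSFODNN7EXAMPLE")
        return scan_file_for_plaintext_key_ids(db)


if __name__ == "__main__":
    print(demo())  # ['AKIAIOSFODNN7EXAMPLE']
```

Point it at the real Duplicati-server.sqlite path from the reply above to check your own install; an empty result only says the key ID is not stored as plain ASCII, not that the secret key is protected.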