Hi Pectojin,
Thanks for the explanation. Sadly, once seen, the elephant can’t be unseen.
My disappointment was so great that I was unable to reply immediately. I had to think things through first.
Adding a password to the user interface won’t stop anyone from decrypting any Duplicati backup. Since Duplicati is open source and freely available, anyone can download and install it on another machine, and use option 3 to decrypt anyone’s Duplicati backup without any password.
I’m curious: what is the purpose of all the encryption if it can be bypassed so easily? One can just as well back up the data without any encryption, and it would likely be faster too.
And I wonder: If any Duplicati user should discover that all that wonderful encryption gives a false sense of security (as in zero security), will they continue to use it?
But let’s forget about the elephant in the room for a moment. Let’s concentrate on what can be done to fix this. Some thoughts:
Can Option 3 be left out of the product? That would immediately make it somewhat secure, as both Option 1 and 2 require a password. But since Duplicati is open source, any programmer can take the code and add Option 3 back again. Duplicati will have to change radically to prevent that.
Can the “connection info on the disk” (as you call it) be encrypted using the same password? That should make it secure. Once the keys to the castle are decrypted, it can decrypt the backups and the restore can begin.
I take my hat off to the programmers who coded Duplicati. Amazing skill, great features! It shows so much promise! But the job is not done yet! Back to the drawing board! This is a beta, after all. There is room for improvement.
In the meantime, I’ll continue to use Duplicati for its deduplication features, but not without encrypting the backup drive with VeraCrypt first. One of my hopes for Duplicati was that I could skip the VeraCrypt step, as it is hard for users to understand and use. In my experience, backups simply won’t get done if they have to mount the backup drive first.
I’m looking forward with anticipation to seeing how Duplicati will change as a result of this post. Blessings and grace upon everyone who will help fix this!
Zero