Security bug: no password challenge

Duplicati - 2.0.3.3_beta_2018-04-02

Let me start by saying how impressed I am with Duplicati. Well done, guys!

I think I may have found a security bug, though…

During restore, one gets 3 options:

  1. Direct restore from backup files…
  2. Restore from configuration…
  3. <My backup job’s name>

When I restore with either 1 or 2, it prompts me for the decryption password.
When I restore using 3, it does not prompt for the decryption password. Which means, anyone with access to my PC could potentially restore my backups.

Is this normal behavior, or a bug?

Zero

Hey Zero welcome to the forum :slight_smile:

When restoring from a backup job Duplicati will read the password out of the database, where it has to be stored for Duplicati to back up without intervention.

If you’re sharing a machine, I’d definitely recommend password-protecting your web UI to avoid the exact scenario you’re describing.

I’m not sure specifically protecting restore with a password makes sense in addition to regular login on the web ui. Is there a scenario where a user is allowed to modify how the backup runs but not to restore the files?

Hi Pectojin. Thanks for the welcome and reply!

My PC is password protected. But I fear that someone may grab the hard drive and be able to restore the data elsewhere without a password. Or would the 3rd option not be available to a thief?

I guess I can test that myself :slight_smile:

Zero

If someone steals the hard drive and can read it then it’s fair game. There’s no way to back up without either storing connection info on the disk or storing it in memory. And storing it in memory would be forcing you to enter it each time you want to start Duplicati.

What I meant to say about password protection is that you can add password protection to the user interface to prevent people from accessing it as easily.

It won’t make a difference if someone steals the disk, but it would prevent people from simply opening the browser on your machine and accessing the data. But, if they’re on your machine, they may already have access to the data on disk provided that Duplicati is running under your user (although they’d have to locate it on disk).

Hi Pectojin,

Thanks for the explanation. Sadly, once seen, the elephant can’t be unseen.

My disappointment was so great that I was unable to reply immediately. I had to think things through first.

Adding a password to the user interface won’t stop anyone from decrypting any Duplicati backup. Since Duplicati is open source and freely available, anyone can download and install it on another machine, and use option 3 to decrypt anyone’s Duplicati backup without any password.

I’m curious: what is the purpose of all the encryption if it can be bypassed so easily? One can just as well backup the data without any encryption, and it would likely be faster too.

And I wonder: If any Duplicati user should discover that all that wonderful encryption gives a false sense of security (as in zero security), will they continue to use it?

But let’s forget about the elephant in the room for a moment. Let’s concentrate on what can be done to fix this. Some thoughts:

Can Option 3 be left out of the product? That would immediately make it somewhat secure, as both Option 1 and 2 require a password. But since Duplicati is open source, any programmer can take the code and add Option 3 back again. Duplicati will have to change radically to prevent that.

Can the “connection info on the disk” (as you call it) be encrypted using the same password? That should make it secure. Once the keys to the castle are decrypted, it can decrypt the backups and the restore can begin.

I take my hat off to the programmers who coded Duplicati. Amazing skill, great features! It shows so much promise! But the job is not done yet! Back to the drawing board! This is a beta, after all. There is room for improvement. :slight_smile:

In the meantime, I’ll continue to use Duplicati for its deduplication features, but not without encrypting the backup drive with VeraCrypt first. One of my hopes for Duplicati was that I could skip the VeraCrypt step, as it is hard for users to understand and use. In my experience, backups simply won’t get done if they have to mount the backup drive first.

I’m looking forward with anticipation to see how Duplicati will change as a result of this post. Blessings and grace upon everyone who will help fix this!

Zero

That’s not how it works. You configured the backup with your own password, which Duplicati saved in a database on your disk. No one else can decrypt your backup - open source or not - unless they have your password.

Ah! I stand corrected! Thank you!

Zero
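The design proposed earlier in the thread (encrypt the stored connection info under the user's own password) and the trade-off Pectojin raised (an unattended backup then needs that secret in memory), as an added worked example. This is not Duplicati's code and does not describe how Duplicati stores its settings; it only shows what the proposal would buy and what it would cost. Standard library only: scrypt for key derivation, and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as the cipher, chosen for portability; a real product should use an AEAD (AES-GCM or ChaCha20-Poly1305) from a vetted library instead. The passphrases are constructed sample values.

```python
"""Added example (not Duplicati's code): keep the backup passphrase on disk only in wrapped
form, so a stolen disk yields ciphertext rather than the passphrase. Also shows the trade-off:
an unattended backup can only start if the master password is already in memory, and a thief
with the disk is reduced to offline guessing of that master password."""
import hashlib
import hmac
import secrets


def _derive_keys(master_password, salt):
    # scrypt with n=2**14, r=8 costs about 16 MiB of memory per guess, slowing offline attacks.
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                        n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def _keystream(key, nonce, length):
    # HMAC(key, nonce || counter) blocks, concatenated until `length` bytes are available.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_passphrase(master_password, backup_passphrase):
    """Return the record that would be stored in the local settings database."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = backup_passphrase.encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def unwrap_passphrase(master_password, record):
    """Recover the backup passphrase; raise ValueError on a wrong password or tampering."""
    salt, nonce, ciphertext, tag = (bytes.fromhex(record[k])
                                    for k in ("salt", "nonce", "ciphertext", "tag"))
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # verify the tag before decrypting anything
        raise ValueError("wrong master password or tampered record")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))).decode("utf-8")


def scheduled_backup_passphrase(record, master_password_in_memory):
    """Unattended run: succeeds only if the master password is already cached by the
    running process. Returns None when the user would have to be prompted instead."""
    if master_password_in_memory is None:
        return None
    return unwrap_passphrase(master_password_in_memory, record)


def offline_guess(record, candidates):
    """What a thief with the disk but without the master password is reduced to:
    one scrypt evaluation per candidate. Returns the first candidate that verifies."""
    for candidate in candidates:
        try:
            unwrap_passphrase(candidate, record)
            return candidate
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    rec = wrap_passphrase("correct horse battery staple", "my-backup-passphrase")
    print("stored record:", rec)  # salt, nonce, ciphertext and tag only
    print("unattended, nothing cached:", scheduled_backup_passphrase(rec, None))
    print("unattended, cached:", scheduled_backup_passphrase(rec, "correct horse battery staple"))
    print("thief's wordlist hit:", offline_guess(rec, ["password", "letmein"]))
```

The point of `offline_guess` is that wrapping does not make a stolen disk "fair game" any less for a weak master password: the thief no longer reads the passphrase, but can try candidates at the rate scrypt allows, so the scheme is only as strong as the master password and the KDF cost. And `scheduled_backup_passphrase` is the cost side: either the service keeps the master password in memory after one interactive unlock, or the scheduled job cannot run.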

While it sounds like things have been figured out I did want to mention that if you wanted to continue with using VeraCrypt to encrypt the backup drive you could use --run-script-before-required and --run-script-after parameters to run command line scripts to mount and unmount the VeraCrypt drive.

Of course those might come with their own sets of security issues, but it’s an option…
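The mount/dismount script suggested above, as an added worked example (not Duplicati's or VeraCrypt's code). It assumes that Duplicati exports DUPLICATI__EVENTNAME ("BEFORE"/"AFTER") and DUPLICATI__OPERATIONNAME to the script, as its bundled run-script-example.sh documents, and that a non-zero exit from a --run-script-before-required script aborts the job. The veracrypt text-mode flags used (--text, --non-interactive, --stdin, --keyfiles, --pim, --protect-hidden, --mount, --dismount) are written from memory and should be checked against `veracrypt --help` on your build; the volume path and password file are placeholders. It also carries the "own set of security issues" caveat into code: the VeraCrypt password now lives in a file, so the script refuses to run unless that file is readable by its owner only, and it feeds the password over stdin so it does not appear in `ps`.

```python
#!/usr/bin/env python3
"""Added example (not Duplicati's or VeraCrypt's code): mount a VeraCrypt volume before a
Duplicati job (--run-script-before-required) and dismount it afterwards (--run-script-after),
so the backup drive stays locked between runs."""
import os
import stat
import subprocess
import sys

VOLUME = "/dev/disk/by-label/BACKUP"       # placeholder: the VeraCrypt volume or device
MOUNTPOINT = "/mnt/backup"                 # placeholder: where Duplicati's target folder lives
PASSWORD_FILE = "/etc/duplicati/vc.pass"   # placeholder: mode 0600, owned by the Duplicati user


def secret_mode_ok(mode):
    """The password file moves the secret, it does not remove it: insist that no other
    user on the machine can read it (no group or other permission bits at all)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def read_secret(path):
    st = os.stat(path)
    if not secret_mode_ok(st.st_mode):
        raise PermissionError(f"{path} is group/world accessible; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        return fh.read().rstrip("\r\n")


def plan(event):
    """Map Duplicati's event name to the veracrypt argv. The password is not placed on the
    command line (it would show in `ps`); it is piped to --stdin by main(). Returns None
    for events this script ignores."""
    base = ["veracrypt", "--text", "--non-interactive"]
    if event == "BEFORE":
        return base + ["--stdin", "--keyfiles=", "--pim=0", "--protect-hidden=no",
                       "--mount", VOLUME, MOUNTPOINT]
    if event == "AFTER":
        return base + ["--dismount", MOUNTPOINT]
    return None


def main(environ=os.environ, run=subprocess.run, is_mounted=os.path.ismount,
         read=read_secret):
    """Returns the process exit code. Dependencies are parameters so the logic can be
    exercised without a real volume."""
    event = environ.get("DUPLICATI__EVENTNAME", "")
    op = environ.get("DUPLICATI__OPERATIONNAME", "?")
    argv = plan(event)
    if argv is None:
        return 0
    if event == "BEFORE":
        if is_mounted(MOUNTPOINT):
            return 0  # already mounted (e.g. by the user): leave it alone
        result = run(argv, input=read(PASSWORD_FILE) + "\n", text=True)
        # Trust the mountpoint, not just veracrypt's exit status, before letting the job run.
        if result.returncode != 0 or not is_mounted(MOUNTPOINT):
            print(f"VeraCrypt mount failed before {op}; aborting job", file=sys.stderr)
            return 1  # non-zero under --run-script-before-required aborts the job
        return 0
    # AFTER: the job has finished either way; dismount so the drive is locked again.
    result = run(argv, text=True)
    return 0 if result.returncode == 0 else 1


if __name__ == "__main__":
    sys.exit(main())
```

Configure the same script under both `--run-script-before-required` and `--run-script-after`; it decides what to do from DUPLICATI__EVENTNAME. One known gap: if the volume was already mounted by the user when the job started, the AFTER step still dismounts it; a state file written in the BEFORE step would let the script dismount only what it mounted.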