Some security-related questions regarding using GPG encryption:
1. Where are the GPG keys stored? I’d like to make an extra backup of the private key in a key safe.
2. How is the private GPG key protected? E.g. when a password is used for the web interface, does that also encrypt the private GPG key [assuming with AES256]?
3. Can I select/create my own GPG keypair [to then use by setting GPG specific options in the job configuration]?
4. Is there one GPG keypair per backup or one per host [unless otherwise specified in the job configuration]?
5. What is needed to restore a backup that was encrypted using GPG? (probably answered by question 1)
Did not find the answer in the documentation, forum or sqlite databases for the backup itself.
I think 1, 2, 3, and 4 assume asymmetric encryption.
By default Duplicati uses symmetric encryption, so there is no private key, just a shared password. You can use asymmetric encryption as explained here:
If you use asymmetric encryption, the key is handled by GPG and not stored in Duplicati.
For (2) if you use symmetric encryption, the passphrase is stored in the database:
For (5) you would need the private key if you are using asymmetric, or the passphrase if you are using symmetric.
Perfect! Works like a charm. Very, very nice (also like the error reporting when keys are missing at backup/restore). The links provided everything I needed to get GPG encryption working. Apparently my creativity was too limited when searching the forum. Thanks for the apt and complete reply @kenkendk!