Server Argument Security

I’m a bit concerned by the useage of passwords in the command line. Most OSes, by default, show the command line parameters to all users. If duplicati has passwords defined in the executed command line, that means either the --webservice-sslcertificatepassword or the --webservice-sslcertificatepassword could me seen by any user logged into the machine running duplicati.

Possible fixes:

  • Add a command line option to define a file where credentials are stored. Then the password file can be subject to file permissions. (Recommended)
  • Allow the user to set environmental variable in the shell before executing duplicati executable. This will not show up in a process list. As long as it isn’t set a system-wide variable, it could be limited to the that specific shell instance. I’m not sure how easy this is with some OSes (Windows).

This is already supported:

> Duplicati.CommandLine.exe help passphrase
  --passphrase (Password): Passphrase used to encrypt backups
    Supply a passphrase that Duplicati will use to encrypt the backup volumes,
    making them unreadable without the passphrase. This variable can also be
    supplied through the environment variable PASSPHRASE.

> Duplicati.CommandLine.exe help auth-password
  --auth-password (Password): Supplies the password used to connect to the
    server
    The password used to connect to the server. This may also be supplied as
    the environment variable "AUTH_PASSWORD".

You can also configure it from a file if you prefer:

> Duplicati.CommandLine.exe help parameters-file
  --parameters-file (Path): Path to a file with parameters
    This option can be used to store some or all of the options given to the
    commandline client. The file must be a plain text file, UTF-8 encoding is
    preferred. Each line in the file should be of the format --option=value.
    The special options --source and --target can be used to override the
    localpath and the remote destination uri, respectively. The options in
    this file take precedence over the options provided on the commandline.
    You cannot specify filters in both the file and on the commandline.
    Instead, you can use the special --replace-filter, --append-filter, or
    --prepend-filter options to specify filters inside the parameter file.
    Each filter must be prefixed with either a + or a -, and multiple filters
    must be joined with :
    * aliases: --parameter-file, --parameterfile
1 Like

Does this also apply to the server executable ? The documentation only mentions for the CLI.

@kenkendk I can’t find any documentation that any of the previously mention parameters apply to the server executable. Are they just undocumented or do they not exist?

They do not exist. The server executable hosts a scheduler (among other things) that run backup tasks. The options are supported by each job, but not by the server (it runs as a single instance, serving multiple jobs).

The commandline version runs fully “headless” in that it does not (and cannot) interact with the server.

My issue is with the having the PKSC12/PFX password in the clear for the TLS certifcate and for the webadmin password being in the process list for any logged in user to see for the whole runtime of the server.

If the server executable could get the --parameters-file option that would resolve all of these issues at once.

Okay… Looks like I’ll open an enhancement request on GitHub.

Opened enhancement: Server needs --parameters-file argument · Issue #2928 · duplicati/duplicati · GitHub

1 Like

Renamed topic for better clarification

3 posts were split to a new topic: Duplicati environment variable security