Using signed URLs for backup uploads (S3, Google Storage)

Duplicati.Server.exe talks about

--server-encryption-key
This option sets the encryption key used to scramble the local settings database. This option can also be set with the environment variable DUPLICATI_DB_KEY. Use the option --unencrypted-database to disable the database scrambling.

and

--unencrypted-database
Disables database encryption.

which make the weak encryption slightly more secure (or at least off the default), or turn it off if desired.
“Which tool can open encrypted DB” talks about the encryption used on Windows, but it’s not high quality.

Duplicati security is more against attacks on the remote backup, and less on attacks on its own system.
The support of CLI use requires the ability of the Duplicati administrator to see their own credentials, etc.

I’m not an IAM expert, and I’m even less an expert on IAM automation, but manual setup won’t scale well.
