There are some posts asking about the password, but I’m only using the UI, not the CLI, so it wasn’t clear to me. Are these passwords used to encrypt the backup end to end? What algorithms/cyphers are used for this encryption?
Yes, it’s equivalent to init -e. Read more about it here.
Basically, the password encrypts the config file on the storage, which in turn stores all the keys mentioned there.
1 Like
Thank you. What’s the advantage of using RSA Encryption here then?
Is it possible to change this password? I can’t find it in the web UI.
To change the password, you’d have to resort to using the CLI, which you can still do.
RSA encryption is a separate form of encryption in addition to the main encryption - the main purpose (IMO) is if you have an untrusted backend storage (like a NAS/server) and need to do maintenance and other tasks such as prune, check - that storage could run Duplicacy without compromising the RSA encryption key.
You’d need the RSA key, which can be stored away from the backend server, to decrypt when doing restores etc…
1 Like
Thank you Droolio, but I’m not sure I follow when RSA would be advantageous. I’m backing up my Windows computer no a local NAS and S3, for example. What’s the vulnerability that would affect me if I’m not using RSA? Let’s say the S3 gets compromised or someone breaks into my house and runs away with the the NSA (and in both cases the encryption at rest gets circumvented somehow). How does the RSA encryption protect me above the encryption password (which ultimately uses AES-GCM)?
If you’re just using a local NAS or S3 (AWS?), and only 1 Duplicacy client, then RSA isn’t gonna help you much.
RSA encryption is asymmetric - you can split up the keys and using the public key to encrypt data, and only the private key can be used to decrypt. That way, you can keep the public key on untrusted systems and the private key secure with you.
One use case is if you have multiple Duplicacy clients - say a family member’s PC - backing up to a shared storage. They can backup to the storage because they have the RSA public key and the base encryption password, but they can’t restore (especially your) data without the private key, which you keep to yourself.
Another use case is if you have a hosted VPS and need to do maintenance operations such as prune and a basic check directly on that device. Again, this can be done without the private key residing on the machine.
If you just use basic encryption and S3 gets ‘compromised’, nothing happens, coz no keys are stored on there anyway. Nobody can see your data without the password.
If someone physically breaks into your house, it won’t matter what keys are used since they’ll have physical access to the original data anyway. 
(Unless your system is encrypted then that’s ok I guess - if your RSA key is stored alongside it - though hopefully you have an offline backup say on a USB stick or in a password manager, lest you’ll not be able to recover!)
The major benefit is if you have multiple PCs to backup; using RSA effectively protects other PCs’ data being read from the storage, while still allowing clients to backup to it.
1 Like
I do intend to have my family backing up to AWS S3 too. In reality, everyone will have their own user, key, and bucket. Let’s ignore that.
If I’m not using RSA, to restore from the backup, wouldn’t anyone else also need the main password, to unlock the various keys used for encryption (AES and all that)?
Fair enough. In that case, separate buckets would suggest no need for RSA encryption then.
Correct, you’d still need a the main encryption password. As you’re not storing that password on the buckets, the data will be safe from prying eyes even if access was compromised.
1 Like
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.