Duplicacy CLI 2.1.2 has been released


Duplicacy CLI 2.1.2 can now be downloaded from the releases page.



This version was mainly made to support the new web-based GUI, but it was also overdue after so many fixes and improvements since 2.1.1. Of all these changes I wanted to bring to your attention one that is security-related: "Padding size was incorrect -- didn't pad to multiples of 256" (gilbertchen/duplicacy commit 21b3d9e on GitHub).

This bug caused Duplicacy to leak more information about the sizes of chunks. It is a known technique that an attacker can confirm the existence of a file by splitting the file in the same way as Duplicacy does and then comparing the resulting chunk sizes with those in the encrypted storage. If chunk sizes aren't rounded up to multiples of 256, this confirmation-of-a-file attack is more likely to succeed.

Fortunately, Duplicacy always generates a random 256-bit chunk seed when initializing an encrypted storage. This chunk seed is stored securely in the config file, and it determines how the chunks are split. So an attacker would never be able to figure out how Duplicacy splits chunks without breaking the encryption around the config file. Therefore I think the impact of this bug was minimal and there is no action to take.
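To make the two points above concrete (the size-matching attack, and why the seed defeats it), here is an added example that is not Duplicacy's code. It uses a toy seeded content-defined chunker, a constructed 32 KiB "file", and two constructed seeds; the chunker parameters, the 256-byte rounding helper and the `confirm_file` attacker routine are all assumptions made for illustration, not the project's actual algorithm or format.

```python
"""Toy model of the chunk-size leak: padding to multiples of 256 and the role of the chunk seed.

Added example; not Duplicacy's code. The chunker, file, seeds and parameters are constructed.
"""
import hashlib
import random

BLOCK = 256  # stored chunk sizes are rounded up to a multiple of this (the fixed behaviour)


def pad_len(n: int, block: int = BLOCK) -> int:
    """Smallest multiple of `block` that is >= n. A size that is already a multiple stays."""
    return (n + block - 1) // block * block


def chunk_sizes(data: bytes, seed: bytes, avg_bits: int = 11,
                min_size: int = 512, max_size: int = 8192, window: int = 16) -> list:
    """Seeded content-defined chunking (toy, assumed for illustration).

    A boundary is placed where the keyed BLAKE2b hash of the trailing `window` bytes has
    `avg_bits` trailing zero bits, giving ~2**avg_bits-byte chunks on average. Because the
    hash is keyed with `seed`, the boundaries, and therefore the sizes, depend on the seed.
    """
    mask = (1 << avg_bits) - 1
    sizes, start, n = [], 0, len(data)
    while start < n:
        end = min(start + max_size, n)  # hard cap keeps every chunk bounded
        cut = end
        for i in range(start + min_size, end):
            tag = hashlib.blake2b(data[max(0, i - window):i], key=seed, digest_size=2).digest()
            if int.from_bytes(tag, "big") & mask == 0:
                cut = i
                break
        sizes.append(cut - start)
        start = cut
    return sizes


def stored_sizes(raw_sizes, padded: bool = True) -> list:
    """What an observer of the storage sees: exact sizes (the bug) or rounded-up sizes (the fix)."""
    return [pad_len(s) if padded else s for s in raw_sizes]


def confirm_file(plaintext: bytes, guessed_seed: bytes, observed_sizes, padded: bool = True) -> bool:
    """Attacker side: chunk the suspected plaintext with a guessed seed and compare the
    resulting size vector with the sizes exposed by the storage. Exact equality is the
    strongest signal; with the wrong seed the boundaries do not line up at all."""
    return stored_sizes(chunk_sizes(plaintext, guessed_seed), padded) == observed_sizes


# Constructed inputs: a pseudo-random 32 KiB "file" and two 256-bit seeds.
FILE = random.Random(2018).randbytes(32 * 1024)
STORAGE_SEED = bytes.fromhex("11" * 32)  # the real chunk seed, living inside the encrypted config
WRONG_SEED = bytes.fromhex("22" * 32)    # what an attacker without the config is reduced to guessing


def demo() -> dict:
    raw = chunk_sizes(FILE, STORAGE_SEED)
    observed = stored_sizes(raw)
    return {
        "chunks": len(raw),
        "raw_sizes": raw,
        "stored_sizes": observed,
        "confirmed_with_real_seed": confirm_file(FILE, STORAGE_SEED, observed),
        "confirmed_with_wrong_seed": confirm_file(FILE, WRONG_SEED, observed),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things to read off the output: every stored size is a multiple of 256, so an exact plaintext chunk size is no longer visible, which is what the fix restores; and `confirm_file` only succeeds when the attacker's chunker uses the same seed as the storage, which is why the seed inside the encrypted config file is what limits the impact of the bug.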