Duplicacy restore of encrypted backup fails with error

I am a new Duplicacy CLI user. I recently set up Duplicacy to perform backups to my Microsoft OneDrive storage backend using a key pair generated with OpenSSL. After successfully getting unencrypted backups and restores to work, I moved on to encrypted backups. The OpenSSL application requires input of a passphrase to successfully generate a private key. I am able to generate the keys and then use them to successfully complete an encrypted backup of a “test” directory.

However, I am unable to get Duplicacy to succesfully complete a “restore.” Each time I attempt the restore using the cmd: “duplicacy restore -r 1 -key private.pem,” Duplicacy fails with the error message: “Unsupported private key type ENCRYPTED PRIVATE KEY in private.pem.” I am entering proper Duplicacy storage / openssl passphrases when required by the applications. I’ve not found any similar problem reports and solutions through internet searches. Any suggestions for dealing with this issue would be greatly appreciated.

How did you generate the private key? Duplicacy is expecting the private key file to start with -----BEGIN RSA PRIVATE KEY-----. You should be able to convert your key to this format with openssl.

Thank you, I will check.

GChen - Thank you for your help. I modified the key file header to match at the begin and end with what you listed. Now I get a different error message: “Failed to parse the private key in private.pem: asnl: syntax error: sequence truncated.”

That error means you can’t simply change the file header. The data formats are different. If you tell me how you generated the key file maybe I can figure out what openssl command to convert the key file.

After doing a complete re-compile and install of OpenSSL from source (Windows 10 x64). I used the following commands to create new key files:

Private Key
openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private-key.pem

Public Key
openssl pkey -in private-key.pem -out public-key.pem -pubout

I can’t recall exactly how I ended up with the command format above. Subsequently, I used these for a test backup and restore and ended up with the same error outcome.

After reading your last note, I revisited the Duplicacy announcement on RSA encryption and compared my key generation commands with those in the Duplicacy announcement and found that somewhere in my troubleshooting effort, I had modified the key generation commands. Consequently, I retried the original Duplicacy commands as follows:

openssl genrsa -aes256 -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

And, I’m happy to say that my test backup and subsequent restore worked with these new keys.

Thank you for your help. Your notes and questions guided me to the solution.

Any insight into why the differences in the key generation commands caused the issue?

And, I’m using the following filter.txt file, but it does not appear to be excluding any of the files listed in the filter file (located in the .duplicacy folder). Any insights on why the filters.txt file is not working? All the “excluded” files appear to be getting included in the backup, since I delete them prior to doing the restore. After the restore, they reappear.

Filters.txt file listing:

'# Exclude files and folders that begin with a dot
'# List Specific Files and Folders to Exclude From Backup
'# Back up everything else in this repository (folder up one level)

While the filters file is a text file, you should omit the file extension .txt and just call it filters.


I will make that change. Thank you!