Duplicacy restore of encrypted backup fails with error

I am a new Duplicacy CLI user. I recently set up Duplicacy to perform backups to my Microsoft OneDrive storage backend using a key pair generated with OpenSSL. After successfully getting unencrypted backups and restores to work, I moved on to encrypted backups. The OpenSSL application requires input of a passphrase to successfully generate a private key. I am able to generate the keys and then use them to successfully complete an encrypted backup of a “test” directory.

However, I am unable to get Duplicacy to succesfully complete a “restore.” Each time I attempt the restore using the cmd: “duplicacy restore -r 1 -key private.pem,” Duplicacy fails with the error message: “Unsupported private key type ENCRYPTED PRIVATE KEY in private.pem.” I am entering proper Duplicacy storage / openssl passphrases when required by the applications. I’ve not found any similar problem reports and solutions through internet searches. Any suggestions for dealing with this issue would be greatly appreciated.

How did you generate the private key? Duplicacy is expecting the private key file to start with -----BEGIN RSA PRIVATE KEY-----. You should be able to convert your key to this format with openssl.

Thank you, I will check.

GChen - Thank you for your help. I modified the key file header to match at the begin and end with what you listed. Now I get a different error message: “Failed to parse the private key in private.pem: asnl: syntax error: sequence truncated.”

That error means you can’t simply change the file header. The data formats are different. If you tell me how you generated the key file maybe I can figure out what openssl command to convert the key file.

After doing a complete re-compile and install of OpenSSL from source (Windows 10 x64). I used the following commands to create new key files:

Private Key
openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private-key.pem

Public Key
openssl pkey -in private-key.pem -out public-key.pem -pubout

I can’t recall exactly how I ended up with the command format above. Subsequently, I used these for a test backup and restore and ended up with the same error outcome.

After reading your last note, I revisited the Duplicacy announcement on RSA encryption and compared my key generation commands with those in the Duplicacy announcement and found that somewhere in my troubleshooting effort, I had modified the key generation commands. Consequently, I retried the original Duplicacy commands as follows:

openssl genrsa -aes256 -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

And, I’m happy to say that my test backup and subsequent restore worked with these new keys.

Thank you for your help. Your notes and questions guided me to the solution.

Any insight into why the differences in the key generation commands caused the issue?

And, I’m using the following filter.txt file, but it does not appear to be excluding any of the files listed in the filter file (located in the .duplicacy folder). Any insights on why the filters.txt file is not working? All the “excluded” files appear to be getting included in the backup, since I delete them prior to doing the restore. After the restore, they reappear.

Filters.txt file listing:

'# Exclude files and folders that begin with a dot
'# List Specific Files and Folders to Exclude From Backup
'# Back up everything else in this repository (folder up one level)

While the filters file is a text file, you should omit the file extension .txt and just call it filters.


I will make that change. Thank you!


I have the same problem as described by @mpaczan.
Unfortunately I can’t restore my backups with the stored RSA key.
When I do a restore using the web version I get the following message. Same with the CLI Version.

The restore command encountered an error:
Unsupported private key type ENCRYPTED PRIVATE KEY in /home/anym/Downloads/gdrive-private.pem
Exit code: 100

After that I tried to convert the key to a PKCS#8 format.
openssl pkey -in gdrive-private.pem -out gdrive-private-pkcs8.pem -traditional
Here came the following message.

The restore command encountered an error:
Failed to parse the private key in /home/anym/Downloads/gdrive-private-pkcs8.pem: asn1: syntax error: sequence truncated
Exit code: 100

I tried to create a new key with the following commands and to open a new repo with it and to make a restore from it. Unfortunately also without success.

openssl genrsa -aes256 -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

Does anyone have any idea what I am doing wrong?

Sorry I don’t have a solution, but just wanted to throw my hat into the ring since I am getting the same error. I don’t seem to have the “traditional” parameter (using LibreSSL 3.3.6), and apparently that option has been missing since version 3.0. Hoping someone in the forums has an answer for us.

I have found the problem.
It is the generation of the RSA private key.
You have to add the option -traditional to generate the correct private key which will be accepted during restore.

openssl genrsa -aes256 -out private.pem -traditional 2048
openssl rsa -in private.pem --outform PEM -pubout -out public.pem

It would be great if this could still be noted in the instructions for creating the keys.


That page has been updated.

1 Like


Thanks for the solution to the RSA Private key generation issue! My investigation never resulted in identifying the solution. I’ll give Duplicacy another try using the option -traditional for key generation.


1 Like

For those who are interested, here is the explanation of the problem/solution.