Over on the duplicati forum they are discussing duplicati's security:
I’d like to point out one comment by the duplicati developer in particular:
After thinking about this for a while, I see that we need to consider the attacker scenario.
1. User exposes password (like password re-use, etc.)
2. Machine/network is breached
3. Destructive malware/ransomware
If we use the keyfile approach, as duplicacy does, we can only really cover (1).
If the machine is breached, they can easily recover the real passphrase, and changing the keyfile passphrase is not going to prevent anything.
Malware/ransomware can effectively kill the keyfile and make backups useless.
What does this mean for duplicacy? How secure is it? Or rather: what are duplicacy’s current vulnerabilities?
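To make the developer's three scenarios concrete, here is an added Python model of the keyfile scheme the comment describes (a random master key wrapped under a passphrase-derived key); it is not code from duplicati or duplicacy. The AEAD is a stdlib-only toy stand-in for a real cipher, and the function names, scrypt parameters and sample chunk are my own assumptions.

```python
import hashlib, hmac, os, secrets

# Toy AEAD stand-in, stdlib only (HMAC-SHA256 keystream plus HMAC tag); a real backup tool uses AES-GCM or similar.
def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))[:n]

def seal(key, pt):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def derive_kek(passphrase, salt):  # passphrase -> key-encryption key; it never encrypts data directly
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
def wrap_master_key(master, passphrase):  # the "keyfile": a random master key sealed under the KEK
    salt = os.urandom(16)
    return {"salt": salt, "wrapped": seal(derive_kek(passphrase, salt), master)}
def unlock_keyfile(keyfile, passphrase):
    return unseal(derive_kek(passphrase, keyfile["salt"]), keyfile["wrapped"])
def change_passphrase(keyfile, old, new):  # re-wraps the SAME master key; data chunks are untouched
    return wrap_master_key(unlock_keyfile(keyfile, old), new)

def opens(key, blob):  # does this key decrypt this blob?
    try:
        return unseal(key, blob) is not None
    except ValueError:
        return False

def run_scenarios():
    """Which of the developer's three scenarios does rotating the passphrase defend against?"""
    master = secrets.token_bytes(32)
    keyfile = wrap_master_key(master, "old-passphrase")
    chunk = seal(master, b"constructed backup chunk")
    stolen_master = unlock_keyfile(keyfile, "old-passphrase")  # scenario 2: attacker already read the machine
    keyfile = change_passphrase(keyfile, "old-passphrase", "new-passphrase")
    return {
        # scenario 1: a leaked old passphrase no longer opens the rotated keyfile (covered)
        "old_passphrase_opens_keyfile": opens(derive_kek("old-passphrase", keyfile["salt"]), keyfile["wrapped"]),
        # scenario 2: a master key copied before rotation still decrypts every chunk (not covered)
        "stolen_master_decrypts_chunk": unseal(stolen_master, chunk) == b"constructed backup chunk",
        # scenario 3: keyfile wiped by ransomware; the passphrase alone was never the data key (backups lost)
        "passphrase_alone_decrypts_chunk": opens(derive_kek("new-passphrase", keyfile["salt"]), chunk),
    }

if __name__ == "__main__": print(run_scenarios())
```

Only the first result comes back False after a passphrase change, which is the developer's point: rotation helps against a leaked passphrase, not against a copied master key or a destroyed keyfile.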