Is this possible to have web-ui, no administration password and B2 storage credentials in plaintext?

Hello,

Even with a complete re-installation, I can’t have the web-ui without a password cause it ask one to encrypt/decrypt passwords. Even if there is nothing configured.
I really don’t get it, I don’t get the logic behind all that.

I don’t care about those credentials, I consider that if an attacker have access to this files, he has access to all the data that I’m trying to backup. So why bother?
Even if you have perfect reason to do so, because your configuration requires it, etc. I want use duplicacy without it, like I used the cli version, is it possible ?

Thank you

Hmm. The Encryption Password for the Web Edition is merely to encrypt the configuration that holds the credentials for your storage - it’s not to protect the files you’re wanting to backup.

You’re right that with complete access to your PC, an attacker could potentially decrypt the keyring and ultimately get access to those storage credentials.

However, that’s with complete access (not always the case) and they’d need to find and reverse engineer the configuration to get the raw credentials, by which time hopefully you’ve bought yourself a little time to revoke B2 tokens etc… (Plus, you can opt not to store that password in the keyring, then an attacker would need to install a keylogger before you input it each use.)

A few things have to go right for an attacker to gain access to your backup storage in good time to do anything with it, so while they may have access to your files, it’s important they eventually don’t get access to your backups so they can hold it to ransom by re-encrypting it (or simply changing the master password)!

Furthermore, this password isn’t crucial to gain access to your backup. If you forget it, no biggie. Just reinstall / delete configuration and setup the storage again. The only password you need to keep safe is the storage password (and ofc access to your B2 account). Thus if you’re not particularly fussed, just choose a simple Encryption Password for the Web UI - like “none” - effectively the same as not having one. :slight_smile:

2 Likes

Thank you for all those topics to think about.

Maybe I need to be more specific about the Why I want a backup without decrypt : exactly like when I turn on the computer to access some network share, I, sometimes, turn it on to backup BUT I will not login and I will not open any keyring. That’s why I configured duplicacy as a service. That’s why I need a configuration without auth in local.

Maybe I’m misunderstanding, but why does it matter that your configuration should be stripped of any encryption? Does Duplicacy still run as a service, with a simple password?

@uisang you can set the environment variable DWE_PASSWORD to the encryption password before running the web GUI. It will take the password from it instead of asking you to enter one the first time you access the web page.

No, it doesn’t. All the schedules failed.

If you can access the web pages, then it means the encryption password is correct. Schedule failing is a different problem. If you look into the log files (by clicking the labels on the Activities graph), you can find out what the problem is. If it is due to incorrect storage credentials, then you’ll need to remove storages and adding them using the same storage names as I said in the other post.

Nope.

$ rm -fr ~/.duplicacy_web
$ cat /etc/environment 
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"
DWE_PASSWORD="adminadmin"
Reboot

and “Duplicacy will store all passwords/credentials in an encrypted form in the configuration file. Please blah blah blah” :pensive:

I tried to the password, reboot, “give me password”.

It looks like you removed the ~/.duplicacy_web/duplicacy.json file. When the web GUI is restarted, it will attempt to create a new one and ask you for a new encryption password. You just need to pick a new encryption password and set DWE_PASSWORD accordingly.

Nope again…

$ echo $DWE_PASSWORD
adminadmin

and the web ui still asking the password…
If I put adminadmin, I log inside…

Please make sure that DWE_PASSWORD is set before starting the web GUI.

Which password did it ask for, the encryption password or the administration password?

I remove it from /etc/environment and create a .sh with export and the load of web version. It works now. The password is no longer asked. Now I will follow for few days if schedules runs correctly…

Everything seems fine now.
Thank you!

For anyone: Feel free to use the :heart: button on the posts that you found useful.

For the OP of any #support topic: you can mark the post that solved your issue by ticking the :checked: under the post. That of course may include your own post :slight_smile: