Password management in WebUI

I read the guides but I’m still confused about how to change passwords, how they are stored, and what to do if I don’t want passwords stored on the computer. Could someone please help explain to me?

On Duplicacy Web:

I see in .duplicacy-web\duplicacy.json file in the “credentials” block, values for the storage password (to encrypt the remote config file) and the remote storage login password (e.g. webdav_password).

When I change the master password, or run a backup in Web, these values change in the duplicacy.json file.

  • Are these the passwords?
  • They’re encrypted with the master password?
  • What can I do if I don’t want these to be saved when using Web?
  • When I delete the “credentials” block from the duplicacy.json file while Web is running, I can still run a backup, and the “credentials” are rewritten to the file, but with different values than before. Does this mean the passwords are saved in memory while Web is running?
  • But if I delete the “credentials” block when Web is not running, they will not reappear, and I can no longer login to the remote storage. How can I reinsert them again?
  • How do I change the storage password and webdav_password in Duplicacy Web (similar to previous question)?
  • I did not select to save the master password to keyring, so it’s not saved on the computer?
  • Can I stop the “save to keyring” from being automatically checked when I login to Web?

I also see .duplicacy-web\keyring and inside is “encryptionkey”.

  • What is this used for?

On Duplicacy CLI

I see .duplicacy-web\repositories\localhost\0\.duplicacy\keyring where the storage password and webdav_password are listed. They were saved there when I ran a backup in CLI.

  • These are encrypted by the specific Windows account?
  • But anyone logged into the Windows account has access to the remote storage?

I see that when I delete the keyring file, in CLI, I am prompted for the passwords, and a new keyring file appears. But then I can run duplicacy set -no-save-password=true, which updates in .duplicacy-web\repositories\localhost\0\.duplicacy\preference, and I am prompted for passwords on every backup run in CLI. But if I run a backup on Web, the preference no_save_password=false is updated, and I have to set it again to true.

  • Is there a way to stop Web from changing no_save_password every time?

The instruction was confusing for changing the remote storage login password (e.g. webdav_password) in the keyring file with the duplicacy list -reset-passwords command.

I eventually figured out that when it asks for Enter the WebDAV password:, you enter the new login password, and when it asks for Enter storage password:, you don’t change this password and use the old/current one.

  • I could also simply delete the entry from the keyring file and then I will be prompted again for it.
  • I was able to successfully change the storage password with duplicacy -password command.

Secure the C:\Users\username\.duplicacy-web folder

  • Can I move the .duplicacy-web folder (I guess it would be .duplicacy if only using the CLI, or something else?), to an encrypted container, and then create symlink in C:\Users\username\ with the same folder name and path to the new location in the encrypted container?

EDIT:
Moving the folder to an encrypted container and then making a directory symbolic link seems to work, even when the Windows 10 system environment variable path for duplicacy.exe is inside the target folder of the symlink.
C:\Users\username>mklink /d .duplicacy-web E:\duplicacy-secure\.duplicacy-web

Sorry for so many questions, and thanks for the help.

I moved this to a new topic because the original thread was discussing password handling in the environment for the CLI.

Web UI stores credentials needed to access storage encrypted in the duplicacy.json file. The encryption key is derived among other things from the app password you have set when starting duplicacy-web the first time. If you don’t want to store them on your machine – don’t let your browser remember that password.

Yes, encrypted using your application password.

Yes

Why do you not want them to be saved? How else can duplicacy access storage if it does not have access to the credentials to do so?

Yes, that file is read on application start, and kept in memory, as far as I understand.
There is however a bigger issue: duplicacy-web passes the storage passwords to the duplicacy CLI in plaintext, in the environment. If you have permission to see the process environment, you can read those passwords.

Delete the storage and add it back with the same name.

Delete storage and add it again, with the same name.

Yep.

I’ll get back to the rest of the questions shortly.

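The environment leak mentioned in the reply above is something you can check for yourself. The following is an added example, not code from this thread or from the Duplicacy project: it parses a process environment block in the NUL-separated form that Linux exposes as /proc/<pid>/environ and reports variables whose names look like credentials, showing only a redacted value. The DUPLICACY_* variable names in the constructed sample block are assumptions about the CLI's naming scheme, the /proc walk only sees processes your user can read, and on Windows the equivalent check is the Environment tab of Sysinternals Process Explorer (or any tool that reads another process's PEB).

```python
"""Added example (not from the thread or Duplicacy): detect storage
credentials exposed in a running process's environment.

Assumptions (not stated on the page):
  * Linux-style /proc/<pid>/environ is readable for processes you own.
  * Credential variable names end in PASSWORD/SECRET/TOKEN/_KEY; the
    DUPLICACY_ prefixed names in the sample are an assumption.
"""
import os
import re
from typing import Dict, List, Tuple

# Suffixes treated as secrets; extend if your tooling uses other names.
SECRET_PATTERN = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|_KEY)$", re.IGNORECASE)


def parse_environ(block: bytes) -> Dict[str, str]:
    """Parse a NUL-separated KEY=VALUE block as found in /proc/<pid>/environ.
    Entries without '=' are skipped rather than raising."""
    env: Dict[str, str] = {}
    for entry in block.split(b"\0"):
        if not entry or b"=" not in entry:
            continue
        key, _, value = entry.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def redact(value: str) -> str:
    """Show only the first character and the length so a report or log of
    this check does not itself leak the secret."""
    if not value:
        return "<empty>"
    return f"{value[0]}***(len={len(value)})"


def find_secret_vars(block: bytes) -> List[Tuple[str, str]]:
    """Return (name, redacted_value) pairs for secret-looking variables,
    sorted by name for stable output."""
    env = parse_environ(block)
    return sorted((k, redact(v)) for k, v in env.items() if SECRET_PATTERN.search(k))


def scan_proc(name_substring: str = "duplicacy") -> Dict[int, List[Tuple[str, str]]]:
    """Walk /proc, select processes whose command line contains
    name_substring, and report secret-looking variables per PID.
    Processes that cannot be read (other users, kernel threads) are skipped.
    Returns an empty dict on systems without /proc."""
    findings: Dict[int, List[Tuple[str, str]]] = {}
    if not os.path.isdir("/proc"):
        return findings
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                if name_substring.encode() not in f.read():
                    continue
            with open(f"/proc/{pid}/environ", "rb") as f:
                block = f.read()
        except OSError:
            continue
        hits = find_secret_vars(block)
        if hits:
            findings[int(pid)] = hits
    return findings


# Constructed sample block standing in for what duplicacy-web hands to the
# CLI; the variable names are an assumption, not taken from the project.
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin\0"
    b"DUPLICACY_PASSWORD=storage-pass-123\0"
    b"DUPLICACY_WEBDAV_PASSWORD=hunter2\0"
    b"HOME=/home/user\0"
)

if __name__ == "__main__":
    print("sample block:")
    for name, shown in find_secret_vars(SAMPLE_ENVIRON):
        print(f"  {name} = {shown}")
    print("live processes:")
    for pid, hits in scan_proc().items():
        print(f"  pid {pid}: {hits}")
```

Run it while a backup is in progress, since the CLI process only exists for the duration of the job. If the live scan lists the storage password for a process you did not start, the environment is readable across users on that machine and the "game over if the account is compromised" point below applies to every account that can see it.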

Yes:

Yes. If your account is compromised, it's game over. The solution is various target storage immutability measures, such as one set of keys that only allows backing up but not modifying or pruning, and a separate, protected set of keys to manage the buckets.

No, the configuration files for duplicacy CLI are created on every run by Duplicacy Web.

Yes, define the HOME environment variable to point to the location where it should think the home is, and it will create .duplicacy-web under it. No need to symlink anything (at least this is the case on Linux and macOS; it should also be the case on Windows). I would also recommend changing the location for logs and transient data to the appropriate places under %APPDATA%/Local.

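The "backup-only key versus management key" split recommended in the reply above can be expressed concretely for bucket-style storage. What follows is an added example, not code from this thread or from the Duplicacy project: two AWS IAM policy documents, a weak one giving the backup host full access and a backup-only one that can list, read and write new objects but never delete, plus a small linter that reports which destructive actions a policy grants after expanding IAM wildcards. The bucket name, the list of actions treated as destructive, and the policy wording are assumptions; WebDAV servers have no standard per-key permission model, so this applies to S3-style targets and the idea, not the JSON, carries over to other providers.

```python
"""Added example (not from the thread or Duplicacy): backup-only vs
management credentials for an S3-style bucket, with a linter that flags
any Allow statement letting the key holder delete or rewrite history.

Assumptions: bucket name, the DESTRUCTIVE_ACTIONS list (common S3 cases;
extend for your provider), and the policy wording itself.
"""
import fnmatch
import json
from typing import List, Set

# Actions that let a key holder remove backups or weaken bucket protections.
DESTRUCTIVE_ACTIONS = {
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:DeleteBucket",
    "s3:PutBucketPolicy",
    "s3:PutLifecycleConfiguration",
    "s3:PutBucketVersioning",
    "s3:BypassGovernanceRetention",
}

BUCKET = "example-duplicacy-bucket"  # assumption

# Weak setting: the laptop's key can prune, delete and reconfigure, so a
# compromised account can destroy every backup.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Backup-only setting: list the bucket, read and write objects, nothing
# else. Pruning is done with a separate, offline-kept management key.
BACKUP_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}


def _as_list(value) -> List[str]:
    """IAM allows a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)


def allowed_destructive_actions(policy: dict) -> Set[str]:
    """Return the destructive actions granted by Allow statements, expanding
    IAM wildcards ('s3:*', 's3:Delete*') case-insensitively as IAM does.
    Deny statements are deliberately not evaluated: a policy that relies on
    Deny to cancel a broad Allow deserves a manual review anyway."""
    granted: Set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in DESTRUCTIVE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return granted


def is_backup_only(policy: dict) -> bool:
    """True when no Allow statement grants any destructive action."""
    return not allowed_destructive_actions(policy)


if __name__ == "__main__":
    for name, pol in [("full-access", FULL_ACCESS_POLICY),
                      ("backup-only", BACKUP_ONLY_POLICY)]:
        print(f"{name}: destructive = {sorted(allowed_destructive_actions(pol))}")
    print(json.dumps(BACKUP_ONLY_POLICY, indent=2))
```

One caveat the linter cannot catch: s3:PutObject still allows overwriting an existing object, so a backup-only key can corrupt chunks even though it cannot delete them. Pair the policy with bucket versioning or Object Lock so that overwrites keep the previous version, and keep the management key that can prune off the machine that runs the scheduled backups.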

Thanks for the detailed answers.

  • So there is no way to not save credentials in Duplicacy Web, other than to delete them and having to recreate the storage every time?

Duplicacy Web

I prefer prompts to manually enter the credentials from password managers, instead of storing them with open access to the logged in Windows user, to protect the Duplicacy backup from access or corruption. Just like if you use -no-save-password in the CLI, you enter it manually. I understand that automatic scheduling would need to store credentials, but it’s not a problem for me to perform manual runs.

I am sometimes travelling and need to leave the laptop with someone else for safekeeping, or leave it powered on while I go somewhere else. I’ve also heard from other people about having to hand over devices and passwords to border agents to login and inspect, and they may take an image of the contents. They may demand to unlock encrypted containers. They may ask you to restore a Duplicacy backup so that they can look through it or make an unencrypted copy.

I store credentials in encrypted password managers and containers. In the event of border crossing, I was thinking it would be best to store the containers and Duplicacy backup in the cloud and delete them from the laptop, then when on the other side download them again.

  • How is this keyring file related to the credentials block in the duplicacy.json file if they’re already encrypted by the master password?
  • They definitely cannot be decrypted without the master (I’m doubtful because of the presence of the keyring file)?
  • There is also the field “encryption_data” in the duplicacy.json file.
  • The credentials block values are frequently changing. Is this some kind of random hash generation on each access?

Secure the C:\Users\username\.duplicacy-web folder

I’m not familiar with how to use environment variables in Windows 10 except for running exe without needing the path. I only know how to link 2 directories with symlinks.

Duplicacy Web program is located in C:\Users\username\AppData\Local\DuplicacyWebEdition and I’m assuming that it’s looking in C:\Users\username\.duplicacy-web for the bin, json, and keyring files, which are the things that I want to protect from the logged in Windows user, whether by encryption or simply by not saving the credentials.

I know that you can change the location of the repositories and logs in settings.json or in the settings tab of Web, but that doesn’t include the location of the duplicacy.json and keyring files which are in the root of .duplicacy-web.