Password management in Windows

Hi,

I just got started with Duplicacy (CLI) and it works beautifully. I have one issue regarding the password management.

My config: Windows install. For safety reasons, I have 2 user accounts: one main_user and one duplicacy_user. Only duplicacy_user has access rights to the NAS where the document backups are. That way, if I were hit by ransomware from the main_user account, the virus wouldn’t have the credentials to interfere with the backup.

Duplicacy is executed as a scheduled task in the main_user as duplicacy_user. When I need to work on my backups, I open a PowerShell under the main_user account as duplicacy_user. But I realized that when I actually do that, duplicacy asks me to reenter the backup passwords and subsequently, the scheduled task can’t run because the stored password in the keyring has changed.

In other words, accessing the backups from the main_user as the duplicacy_user resets the password under duplicacy_user. I guess this is due to the implementation of the password management under Windows.

Is there a way, besides storing the password unencrypted, to facilitate the password process? Could several passwords be stored in the keyring (I guess the same password but salted differently depending on the accessing account) so duplicacy can try several options before asking the user to input the password?

Not sure I am being clear.

Best,
Chris

The encrypted password is stored in .duplicacy/keyring, so if you make this file writable by duplicacy_user only, then when you log in as main_user this file won’t be overwritten.

Thanks. I guess this works to protect the passwords in the duplicacy_user account. Or alternatively, one can make keyring read-only. That being said, it becomes difficult to work from the main_user account since the differently salted password can’t be stored anymore and needs to be retyped for each command to duplicacy from the main_user account.

Maybe it would be possible to implement a solution which, rather than replacing the password entry in the keyring file, adds another entry to it. Duplicacy would then try the passwords in keyring one after the other when needed and only prompt the user if no key is found to work. This would greatly facilitate the life of Windows users that use a service account to back up their files with duplicacy and don’t want to store the password in plain text.
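
The file-permission approach suggested in the reply above (keyring writable only by duplicacy_user), written out as an added example that is not from the thread or from the Duplicacy project. The repository path is a placeholder, the account names are the ones used in the thread and are assumed to be local accounts, and the script is assumed to run in an elevated PowerShell.

```powershell
# Added example. Run in an elevated PowerShell. Account names follow the thread;
# the repository path is an assumed placeholder.
$Keyring    = 'C:\path\to\repository\.duplicacy\keyring'   # placeholder path
$BackupUser = "$env:COMPUTERNAME\duplicacy_user"
$MainUser   = "$env:COMPUTERNAME\main_user"

function Invoke-Icacls {
    # Run icacls and stop on the first failure instead of continuing half-applied.
    param([string[]]$Arguments)
    & icacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $($Arguments -join ' ')" }
}

if (-not (Test-Path -LiteralPath $Keyring -PathType Leaf)) {
    throw "Keyring not found: $Keyring"
}

# 1. Explicit entries: modify for the backup account, read for main_user,
#    full control for SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544).
Invoke-Icacls @($Keyring, '/grant:r',
    "${BackupUser}:(M)", "${MainUser}:(R)",
    '*S-1-5-18:(F)', '*S-1-5-32-544:(F)')

# 2. Drop inherited entries so the parent folder's permissions no longer apply.
Invoke-Icacls @($Keyring, '/inheritance:r')

# 3. Make the backup account the owner. A file's owner can always rewrite its
#    ACL, so leaving main_user as owner would undo the restriction.
Invoke-Icacls @($Keyring, '/setowner', $BackupUser)

# 4. Verify: no Allow entry for main_user may carry a write-class right.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$acl = Get-Acl -LiteralPath $Keyring
$violations = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $MainUser -and
    (($_.FileSystemRights -band $writeRights) -ne 0)
})

if ($violations.Count -gt 0) { throw "main_user still has write access to $Keyring" }
"Owner: $($acl.Owner)"
$acl.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
```

This only holds if main_user is a standard user, since members of Administrators keep full control. If main_user has Full control on the .duplicacy folder itself, it can still delete or replace the file, so the folder needs the same review.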