Passwords, credentials and environment variables

Duplicacy attempts to retrieve the storage password and the storage-specific access tokens/keys in three ways.

  • If a secret vault service is available, Duplicacy stores the passwords/keys entered by the user in that vault and retrieves them from it later when needed. On Mac OS X this is Keychain, and on Linux it is gnome-keyring. On Windows the passwords/keys are encrypted and decrypted with the Data Protection API, and the encrypted passwords/keys are stored in the file .duplicacy/keyring. If the -no-save-password option is specified for the storage, Duplicacy will not save passwords this way.
  • If an environment variable for a password is set, Duplicacy always takes it. The table below gives the name of the environment variable for each kind of password. If the storage is not the default one, the storage name is included in the name of the environment variable (in uppercase). For example, if your storage name is b2, the environment variable must be named DUPLICACY_B2_PASSWORD.
  • If a matching key and its value have been saved to the preference file (.duplicacy/preferences) with the set command, that value is used as the password. The last column (key in preferences) of the table below lists the name of the preference key for each type of password.

:arrow_down: This table could be wider than it looks. Please scroll sideways to see all its :four: columns! :arrow_down:


| password type | environment variable (default storage) | environment variable (non-default storage, name in uppercase) | key in preferences |
|---|---|---|---|
| storage password | `DUPLICACY_PASSWORD` | `DUPLICACY_<STORAGENAME>_PASSWORD` | `password` |
| sftp password | `DUPLICACY_SSH_PASSWORD` | `DUPLICACY_<STORAGENAME>_SSH_PASSWORD` | `ssh_password` |
| sftp key file | `DUPLICACY_SSH_KEY_FILE` | `DUPLICACY_<STORAGENAME>_SSH_KEY_FILE` | `ssh_key_file` |
| sftp key passphrase | `DUPLICACY_SSH_PASSPHRASE` | `DUPLICACY_<STORAGENAME>_SSH_PASSPHRASE` | `ssh_passphrase` |
| Dropbox Token | `DUPLICACY_DROPBOX_TOKEN` | `DUPLICACY_<STORAGENAME>_DROPBOX_TOKEN` | `dropbox_token` |
| S3 Access ID | `DUPLICACY_S3_ID` | `DUPLICACY_<STORAGENAME>_S3_ID` | `s3_id` |
| S3 Secret Key | `DUPLICACY_S3_SECRET` | `DUPLICACY_<STORAGENAME>_S3_SECRET` | `s3_secret` |
| BackBlaze Account ID | `DUPLICACY_B2_ID` | `DUPLICACY_<STORAGENAME>_B2_ID` | `b2_id` |
| Backblaze Application Key | `DUPLICACY_B2_KEY` | `DUPLICACY_<STORAGENAME>_B2_KEY` | `b2_key` |
| Azure Access Key | `DUPLICACY_AZURE_KEY` | `DUPLICACY_<STORAGENAME>_AZURE_KEY` | `azure_key` |
| Google Drive Token File | `DUPLICACY_GCD_TOKEN` | `DUPLICACY_<STORAGENAME>_GCD_TOKEN` | `gcd_token` |
| Google Cloud Storage Token File | `DUPLICACY_GCS_TOKEN` | `DUPLICACY_<STORAGENAME>_GCS_TOKEN` | `gcs_token` |
| Microsoft OneDrive Token File | `DUPLICACY_ONE_TOKEN` | `DUPLICACY_<STORAGENAME>_ONE_TOKEN` | `one_token` |
| Microsoft OneDrive Business Token File | `DUPLICACY_ODB_TOKEN` | `DUPLICACY_<STORAGENAME>_ODB_TOKEN` | `odb_token` |
| Hubic Token File | `DUPLICACY_HUBIC_TOKEN` | `DUPLICACY_<STORAGENAME>_HUBIC_TOKEN` | `hubic_token` |
| Wasabi Key | `DUPLICACY_WASABI_KEY` | `DUPLICACY_<STORAGENAME>_WASABI_KEY` | `wasabi_key` |
| Wasabi Secret | `DUPLICACY_WASABI_SECRET` | `DUPLICACY_<STORAGENAME>_WASABI_SECRET` | `wasabi_secret` |
| webdav password | `DUPLICACY_WEBDAV_PASSWORD` | `DUPLICACY_<STORAGENAME>_WEBDAV_PASSWORD` | `webdav_password` |
| RSA key passphrase | `DUPLICACY_RSA_PASSPHRASE` | `DUPLICACY_<STORAGENAME>_RSA_PASSPHRASE` | `rsa_passphrase` |

:arrow_up: This table could be wider than it looks. Please scroll sideways to see all its :four: columns! :arrow_up:

:bulb: Note that passwords stored in an environment variable or in the preference file are kept in plaintext; they are therefore insecure and should be avoided whenever possible.

:bulb: Note that you must use the wasabi environment variables instead of the s3 environment variables if you are using the wasabi storage URL.

:bulb: The passwords are stored when the backup command (or any other command apart from init or add) is run for the first time. This means you need to make sure that first run is done interactively, i.e. not from a script (unless the script answers the password prompts, of course).

Saving credentials to Duplicacy config file

Use the name of the matching environment variable from the table above, lowercased and with the duplicacy_ prefix removed (this is the key in preferences column).

Example: duplicacy set -key b2_id -value 6fdd6eeeefff

or: duplicacy set -storage mybackupstorage -key b2_id -value 6fdd6eeeefff

or: duplicacy set -key b2_id -value "passphrase with spaces"
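As an added example (not Duplicacy's own code), the following Python models the naming rules from the table and the lookup order described in the post: the non-default-storage variable is the default name with the uppercased storage name inserted after DUPLICACY_, the preference key is the default name lowercased without the duplicacy_ prefix, and an environment variable always wins over the preference file. The preferences structure (a dict keyed by storage name, with "default" for the default storage) is a constructed stand-in for the real .duplicacy/preferences file.

```python
import os

# Default-storage environment variable names, copied from the table above
# (a subset of the rows; add more as needed).
DEFAULT_ENV_VARS = {
    "storage password": "DUPLICACY_PASSWORD",
    "sftp password": "DUPLICACY_SSH_PASSWORD",
    "S3 Access ID": "DUPLICACY_S3_ID",
    "S3 Secret Key": "DUPLICACY_S3_SECRET",
    "BackBlaze Account ID": "DUPLICACY_B2_ID",
    "Backblaze Application Key": "DUPLICACY_B2_KEY",
    "RSA key passphrase": "DUPLICACY_RSA_PASSPHRASE",
}

def env_var_name(password_type, storage_name=None):
    """Environment variable Duplicacy reads for this password type.
    Default storage: the table's name. Named storage: the storage name,
    uppercased, is inserted after DUPLICACY_ (b2 -> DUPLICACY_B2_PASSWORD)."""
    base = DEFAULT_ENV_VARS[password_type]
    if storage_name is None:
        return base
    return base.replace("DUPLICACY_", f"DUPLICACY_{storage_name.upper()}_", 1)

def preference_key(password_type):
    """Key for `duplicacy set -key ...`: the default-storage variable name,
    lowercased, with the duplicacy_ prefix removed."""
    return DEFAULT_ENV_VARS[password_type].lower()[len("duplicacy_"):]

def resolve(password_type, storage_name=None, environ=None, preferences=None):
    """Look the secret up as the post describes: an environment variable is
    always taken first, otherwise the preferences entry for that storage.
    Returns (value, source) so a caller can log that the value came from one
    of the plaintext locations; (None, None) if neither has it.
    `preferences` is an assumed shape: {storage name: {key: value}}."""
    environ = os.environ if environ is None else environ
    preferences = preferences or {}
    name = env_var_name(password_type, storage_name)
    if name in environ:
        return environ[name], "environment:" + name
    key = preference_key(password_type)
    store = preferences.get(storage_name or "default", {})
    if key in store:
        return store[key], "preferences:" + key
    return None, None
```

Because both sources are plaintext, logging the returned source (never the value) during the first interactive run is a cheap way to confirm the keyring, not an environment variable or the preference file, is what ends up holding the secret.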

Changing passwords

To change passwords that have been stored in the keychain/keyring, use the list command with the -reset-passwords option.

3 Likes

But how shall I store the passwords to a keyring (on Windows)?

The file containing passwords is called keyring and is located in the folder .duplicacy in each of your repositories.

Is this what you mean, as I don’t quite understand the question :woozy_face:

I am asking how to get passwords etc stored there? I initialized a repository and storage, but the encryption password was not put on that file.

Answering myself. duplicacy automatically saves the information (passwords, one_token, B2 keys, etc.) to the keyring when you run backup for the first time and enter the information manually.

3 Likes

Wanted to clarify that the env var needs to be set with export, otherwise it won’t be read by duplicacy.

DUPLICACY_GCD_TOKEN='bla' = bad
export DUPLICACY_GCD_TOKEN='bla' = good

1 Like

Thanks! :+1: The OP is a wiki, feel free to edit it. :smile:

is this for windows, linux, mac, all ?

@gchen
no environment variable for RSA private key file path?

No, the RSA private key file is passed by the -key option.

not planned as an improvement? :innocent:
ENV var + preference key for RSA private key path

I noticed an egg, for "duplicacy copy -h":

-key <public key> the RSA private key to decrypt file chunks from the source storage

Does Duplicacy use the storage password to encrypt credentials in the .duplicacy/keyring file? If it doesn’t then are there any other ways to protect the keyring file with strong password?

The storage password itself is stored in the .duplicacy/keyring file so no, it is not used to encrypt .duplicacy/keyring.

The .duplicacy/keyring file is encrypted by the Windows Crypto API (CryptProtectData function (dpapi.h) - Win32 apps | Microsoft Docs).

Maybe it’s possible to implement something like DUPLICACY_KEYRING_PASSWORD? I’m not sure if DPAPI is reliable enough to trust it with credentials for cloud storages. A strong master-password protection would be preferable.

I noticed the table above does not include the environment variable for the OneDrive for Business (not OneDrive) token. I believe the correct variable is: DUPLICACY_ODB_TOKEN. For storage, it is DUPLICACY_STORAGENAME_ODB_TOKEN. Thought I’d post this since it took me a little while to figure it out!

Great backup app. Thanks for all of your work on it.

2 Likes

Thanks for pinging us, OP is updated!

@TheBestPessimist
RSA key passphrase DUPLICACY_RSA_PASSPHRASE DUPLICACY_<STORAGENAME>_RSA_PASSPHRASE rsa_passphrase

this line is missing in your start post
I added the sftp keyphrase here:

I added it to the table. Could you please check that what I added is correct?

1 Like

Personally I don’t like the idea of storing Google Drive token as a plain text file. Is there any way to store it safely?

A post was split to a new topic: Password management in WebUI

@TheBestPessimist Can/should I use a different storage password for each storage added to a repository? I am trying to back up with SFTP (local) and B2 (cloud) with -copy and --bit-identical.