Re-encryption of the backup archive/storage with a new password

Is there a CLI option to re-encrypt the whole storage with the new password in case of paranoia or a plausible valid reason? I understand this would mean re-transmitting the whole backup archive, but also maybe downloading the whole backup archive, which can be costly with some backends.

Or is the solution to start a new backup with the new key and delete the old archive after finishing?

From my limited understanding of encryption in Duplicacy, the master password simply decrypts the config file on the storage, and can certainly be changed.

The hash/chunk encryption keys (there’s four of them) stored within that config file can’t be changed and there isn’t a CLI option to re-encrypt. Those keys are pretty strong though, and randomly generated.

I can see why someone might need to re-encrypt the whole shebang - say if the initial master password was weak - someone with an old copy of the config file might be able to brute force the config and then unlock the data. But if they’ve got your weakly-encrypted config file, they’ll also potentially have copies of the chunks and can crack them at leisure, regardless of if or when you re-upload. :slight_smile:

Just choose a good master password; long, completely random with symbols and store it in a password manager. If the previous password was weak and your storage resides in a cloud drive, purge old versions of the ‘config’ file after changing the password.

3 Likes
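The point in the answer above about old copies of the config file, as an added example that is not part of the original posts and is not Duplicacy's code or on-disk format: a simplified model of a password-wrapped config holding four random storage keys. The key names, passwords, iteration count and the toy HMAC-based stream cipher (standing in for a real authenticated cipher) are assumptions for illustration.

```python
import hashlib, hmac, json, secrets

ITERATIONS = 100_000  # constructed demo value, not taken from Duplicacy

def _derive(password, salt):
    # One PBKDF2 call yields an encryption key and a MAC key.
    m = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return m[:32], m[32:]

def _keystream(key, nonce, length):
    # Toy stream cipher: HMAC-SHA256 in counter mode (illustration only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def seal_config(password, storage_keys):
    # Wrap the storage keys under a key derived from the master password.
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive(password, salt)
    body = salt + nonce + _xor(json.dumps(storage_keys).encode(), enc_key, nonce)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_config(password, blob):
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, cipher = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _derive(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong password or corrupted config")
    return json.loads(_xor(cipher, enc_key, nonce))

def change_password(old, new, blob):
    # Only the wrapper is re-encrypted; the storage keys inside stay the same.
    return seal_config(new, open_config(old, blob))

def demo():
    keys = {f"key{i}": secrets.token_hex(32) for i in range(1, 5)}  # hypothetical names
    old_cfg = seal_config("summer2019", keys)            # constructed weak password
    new_cfg = change_password("summer2019", secrets.token_urlsafe(32), old_cfg)
    try:
        open_config("summer2019", new_cfg); rejected = False
    except ValueError:
        rejected = True
    # A retained copy of the old config still opens with the old password.
    return {"old_password_rejected": rejected, "original": keys,
            "from_old_copy": open_config("summer2019", old_cfg)}

if __name__ == "__main__":
    print(demo()["old_password_rejected"])
```

In this model the password change protects only the new config blob, which is why purging retained versions of the old one matters when the earlier password was weak.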

Hah!
Explained better than I could.