Based on the information at Password command details
it looks like I can rotate the password that was passed for the -e option without having to re-upload all the chunks to, say, the S3 storage:
cat .duplicacy/preferences | jq -r ". | .name" | while read storage_name; do duplicacy -storage "$storage_name" password done
My worry is that someone who has already had access to the
config file clear-text (because they had access to the
config file password prior to rotation) will continue to be able to decrypt the chunks after I’ve rotated the password.
Is my fear founded?
And if so, is the recommended way to backup with -e and a new snapshot id to ensure all the chunks use a new randomly generated encryption key?