Rotating the password for a storage not enough if `config` was leaked in the past?

Based on the information at Password command details

it looks like I can rotate the password that was passed for the -e option without having to re-upload all the chunks to, say, the S3 storage:

cat .duplicacy/preferences |
  jq -r ".[] | .name" |
    while read storage_name; do
      duplicacy -storage "$storage_name" password

My worry is that someone who has already had access to the config file clear-text (because they had access to the config file password prior to rotation) will continue to be able to decrypt the chunks after I’ve rotated the password.

Is my fear founded?

And if so, is the recommended way to backup with -e and a new snapshot id to ensure all the chunks use a new randomly generated encryption key?


If the Duplicacy config leaks and someone who acquires it has access to the repository config before it was re-encrypted, they’d be able to modify Duplicacy, force it to use that configuration and decrypt your chunks.

The practical mitigation against remote attacks against the repository storage is to revoke any access keys valid at the time the Duplicacy config was disclosed. That will prevent decryption by denying access to the encrypted chunks in the first place.

The only mitigation against a physical attack would be to copy the snapshots on the old repository to a newly-initialized one on a new device and then physically destroy the old one. It’s worth pointing out that if an attacker has sufficient resources to gain physical access to your repository, they can probably also gain physical or remote access to one of the machines you’re backing and could use the new, valid credentials.

1 Like

Right, it is useless to create a new storage password if the old one has been breached. New chunks created after the password change will still be encrypted with keys derived from the old plain-text config.

If this scenario concerns you should enable RSA encryption: New feature: RSA encryption


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.