RSA Encryption, Empty Passphrase, Credential Storage, and the -background flag


I am using the duplicacy CLI. I have several repositories all backing up to the same storages, using distinct (across repositories) but consistent (across storages) snapshot IDs. All the storages are bit-identical, using the same RSA key for encryption. The corresponding RSA private key uses an empty password. Previously, I had been backing up to each repository individually, but I’m trying to move to a flow where I backup to a local storage and then duplicacy copy it to all my remotes.

When I duplicacy copy, I am prompted for the password for this key. Even though it’s empty, I understand that there’s no good way to know that beforehand. However, this is tiresome (and prevents me from scripting), so I want to prevent this prompt. As documented in Passwords, credentials and environment variables, I tried setting the rsa_passphrase in the preferences. When I tried that, the following happened:

$ duplicacy set -storage $storage -key rsa_passphrase -value ""
The options for storage <STORAGE> have not been modified

OK, so I tried instead setting the DUPLICACY_<STORAGENAME>_RSA_PASSPHRASE environment variable to the empty string (I substituted <STORAGENAME> the actual name of the storage; I tried both lowercase and uppercase). That did not prevent the prompting for the passphrase. Manually editing the preferences file to insert "rsa_passphrase": "", to the keys also did not prevent the prompt. Finally, I tried adding the -background flag to my command line, against the advice of Global options details, which did finally succeed in suppressing the prompt.

Is the -background flag the right way to go about this? I’m concerned it’s documented as forbidden for usage by the CLI, but it does solve my problem. Since the repositories are all bit-identical, I could use rclone to copy the chunks/ directory around, but I got the impression from the “Back up to multiple storages” How-to (can’t hyperlink because I’m a new user) that a call to duplicacy copy was still important.


Addendum: the -background option does not actually solve my problem. Passing -background does suppress the prompt for the encryption passphrase, but it also prevents duplicacy from reading the SSH key off of disk to access my SFTP backends. This is perplexing behavior to me.

Can you re-encrypt the private key with a password: public key infrastructure - Can I add a password to an existing private key? - Information Security Stack Exchange?

Setting a passphrase on my RSA key has solved my problem. I can now set the passphrase in the preferences, which suppresses the password prompt. I am still a little perplexed why the empty passphrase is treated specially, but at least the immediate problem is solved.

Thank you!