Separate keys for pruning with Duplicacy Web

Hi - I have backups going from Duplicacy Web into an S3 bucket on Wasabi. I have a limited key which is in Duplicacy Web which does NOT allow for deleting files, for security/anti-ransomware reasons.

I have a separate set of master keys which I rotate often and I want to do one-off prunes (every several months or so). However there does not seem to be a way to swap out my keys in Duplicacy-Web so that I can run the prune.

What is the best practice for setups like mine to achieve occasional pruning without having the ability to swap keys? Do I need a separate Duplicacy instance? Do I need to set up a second storage? Obviously I also want to ensure I don’t corrupt/wipe any of my actual data during this process.

Thanks!

I would run prune from another host, for example, some compute cloud instance, with the duplicacy CLI.

If you don’t want read/write keys on this machine — you don’t want read/write keys on this machine. What’s the point of not having them sometimes and doing all that manual labor swapping credentials?

A better solution would be object lock, but I’m not sure about the scope of support for it on Wasabi, if you can define a default on a bucket, since duplicacy does not handle it.

@saspus - thanks - the plan though is to cycle the keys after pruning so the keys themselves would be of no value after the prune is done. I’m envisioning this as a few-times-a-year process.

I could spin up a separate VM or cloud instance for pruning with the CLI, but do I need to have any of my other backup settings or files accessible to do the prune? Or do I simply connect from Duplicacy CLI to the remote storage, run a prune, and I’m done?

Nope. You just init a temporary repository in some empty folder, and then run prune with the desired -keep flags; either on the specific snapshotID or -all.

This is in fact how WebGUI runs prune – it creates a temporary empty repository under .duplicacy_web/repositories

Yep! The “connect” is accomplished with init – duplicacy will see that there is already an initialized repository at the target you are trying to init and will simply “adopt” it.

Thanks for the guidance. Just tried it and all is working exactly as expected!
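
The procedure described in the replies above, sketched as an added example that is not part of the original thread: a shell function that inits a throwaway repository in an empty temp folder, runs prune against the existing storage, and removes the folder afterwards. The storage URL, the retention rules, the `prune-temp` snapshot ID and the `ENCRYPTED` switch are assumptions made for illustration; the delete-capable keys are entered at the CLI's prompt or through its environment, never written into the script.

```shell
#!/bin/sh
# Added example: one-off prune from a temporary empty repository.
# Assumed names: prune_once, prune-temp, ENCRYPTED, DUPLICACY (path to the CLI).
DUPLICACY="${DUPLICACY:-duplicacy}"

# prune_once STORAGE_URL MODE RULE...
#   MODE: "dry-run" only reports what would be deleted, "apply" deletes.
#   RULE: n:m retention rules, passed to prune as -keep n:m in the given order.
prune_once() {
    [ "$#" -ge 3 ] || { echo "usage: prune_once URL dry-run|apply n:m..." >&2; return 2; }
    storage_url=$1; mode=$2; shift 2
    case $mode in
        dry-run) extra="-dry-run" ;;
        apply)   extra="" ;;
        *) echo "mode must be dry-run or apply" >&2; return 2 ;;
    esac
    keep_args=""
    for rule in "$@"; do
        case $rule in
            *[!0-9:]*|*:*:*|:*|*:) echo "bad retention rule: $rule" >&2; return 2 ;;
            *:*) keep_args="$keep_args -keep $rule" ;;
            *)   echo "bad retention rule: $rule" >&2; return 2 ;;
        esac
    done
    # Empty folder: no backup settings or source files are needed for a prune.
    workdir=$(mktemp -d) || return 1
    (
        cd "$workdir" || exit 1
        # init "adopts" the already initialized storage; -e only if it is encrypted.
        "$DUPLICACY" init ${ENCRYPTED:+-e} prune-temp "$storage_url" &&
        "$DUPLICACY" prune $extra $keep_args -all
    )
    status=$?
    # Remove the temporary repository so nothing stays on the prune host.
    rm -rf "$workdir"
    return $status
}

# Constructed usage (placeholder URL and rules); review the dry run before applying:
#   prune_once "s3://REGION@ENDPOINT/BUCKET/PATH" dry-run 0:360 7:30
#   prune_once "s3://REGION@ENDPOINT/BUCKET/PATH" apply   0:360 7:30
```

Running the `dry-run` mode first shows what the delete-capable keys would remove before anything is removed, and the keys can then be cycled once the `apply` run finishes.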