SFTP: need help with a secure strategy to do non-interactive backups

I am planing my next video about duplicacy on youtube.
I want to show a secure authentication method for an offsite (cloud) storage.
I guess sftp key exchange would do a good job here.
Nevertheless I have some questions:

  1. I couldn’t find an option to overhand the private key password to duplicacy. Is my assumption correct that I have to leave the private key file unencrypted to make a non interactive backup possible?
  2. Which parameters for ssh-keygen guarantee “state of the art” security?
  3. Should the generated key pair used exclusively for duplicacy?
  4. Where is a good place to store the ssh certificate?
  5. Why is it safer to use certificates instead of password authentication?
  6. Any other ideas which would make the backup procedure secure?

The private key file can be encrypted. You can store the passphrase in the environment variable DUPLICACY_SSH_PASSPHRASE or DUPLICACY_<STORAGENAME>_SSH_PASSPHRASE for non-default storages. (sorry it was missing from the user guide which I just updated).

There happened to be a blog article on Hacker News a few days ago: Comparing SSH Encryption Algorithms - RSA, DSA, ECDSA, or EdDSA? (TLDR: RSA 2048⁄4096 or Ed25519)

Maybe that is a good idea.

Any place not synced/backed up to a cloud drive?


Does it mean Duplicacy supports authentication by ssh certificates (as opposed to just passwords and keys)? never mind, it does:

The rsa method confuses me. I need a separate encryption Password and additional the rsa key? I am running duplicacy on an arm device. How is the performance impact?