So this seems like a pretty severe security weakness… that in order to use sftp with public key authentication, you have to have a private key file lying around on your file system that is not password protected.
Yes, you could use ssh agent forwarding, but on Windows at least, I dunno how well that works with Pageant if running Duplicacy as a service.
But is the above quote still valid? A cursory look at the source indicates the key file is unlocked with ParsePrivateKey(). However, there now(?) seems to be a corresponding function ParsePrivateKeyWithPassphrase(). Is this enough to get our keys secured a bit better?