Understanding the passwords and encryption keys

I’ve looked around on the forum and found some related things, but nothing that directly answers or confirms my questions; and I want to make sure I understand these as they’re pretty important. Thanks for bearing with me, even if they seem basic:

  1. The Web UI settings page has an “Encryption Password” and “Administration Password”. I set up Duplicacy quite a while ago, and don’t remember; but is the Encryption Password the same as the Master Password described in Duplicacy User Guide?

  2. Is the Master Password also the password that encrypts the storage configuration file as described in password · gilbertchen/duplicacy Wiki · GitHub?

  3. The “config” file in a storage location contains the encryption keys for that storage, and this file itself is encrypted using the Master Password?

  4. Where does Duplicacy store the Master Password on Windows? From what I read, it sounds like it goes into the “keyring” file, but that has a JSON in it with an “encryptionKey” that doesn’t look at all like my Master Password (which I’ve stored in a password manager). That’s making me wonder if that’s something entirely different?

  5. If I ever want to change my Master Password, I can use password · gilbertchen/duplicacy Wiki · GitHub or the similar-looking modal on the Web UI, and everything should just work? Any caveats to be aware of? I wouldn’t want to brick my backups or mess up my settings.

  6. If I ever need to restore on a new computer, and my old computer is gone, would I simply need Duplicacy, the backup, and the Master Password? Anything else? (I know I really should be periodically validating my backups by testing this out, but it is on my very long TODO list)

Yes they are the same.

No, this is the storage password to protect your storage and used by the CLI.

This file is encrypted with the storage password. The encyption keys inside in are generated randomly.

The master password is stored in that JSON, but not in plaintext. Instead, it is encrypted by the Windows Crypto API.

The only thing you need is the storage password (which encrypts the config file on the storage). If you lost your master password you can always start with a fresh installation of the web GUI (assuming you remember your storage password).

Thanks for answering all of my questions. A couple followups:

  1. I apparently didn’t write down my storage password and only have my master password. I do see a password field in the storages section in duplicacy.json so that’s presumably it, but I’m guessing that’s encrypted using my master password. How would I go about decrypting that? Or am I way off here?

  2. If I wanted to change the storage password, there’s isn’t a way to do that from the Web UI, right? I’d have to use password · gilbertchen/duplicacy Wiki · GitHub. I was playing around with that and it seems like the process is this - is this correct?

    1. cd into one of the repository folders (e.g. C:\ProgramData\.duplicacy-web\repositories\localhost\0)
    2. Run the password command (I have multiple storages, so I’d specify -storage)
    3. It’s OneDrive, so I’d give it the token file (which, by the way, seems to require a relative path and not an absolute path)
    4. Enter the old password
    5. Enter the new password (and write it down this time :sweat_smile:)
  3. I have multiple repositories using the same storage, so that command would presumably affect all of those repositories. Is running the command against one of them enough then?

  4. If I were to change the storage password with that command, I’m guessing I’d need to tell the Web UI that the storage password has changed - how do I do that? Maybe the reverse of whatever we do in my first question to encrypt the storage password with the master password and put that into duplicacy.json?

I have a related (I think) question so I’ll post it here, but happy to start a new thread if required.

My password manager has started complaining that my passwords are too weak, so I’d like to strengthen them. The backups in question are generated from linux webservers using the CLI (also sometimes viewed from the web GUI in Windows).

On the face of it, all I have to do is type “duplicacy password” and follow the prompts. But I don’t get any prompts, I get “The new password is the same as the old one”. I can’t find any docs or forum posts that cover this situation.

I tried “duplicacy list -reset-passwords” but it made no difference.

I tried “duplicacy set -e=false” but I get “Failed to download the configuration file from the storage: The storage is likely to have been initialized with a password before”.

I thought I understood how it all worked but this has me stumped. Can someone point me in the right direction please?

Run the web GUI in terminal with the option -print-credentials and the storage password will be printed out when you run a backup or a check:

/path/to/duplicacy_web_executable -print-credentials

That is correct. But you still need to update the storage password in the web GUI. To do that, simply remove the storage and add a new one with the same name – existing backups and schedules won’t be affected. (This should also answer questions 3 and 4).

Try duplicacy -d list to see where the password comes from. I guess it comes from the keyring so you may need to manually clear that password from the keyring.

It worked! Thanks for your help.

So, duplicacy -d list produced a lot of output but I think the crucial lines were:

File chunks are encrypted
Metadata chunks are encrypted
Reading the environment variable DUPLICACY_PASSWORD
Reading password from preferences

After examining the file “preferences” and manually removing the line containing key “password” under “keys” I did indeed get the expected prompts for old and new password.

I had expected this command I entered earlier from Managing Passwords · gilbertchen/duplicacy Wiki · GitHub would have done the trick.

To change passwords that have been stored in the keychain/keyring, use the list command with the -reset-passwords option.

What does that command actually do (if anything)? Why is it necessary at all?

I tried running the web ui executable with -print-credentials and it started up Duplicacy but it didn’t have any of my settings. I run it as a service, so it’s normally storing stuff under C:\ProgramData\.duplicacy-web\ but I noticed that running it directly created a .duplicacy-web in my home folder. I tried copy-pasting the files over (as I’m just trying to do read operations, that seemed okay) - and after entering my master password, it seemed happy. I then tried to run a check and got an error. I also didn’t see any output anywhere with a password: not in the terminal where I started Duplicacy, not in a log file, nowhere. I then tried adding -print-credentials to the service itself, but I either didn’t do that right, or that argument doesn’t actually work.

I then did a search on the forums for -print-credentials to see if I could find any tips. Here, you mentioned using DebugView, which also didn’t seem to have the password. But, on that same thread, I did see a post from another user about looking at the environment in procfs and the password would be one of the env vars (as documented here). Anyway, on Windows, it’s a bit more annoying, but using Process Explorer, I was able to examine the env vars for the duplicacy CLI that the Web UI ran, and found DUPLICACY_ONEDRIVE_PASSWORD!

I was able to try it out with the list command, and it worked! (well, I first got stuck for a while on the fact that ctrl-v does not actually paste in CMD :neutral_face:) So mission accomplished - I now have my storage password!

I also tried out changing the password, including updating the GUI, so that all worked too!

thanks for your help @gchen!