-
Notifications
You must be signed in to change notification settings - Fork 336
Managing Passwords
Duplicacy will attempt to retrieve in three ways the storage password and the storage-specific access tokens/keys.
- If a secret vault service is available, Duplicacy will store passwords/keys entered by the user in such a secret vault and later retrieve them when needed. On Mac OS X it is Keychain, and on Linux it is gnome-keyring. On Windows the passwords/keys are encrypted and decrypted by the Data Protection API, and encrypted passwords/keys are stored in the file .duplicacy/keyring. However, if the -no-save-password option is specified for the storage, then Duplicacy will not save passwords this way.
- If an environment variable for a password is provided, Duplicacy will always take it. The table below shows the name of the environment variable for each kind of password. Note that if the storage is not the default one, the storage name will be included in the name of the environment variable (in uppercase). For example, if your storage name is b2, then the environment variable should be named DUPLICACY_B2_PASSWORD.
- If a matching key and its value are saved to the preference file (.duplicacy/preferences) by the set command, the value will be used as the password. The last column (key in preferences) in the table below lists the name of the preference key for each type of password.
| password type | environment variable (default storage) | environment variable (non-default storage in uppercase) | key in preferences |
|---|---|---|---|
| storage password | DUPLICACY_PASSWORD | DUPLICACY_<STORAGENAME>_PASSWORD | password |
| sftp password | DUPLICACY_SSH_PASSWORD | DUPLICACY_<STORAGENAME>_SSH_PASSWORD | ssh_password |
| sftp key file | DUPLICACY_SSH_KEY_FILE | DUPLICACY_<STORAGENAME>_SSH_KEY_FILE | ssh_key_file |
| sftp key passphrase | DUPLICACY_SSH_PASSPHRASE | DUPLICACY_<STORAGENAME>_SSH_PASSPHRASE | ssh_passphrase |
| Dropbox Token | DUPLICACY_DROPBOX_TOKEN | DUPLICACY_<STORAGENAME>>_DROPBOX_TOKEN | dropbox_token |
| S3 Access ID | DUPLICACY_S3_ID | DUPLICACY_<STORAGENAME>_S3_ID | s3_id |
| S3 Secret Key | DUPLICACY_S3_SECRET | DUPLICACY_<STORAGENAME>_S3_SECRET | s3_secret |
| BackBlaze Account ID | DUPLICACY_B2_ID | DUPLICACY_<STORAGENAME>_B2_ID | b2_id |
| Backblaze Application Key | DUPLICACY_B2_KEY | DUPLICACY_<STORAGENAME>_B2_KEY | b2_key |
| Azure Access Key | DUPLICACY_AZURE_KEY | DUPLICACY_<STORAGENAME>_AZURE_KEY | azure_key |
| Google Drive Token File | DUPLICACY_GCD_TOKEN | DUPLICACY_<STORAGENAME>_GCD_TOKEN | gcd_token |
| Google Cloud Storage Token File | DUPLICACY_GCS_TOKEN | DUPLICACY_<STORAGENAME>_GCS_TOKEN | gcs_token |
| Microsoft OneDrive Personal Token File | DUPLICACY_ONE_TOKEN | DUPLICACY_<STORAGENAME>_ONE_TOKEN | one_token |
| Microsoft OneDrive Business Token File | DUPLICACY_ODB_TOKEN | DUPLICACY_<STORAGENAME>_ODB_TOKEN | odb_token |
| Hubic Token File | DUPLICACY_HUBIC_TOKEN | DUPLICACY_<STORAGENAME>_HUBIC_TOKEN | hubic_token |
| Wasabi Key | DUPLICACY_WASABI_KEY | DUPLICACY_<STORAGENAME>_WASABI_KEY | wasabi_key |
| Wasabi Secret | DUPLICACY_WASABI_SECRET | DUPLICACY_<STORAGENAME>_WASABI_SECRET | wasabi_secret |
| WebDAV password | DUPLICACY_WEBDAV_PASSWORD | DUPLICACY_<STORAGENAME>_WEBDAV_PASSWORD | webdav_password |
| Storj API access key | DUPLICACY_STORJ_KEY | DUPLICACY_<STORAGENAME>_STORJ_KEY | storj_key |
| Storj passphrase | DUPLICACY_STORJ_PASSPHRASE | DUPLICACY_<STORAGENAME>_STORJ_PASSPHRASE | storj_passphrase |
| Samba password | DUPLICACY_SAMBA_PASSPHRASE | DUPLICACY_<STORAGENAME>_SMB_PASSWORD | smb_password |
| RSA key passphrase | DUPLICACY_RSA_PASSPHRASE | DUPLICACY_<STORAGENAME>_RSA_PASSPHRASE | rsa_passphrase |
The passwords stored in the environment variable and the preference need to be in plaintext and thus are insecure and should be avoided whenever possible.
Note that you must use the wasabi environment variables instead of the s3 environment variables if you are using the wasabi storage URL.
The passwords will be stored when the backup command (or any other command apart from init or add) is run for the first time. This means you need to make sure that you do that first run interactively, i.e. not via a script (unless it passes on the password prompts, of course).
Use one of the above environment variables, but lowercase and remove duplicacy_
Example: duplicacy set -key b2_id -value 6fdd6eeeefff
or: duplicacy set -storage mybackupstorage -key b2_id -value 6fdd6eeeefff
or: duplicacy set -key b2_id -value "passphrase with spaces"
For token file of some providers (OneDrive etc), the -value should be the path of the token file Example: duplicacy set -key one_token -value .duplicacy/onedrive_token.json
To change passwords that have been stored in the keychain/keyring, use the list command with the -reset-passwords option.