LogoLogo
  • Duplicati Documentation
  • Getting Started
    • Installation
    • Set up a backup in the UI
    • Running a backup
    • Restoring files
  • Detailed descriptions
    • Choosing Duplicati Type
    • Using the secret provider
      • Local providers
      • Cloud providers
      • Advanced configurations
    • Using remote management
      • Using remote control with agent
    • Migrating Duplicati to a new machine
    • Scripts
    • Sending reports
      • Monitoring with Duplicati Console
      • Sending reports with email
      • Sending Jabber/XMPP notifications
      • Sending HTTP notifications
      • Sending Telegram notifications
      • Custom message content
    • Duplicati Access Password
    • Import and export backup configurations
    • Filters in Duplicati
    • The local database
    • The server database
    • Preload settings
    • Retention settings
    • Using Duplicati with Linux
    • Using Duplicati from Docker
    • Using Duplicati with MacOS
    • Using Duplicati with Windows
    • Running a self-hosted OAuth Server
  • Using tools
    • Encrypting and decrypting files
    • Using Duplicati from the Command Line
    • Recovering from failure
    • Disaster recovery
  • Backup destinations
    • Destination overview
    • Standard based destinations
      • File Destination
      • S3-compatible Destination
      • FTP Destination
      • SFTP (SSH) Destination
      • WebDAV Destination
      • OpenStack Destination
      • Rclone Destination
      • CIFS (aka SMB) Destination
    • Provider specific destinations
      • Backblaze B2 Destination
      • Box.com Destination
      • Rackspace CloudFiles Destination
      • IDrive e2 Destination
      • Mega.nz Destination
      • Aliyun OSS Destination
      • Tencent COS Destination
      • Jottacloud Destination
      • pCloud Destination
      • Azure Blob Storage Destination
      • Google Cloud Storage Destination
      • Microsoft Group Destination
      • SharePoint Destination
      • SharePoint v2 (Graph API)
      • Amazon S3 destination
    • File synchronization providers
      • Dropbox Destination
      • Google Drive Destination
      • OneDrive Destination
      • OneDrive For Business Destination
    • Decentralized providers
      • Sia Destination
      • Storj Destination
      • TahoeLAFS destination
  • Duplicati Programs
    • TrayIcon
    • Server
    • Command Line Interface CLI
    • Service and WindowsService
    • Command Line Tools
      • AutoUpdater
      • BackendTester
      • BackendTool
      • RecoveryTool
      • SecretTool
      • SharpAESCrypt
      • Snapshots
      • ServerUtil
    • Agent
    • LICENSE
      • Duplicati Inc & Open Source
      • License Agreement
    • OAuth Server
  • SUPPORT
  • Installation details
    • Release channels and versions
      • Upgrading and downgrading
      • Downgrade from 2.1.0.2 to 2.0.8.1
    • Package options
    • Developer
  • TECHNICAL DETAILS
    • Architecture Premises
    • Understanding Backup
      • How Backup Works
      • Encryption Algorithms
      • Backup size parameters
    • Understanding Restore
      • How Restore Works
      • Disaster Recovery
    • Database versions
    • Server authentication model
    • Option formats
Powered by GitBook
On this page
  • The Environment Variable provider
  • The File Secret provider
  • Credential Manager (Windows)
  • Using libsecret (Linux)
  • Using the pass secret provider (Linux)
  • Using the KeyChain (MacOS)

Was this helpful?

Export as PDF
  1. Detailed descriptions
  2. Using the secret provider

Local providers

This page describes the providers that operate locally on the machine they are running

PreviousUsing the secret providerNextCloud providers

Last updated 3 months ago

Was this helpful?

The Environment Variable provider

The simplest provider is the env:// provider, which simply extracts environment variables and replaces those. There is no configuration needed for this provider, and the syntax for adding it is simply:

--secret-provider=env://

The File Secret provider

The file-secret:// provider supports reading secrets from a file containing a JSON encoded dictionary of key/value pairs. As an example, a file could look like:

{
  "key1": "value1",
  "passphrase": "my password"
}

The file provider also supports files encrypted with and you supply the decryption key with the option passphrase. Suppose the file is encrypted with the key mypassword you can then configure the provider:

--secret-provider=file-secret:///home/user/secrets.json.aes?passphrase=my-password

To avoid passing the encryption key via a commandline, see .

Credential Manager (Windows)

On Windows XP and later, the can be used to securely store secrets. As the credentials are protected by the account login, there is no configuration needed, so the setup is simply:

--secret-provider=wincred://

Using libsecret (Linux)

--secret-provider=libsecret://?collection=default

Using the pass secret provider (Linux)

--secret-provider=pass://

Using the KeyChain (MacOS)

--secret-provider=keychain://

For more advanced uses the options account and service can be used to narrow down what secrets can be extracted.

The stores various credentials on Linux and integrates with various UI applications to let the user approve or reject attempts to read secrets. The libsecret provider supports a single optional setting, collection, which indicates what collection to read from. If not supplied the default collection is used. To use the libsecret provider, use this argument:

The is a project that implements a secure password storage solution on Linux system, backed by GPG. Duplicati can use pass as the secret provider:

For MacOS users the standard password storage is the program. The secrets stored here as application passwords can be used by Duplicati. The KeyChain can be enabled as a secret provider with:

libsecret implementation
pass command
KeyChain Access
AESCrypt
Credential Manager
the section on how to inject the secret provider configuration via an environment variable