LogoLogo
  • Duplicati Documentation
  • Getting Started
    • Installation
    • Set up a backup in the UI
    • Running a backup
    • Restoring files
  • Detailed descriptions
    • Choosing Duplicati Type
    • Using the secret provider
      • Local providers
      • Cloud providers
      • Advanced configurations
    • Using remote management
      • Using remote control with agent
    • Migrating Duplicati to a new machine
    • Scripts
    • Sending reports
      • Monitoring with Duplicati Console
      • Sending reports with email
      • Sending Jabber/XMPP notifications
      • Sending HTTP notifications
      • Sending Telegram notifications
      • Custom message content
    • Duplicati Access Password
    • Import and export backup configurations
    • Filters in Duplicati
    • The local database
    • The server database
    • Preload settings
    • Retention settings
    • Using Duplicati with Linux
    • Using Duplicati from Docker
    • Using Duplicati with MacOS
    • Using Duplicati with Windows
    • Running a self-hosted OAuth Server
  • Using tools
    • Encrypting and decrypting files
    • Using Duplicati from the Command Line
    • Recovering from failure
    • Disaster recovery
  • Backup destinations
    • Destination overview
    • Standard based destinations
      • File Destination
      • S3-compatible Destination
      • FTP Destination
      • SFTP (SSH) Destination
      • WebDAV Destination
      • OpenStack Destination
      • Rclone Destination
      • CIFS (aka SMB) Destination
    • Provider specific destinations
      • Backblaze B2 Destination
      • Box.com Destination
      • Rackspace CloudFiles Destination
      • IDrive e2 Destination
      • Mega.nz Destination
      • Aliyun OSS Destination
      • Tencent COS Destination
      • Jottacloud Destination
      • pCloud Destination
      • Azure Blob Storage Destination
      • Google Cloud Storage Destination
      • Microsoft Group Destination
      • SharePoint Destination
      • SharePoint v2 (Graph API)
      • Amazon S3 destination
    • File synchronization providers
      • Dropbox Destination
      • Google Drive Destination
      • OneDrive Destination
      • OneDrive For Business Destination
    • Decentralized providers
      • Sia Destination
      • Storj Destination
      • TahoeLAFS destination
  • Duplicati Programs
    • TrayIcon
    • Server
    • Command Line Interface CLI
    • Service and WindowsService
    • Command Line Tools
      • AutoUpdater
      • BackendTester
      • BackendTool
      • RecoveryTool
      • SecretTool
      • SharpAESCrypt
      • Snapshots
      • ServerUtil
    • Agent
    • LICENSE
      • Duplicati Inc & Open Source
      • License Agreement
    • OAuth Server
  • SUPPORT
  • Installation details
    • Release channels and versions
      • Upgrading and downgrading
      • Downgrade from 2.1.0.2 to 2.0.8.1
    • Package options
    • Developer
  • TECHNICAL DETAILS
    • Architecture Premises
    • Understanding Backup
      • How Backup Works
      • Encryption Algorithms
      • Backup size parameters
    • Understanding Restore
      • How Restore Works
      • Disaster Recovery
    • Database versions
    • Server authentication model
    • Option formats
Powered by GitBook
On this page
  • Handling login
  • Working with backups
  • Pausing and resuming the server
  • Changing the Server password
  • Issuing a "forever token"

Was this helpful?

Export as PDF
  1. Duplicati Programs
  2. Command Line Tools

ServerUtil

This page describes the Duplicati ServerUtil helper program

PreviousSnapshotsNextAgent

Last updated 3 months ago

Was this helpful?

The ServerUtil executable is a helper program that can interact with a running Duplicati instance. The main use-case for this program is to allow scripted or programmatic interactions with the server, without resorting to loading the web UI.

The ServerUtil is a replacement for a contributed script that is no longer maintained. Bot approaches works by accessing the Duplicat server API and issuing the same requests as the user interface would otherwise do.

The ServerUtil binaries are called Duplicati.CommandLine.ServerUtil.exe on Windows ana duplicati-server-util on Linux and MacOS.

Handling login

The ServerUtil needs to authenticate with the Server, which requires a connection url and a password. To avoid needing this, the ServerUtil will attempt to read the and obtain information from there. If this succeeds, the ServerUtil will automatically configure an authenticated session with the server, without needing additional input.

If the database is encrypted, write protected, or in some other way inacessible, the caller needs to provide both the url and the password on the commandline.

If the tool is intended to be invoked from a script, it is possible to secure a by calling the login command:

duplicati-server-util login --password=<password> --hosturl=<hosturl>

This will cause the ServerUtil to store a refresh token in the settings file, such that future operations do not need the password (but will still need the hosturl). To safeguard the token, it is possible to provide --settings-encryption-key=<key> that will encrypt the settings file. The can be used to further secure this key, or can be used to provide the password on the commandline.

To revoke the stored refresh token, run the logout command with the host url:

duplicati-server-util logout --hosturl=<hosturl>

Working with backups

To show the backups currently configured, run the list-backups command:

duplicati-server-util list-backups

Each backup configuration has a name and an ID associated with it. All operations that work on one or more backups will accept either the ID or the name the backup has in the server (case insensitive). Using the ID is prefered as that is stable across backup renames, but the name may be more convenient.

Once you know the name or ID of a backup configuration, you can schedule the backup:

duplicati-server-util run <backup id or name>

This will put the backup into the running queue and start the backup as soon as the queue is empty.

With the backup ID or name, it is also possible to export the backup configuration for later use:

duplicati-server-util export <backup id or name> --encryption-passphrase=<passphrase>

You can later import a backup that was previously exported with the command:

duplicati-server-util import <filename> <passphrase>

Note that this will create a new backup with the same configuration, so make sure you have removed the previous backup configuration first.

Pausing and resuming the server

duplicati-server-util pause 5m

This will cause the scheduler to pause and not issue new backups until 5 minutes has passed. If no duration is passed, the server will pause until resumed.

To resume the server, run the following command:

duplicati-server-util resume

Changing the Server password

duplicati-server-util change-password <new password>

Issuing a "forever token"

The "issue-forever-token" command was added to Duplicati beta 2.1.0.3 and canary 2.0.102.

All requests to the Duplicati server needs to be authenticated with a valid token. Usually the token is obtained by providing the password to the server and receiving a token in the response. For some advanced setups, especially when running Duplicati behind an authenticated proxy server. In such a setup, the Duplicati password is an unwanted "double authentication".

In a setup where there is another layer of authentication, it is possible to issue a token that last 10 years, significantly longer than the 15 minutes regular tokens last. To prevent unintended usage of the feature, it requires three steps to configure:

  • Stop Duplicati and start duplicati-server with --webservice-enable-forever-token=true

  • Run the command: duplicati-server-util issue-forever-token

  • Stop Duplicati and start without --webservice-enable-forever-token

The commandline option --webservice-enable-forever-token toggles the ability to issue the token. The API is implemented such that it will only issue a single token pr. server start.

Once the API is enabled, the server-util can call the API and obtain the single token. If something goes wrong, you can restart the Server and try again.

Once the token is obtained, it is important to remove the --webservice-enable-forever-token again, so regular users cannot issue such a token.

With the token in hand, configure the proxy to attach the header to each request:

Authorization: Bearer <token>

With this header present, all requests to Duplicati will be authenticated. If you need to revoke a forever token, start the server once with --webservice-reset-jwt-config which will immediately invalidate any issued token.

This will export the configuration to a local file, encrypted with . If you do not supply a passphrase, the exported configuration will not include the passphrase or storage credentials. Use --export-passwords=true to force export the passwords to a plain-text file.

A common use for the ServerUtil is to pause and resume the server, which can be done to avoid running backups during peak hours. To pause the server, invoke the ServerUtil with a :

As explained in the section on the , it is possible to use the ServerUtil to change the password. In the general case, this can be done with access to the , but in some cases it requires knowing the previous password. Change the password with the command:

Note that this will not revoke access that is already granted, as such . Restart the Server with --webservice-reset-jwt-config=true as explained in the section.

Server
duplicati_client
Server database
refresh token
secret provider
AESCrypt
access password
server database
access lives in refresh and access tokens
duration value
Server