LogoLogo
  • Duplicati Documentation
  • Getting Started
    • Installation
    • Set up a backup in the UI
    • Running a backup
    • Restoring files
  • Detailed descriptions
    • Choosing Duplicati Type
    • Using the secret provider
      • Local providers
      • Cloud providers
      • Advanced configurations
    • Using remote management
      • Using remote control with agent
    • Migrating Duplicati to a new machine
    • Scripts
    • Sending reports
      • Monitoring with Duplicati Console
      • Sending reports with email
      • Sending Jabber/XMPP notifications
      • Sending HTTP notifications
      • Sending Telegram notifications
      • Custom message content
    • Duplicati Access Password
    • Import and export backup configurations
    • Filters in Duplicati
    • The local database
    • The server database
    • Preload settings
    • Retention settings
    • Using Duplicati with Linux
    • Using Duplicati from Docker
    • Using Duplicati with MacOS
    • Using Duplicati with Windows
    • Running a self-hosted OAuth Server
  • Using tools
    • Encrypting and decrypting files
    • Using Duplicati from the Command Line
    • Recovering from failure
    • Disaster recovery
  • Backup destinations
    • Destination overview
    • Standard based destinations
      • File Destination
      • S3-compatible Destination
      • FTP Destination
      • SFTP (SSH) Destination
      • WebDAV Destination
      • OpenStack Destination
      • Rclone Destination
      • CIFS (aka SMB) Destination
    • Provider specific destinations
      • Backblaze B2 Destination
      • Box.com Destination
      • Rackspace CloudFiles Destination
      • IDrive e2 Destination
      • Mega.nz Destination
      • Aliyun OSS Destination
      • Tencent COS Destination
      • Jottacloud Destination
      • pCloud Destination
      • Azure Blob Storage Destination
      • Google Cloud Storage Destination
      • Microsoft Group Destination
      • SharePoint Destination
      • SharePoint v2 (Graph API)
      • Amazon S3 destination
    • File synchronization providers
      • Dropbox Destination
      • Google Drive Destination
      • OneDrive Destination
      • OneDrive For Business Destination
    • Decentralized providers
      • Sia Destination
      • Storj Destination
      • TahoeLAFS destination
  • Duplicati Programs
    • TrayIcon
    • Server
    • Command Line Interface CLI
    • Service and WindowsService
    • Command Line Tools
      • AutoUpdater
      • BackendTester
      • BackendTool
      • RecoveryTool
      • SecretTool
      • SharpAESCrypt
      • Snapshots
      • ServerUtil
    • Agent
    • LICENSE
      • Duplicati Inc & Open Source
      • License Agreement
    • OAuth Server
  • SUPPORT
  • Installation details
    • Release channels and versions
      • Upgrading and downgrading
      • Downgrade from 2.1.0.2 to 2.0.8.1
    • Package options
    • Developer
  • TECHNICAL DETAILS
    • Architecture Premises
    • Understanding Backup
      • How Backup Works
      • Encryption Algorithms
      • Backup size parameters
    • Understanding Restore
      • How Restore Works
      • Disaster Recovery
    • Database versions
    • Server authentication model
    • Option formats
Powered by GitBook
On this page

Was this helpful?

Export as PDF
  1. Duplicati Programs
  2. Command Line Tools

SharpAESCrypt

This page describes the SharpAESCrypt commandline encryption tool

PreviousSecretToolNextSnapshots

Last updated 5 months ago

Was this helpful?

The SharpAESCrypt commandline tool uses the provided AES encryption library but exposes it as a commandline tool.

The SharpAESCryp tool is called Duplicati.CommandLine.SharpAESCrypt.exe on Windows and duplicati-aescrypt on Linux and MacOS. The library and commandline tool implements the , so the commandline tool is compatible with any other tool using the .

To encrypt a file, use the syntax:

duplicati-aescrypt e <password> <plain-text file> <encrypted file>

And similarly to decrypt a file:

duplicati-aescrypt d <password> <encrypted file> <plain-text file>

For decryption, it is possible to use the "optimistic mode", which will leave the decrypted file on disk, even if it does not pass the validation. This is insecure, because the file contents can be modified if the integrity checks fail, but in some cases it can help to recover lost data:

duplicati-aescrypt do <password> <encrypted file> <plain-text file>

If you are encrypting files with a different tool, note that SharpAESCrypt adds an additional check, similar to , which is not part of the AESCrypt specification. This does not change the file format, but makes it harder to inject trailing bytes. However, since other tools do not follow this standard, the decryption will reject such (otherwise valid) files. To decrypt such files, enable the compatibility mode:

duplicati-aescrypt dc <password> <encrypted file> <plain-text file>

To enable the compatibility check for regular Duplicati operations, add the environment variable:

AES_IGNORE_PADDING_BYTES=1
AESCrypt file format
AESCrypt file format
PCKS#7 padding