> For the complete documentation index, see [llms.txt](https://docs.duplicati.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.duplicati.com/security-and-secrets/using-the-secret-provider/local-providers.md).

# Local providers

## The Environment Variable provider

The simplest provider is the `env://` provider, which simply extracts environment variables and replaces those. There is no configuration needed for this provider, and the syntax for adding it is simply:

```
--secret-provider=env://
```

## The File Secret provider

The `file-secret://` provider supports reading secrets from a file containing a JSON encoded dictionary of key/value pairs. As an example, a file could look like:

```json
{
  "key1": "value1",
  "passphrase": "my password"
}
```

The file provider also supports files encrypted with [AESCrypt](/using-tools/encrypting-and-decrypting-files.md) and you supply the decryption key with the option `passphrase`. Suppose the file is encrypted with the key `mypassword` you can then configure the provider:

```
--secret-provider=file-secret:///home/user/secrets.json.aes?passphrase=my-password
```

To avoid passing the encryption key via a commandline, see [the section on how to inject the secret provider configuration via an environment variable](/security-and-secrets/using-the-secret-provider/advanced-configurations.md#how-to-avoid-passing-credentials-on-the-commandline).

To encrypt the file, you can use the [AESCrypt tool](/duplicati-programs/command-line-interface-cli-1/sharpaescrypt.md) provided with Duplicati:

```
Duplicati.CommandLine.SharpAESCrypt.exe e my-password source.json destination.json.aes
```

## Credential Manager (Windows)

On Windows XP and later, the [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) can be used to securely store secrets. As the credentials are protected by the account login, there is no configuration needed, so the setup is simply:

```
--secret-provider=wincred://
```

The Windows Credential Manager can be accessed from the Control Panel and looks like this:

<figure><img src="/files/zDgpqwsvUQDPqO6ONvdI" alt=""><figcaption></figcaption></figure>

The secrets created from Duplicati will show up as "Generic Credentials" but Duplicati can also read the Windows Credentials. You can click "Add a generic credential" to create a new secret that can be used by Duplicati.

## Using `libsecret` (Linux)

The[ `libsecret` implementation](https://gnome.pages.gitlab.gnome.org/libsecret/) stores various credentials on Linux and integrates with various UI applications to let the user approve or reject attempts to read secrets. The `libsecret` provider supports a single optional setting, `collection`, which indicates what collection to read from. If not supplied the default collection is used. The default collection is usually `login` on Gnome-based systems and `kdewallet` on KDE-based systems, and will typically be unlocked when the user logs in.

To use the `libsecret` provider, use this argument:

```
--secret-provider=libsecret://
```

If you are using a system with a Gnome-based desktop, such as Ubuntu, you can use the [Seahorse](https://wiki.gnome.org/Apps/Seahorse) application to manage your passwords. On KDE-based desktops you can use [KeepSecret](https://apps.kde.org/keepsecret/) or [KWalletManager](https://apps.kde.org/kwalletmanager5/).

On KDE, make sure you have enabled the "KDE Wallet Subsystem" and also checked the option to "Use KWallet for the Secret Service interface":

<figure><img src="/files/aVS5cTd16QpHgYktyxGo" alt=""><figcaption></figcaption></figure>

### Seahorse

In Seahorse the passwords are shown in the wallet in a list and are not grouped:

<figure><img src="/files/SPMPzR3VhU329OeELBNj" alt=""><figcaption></figcaption></figure>

You can add new secrets and they can be used by Duplicati.

### KeepSecret

With KeepSecret the passwords created from Duplicati are grouped under "Duplicati Secrets":

<figure><img src="/files/oRrWu7fdJ85z7cH3A3sw" alt=""><figcaption></figcaption></figure>

You can add new secrets and they can be read by Duplicati even if they are not under the "Duplicati Secrets" group.

### KWalletManager

In KWalletManager the secrets are shown in a tree-structure, and for Plasma 6 they show up under "Duplicati Secrets":

<figure><img src="/files/2ZRQVEziYk8RSAvx0jWp" alt=""><figcaption></figcaption></figure>

The UI does not always update when dealing with multiple secrets, so you may need to close and open the wallet for the display to show correctly. You can add secrets here and they can be used in Duplicati even if they are not added under "Duplicati Secrets".

With Plasma 5, there is a compatibility layer that makes the secrets created by Duplicati show up under "Secret Service":

<figure><img src="/files/49qZN3Q13r89Yx6FWpuQ" alt=""><figcaption></figcaption></figure>

This is purely cosmetic and they will show up under "Duplicati Secrets" if you upgrade to Plasma 6 or later.

## Using the `pass` secret provider (Linux)

The [`pass` command](https://www.passwordstore.org) is a project that implements a secure password storage solution on Linux system, backed by GPG. Duplicati can use `pass` as the secret provider:

```
--secret-provider=pass://
```

If you want to use `pass`, make sure it is installed on the system. You also need a GPG key, and you can create one with:

```
gpg --full-generate-key
```

As part of the key generation process, you are asked to enter an email address that will later be used to identify the key. Once you have the GPG key you can initialize pass with:

```
pass init <your-email-address>
```

## Using the KeyChain (MacOS)

For MacOS users the standard password storage is the [KeyChain Access](https://support.apple.com/lt-lt/guide/keychain-access/kyca1083/mac) program. The secrets stored here as application passwords can be used by Duplicati. The KeyChain can be enabled as a secret provider with:

```
--secret-provider=keychain://
```

For more advanced uses the options `account` and `service` can be used to narrow down what secrets can be extracted.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.duplicati.com/security-and-secrets/using-the-secret-provider/local-providers.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.