LogoLogo
  • Duplicati Documentation
  • Getting Started
    • Installation
    • Set up a backup in the UI
    • Running a backup
    • Restoring files
  • Detailed descriptions
    • Choosing Duplicati Type
    • Using the secret provider
      • Local providers
      • Cloud providers
      • Advanced configurations
    • Using remote management
      • Using remote control with agent
    • Migrating Duplicati to a new machine
    • Scripts
    • Sending reports
      • Monitoring with Duplicati Console
      • Sending reports with email
      • Sending Jabber/XMPP notifications
      • Sending HTTP notifications
      • Sending Telegram notifications
      • Custom message content
    • Duplicati Access Password
    • Import and export backup configurations
    • Filters in Duplicati
    • The local database
    • The server database
    • Preload settings
    • Retention settings
    • Using Duplicati with Linux
    • Using Duplicati from Docker
    • Using Duplicati with MacOS
    • Using Duplicati with Windows
    • Running a self-hosted OAuth Server
  • Using tools
    • Encrypting and decrypting files
    • Using Duplicati from the Command Line
    • Recovering from failure
    • Disaster recovery
  • Backup destinations
    • Destination overview
    • Standard based destinations
      • File Destination
      • S3-compatible Destination
      • FTP Destination
      • SFTP (SSH) Destination
      • WebDAV Destination
      • OpenStack Destination
      • Rclone Destination
      • CIFS (aka SMB) Destination
    • Provider specific destinations
      • Backblaze B2 Destination
      • Box.com Destination
      • Rackspace CloudFiles Destination
      • IDrive e2 Destination
      • Mega.nz Destination
      • Aliyun OSS Destination
      • Tencent COS Destination
      • Jottacloud Destination
      • pCloud Destination
      • Azure Blob Storage Destination
      • Google Cloud Storage Destination
      • Microsoft Group Destination
      • SharePoint Destination
      • SharePoint v2 (Graph API)
      • Amazon S3 destination
    • File synchronization providers
      • Dropbox Destination
      • Google Drive Destination
      • OneDrive Destination
      • OneDrive For Business Destination
    • Decentralized providers
      • Sia Destination
      • Storj Destination
      • TahoeLAFS destination
  • Duplicati Programs
    • TrayIcon
    • Server
    • Command Line Interface CLI
    • Service and WindowsService
    • Command Line Tools
      • AutoUpdater
      • BackendTester
      • BackendTool
      • RecoveryTool
      • SecretTool
      • SharpAESCrypt
      • Snapshots
      • ServerUtil
    • Agent
    • LICENSE
      • Duplicati Inc & Open Source
      • License Agreement
    • OAuth Server
  • SUPPORT
  • Installation details
    • Release channels and versions
      • Upgrading and downgrading
      • Downgrade from 2.1.0.2 to 2.0.8.1
    • Package options
    • Developer
  • TECHNICAL DETAILS
    • Architecture Premises
    • Understanding Backup
      • How Backup Works
      • Encryption Algorithms
      • Backup size parameters
    • Understanding Restore
      • How Restore Works
      • Disaster Recovery
    • Database versions
    • Server authentication model
    • Option formats
Powered by GitBook
On this page

Was this helpful?

Export as PDF
  1. TECHNICAL DETAILS

Server authentication model

This page provides an overview of the authentication in Duplicati

PreviousDatabase versionsNextOption formats

Last updated 6 months ago

Was this helpful?

To authenticate with Duplicati, the authenticating system needs a password. There are several ways to define that password as described in the section on . There is no username, as Duplicati does not support the concept of different users, so all access is the same.

The password is not stored in plain text, it is repeatedly hashes with a method to ensure it is not readable from the database. This ensures that even an attacker with access to the database will not be able to obtain a password that can be used to log in.

When the password is provided, it is compared to the hashed value that is stored, and only if the password was the same, is the access granted. The access in Duplicati is granted in the form of a long-lived Refresh Token, usually stored as a protected cookie. Since cookie based authentication has a number of weaknesses, the cookie is only used to obtain a short-lived Access Token.

The Access Token is newer persisted, it only lives in the browsers memory to protect it as much as possible from various attacks. If any tool needs access to call Duplicati, it can also request an access token directly with the password, and then call the API methods with the Access Token.

Once the Access Token expires, a new token must be issued. In the browser, this happens transparently when the expiration is detected. For external tools, this re-issue handling must be implemented.

For some external access, such as the one used by the and , a third token type is issued: Signin Token. The Signin Token is a placeholder for the password and can be used to obtain either a Refresh Token or an Access Token, but it is very short-lived.

As noted in the section on , the issuing of tokens is done with keys stored in the local database. As a precaution, Duplicati keeps track of all refresh tokens it has created, meaning that even with the issuing keys, it is not possible to create a new Refresh Token that will be accepted by the server.

However, it is possible to issue Signin Tokens and Access Tokens, for anyone with access to the signing keys stored in the database. To limit this exposure, it is possible to , but the Access Tokens cannot currently be secured in case the database is compromised.

To avoid leaking the signing keys, it is recommended that the local database is protected by .

Also, note that the default installation does not use SSL/TLS encryption for the server communication, but this can be manually configured with a self-issued certicate.

A more detailed description of how the tokens are generated and issued is in the .

Duplicati Access Password
PBKDF
TrayIcon
ServerUtil
Duplicati Access Password
disable the issuance of Signin Tokens
setting the database field encryption password
forum post on the webserver security