Enhancement: Store passwords/keys/tokens encrypted in preferences file

[arrrgi]

Background:

Headless or server based systems may not provide a secret vault service for recording encryption passwords and key/token/secret combinations for cloud based storage destinations. A suitable mechanism to mask and protect sensitive passwords and credentials should be sought in place of environment variables or plan text files.

Proposal:

• Option 1: Store key / password combinations as hashed and salted values in preferences file
• Option 2: Decrypt crypted versions of environment variables against RSA or PGP/GPG private keys

Neither method should prompt for a password confirmation as task schedulers such as cron or Windows Task Scheduler may run a duplicacy backup or prune operation in an unattended manner.

[gilbertchen]

I don't think option 1 can work -- how do you recover the original passwords from the hashed values?

For option 2 there is still the problem of how to save/retrieve the keys that are used to encrypt/decrypt the passwords without a secret vault service. The only way is perhaps to hardcode the key in the code, but that would defeat the purpose of encryption.

On Windows, Duplicacy calls the (CryptProtectData](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380261(v=vs.85).aspx) to encrypt passwords. It is not completely secure, but still better than saving the password in plain text.

[arrrgi]

Looking for better proposals to this scenario. Option 2 seems the most logical implementation where a public key is saved in the preferences file and the private key can be used to decrypt the encrypted values. One assumes that a passphrase is not required though to use the private key.

Again, not completely secure but better than nothing right? :)

[mister2d]

@madcatsu I use a Docker image to run Duplicacy that obfuscates the password utilizing environment variables. Using Docker secrets and an environment variable breakout script, it isn't possible to inspect the running container for values.