Duplicati: Free, open-source backup client

Duplicati is an open-source backup client that creates encrypted, incremental, compressed backup sets and sends them to cloud storage services or remote file servers.

What the project is and where it runs

Duplicati operates as a client-side application designed to back up files and folders from endpoints and servers. It runs locally, collects selected data, packages it into backup volumes, and transfers those volumes to a configured destination. Restore operations support individual files, folders, and point-in-time recovery based on stored versions.

The project runs on Windows, macOS, and Linux systems and relies on the .NET runtime. Administrators commonly deploy it on servers, desktops, or headless systems where scheduled backups run without user interaction.

How administrators typically set it up

A typical deployment begins with defining a backup job. That job specifies the data to include, optional exclude rules, the destination backend, encryption settings, and the execution schedule. Retention and versioning policies control how many backup versions remain available over time.

Storage destinations range from object storage services to hosted drive platforms and protocol-based servers. Configuration requires service-specific details such as bucket names, endpoints, usernames, passwords, or access tokens, depending on the destination type.

Duplicati also supports command-line operation. This allows administrators to create, manage, and run backup jobs through scripts or automation tools in environments where a web interface is less practical.

Storage destinations that commonly appear

Duplicati supports a broad set of storage backends. These include S3-compatible object storage, hosted cloud drive services, and network protocols such as FTP, SFTP over SSH, and WebDAV. Each backend uses its own connection parameters and authentication model.

From a security standpoint, this flexibility means backups may be stored outside the same administrative or network boundary as the source system. That placement introduces questions around credential scope, token lifetime, and access paths to stored backup data.

Encryption as part of normal operation

Encryption is configured at the backup job level and applied before data leaves the source system. Encrypted backups are written to the destination as compressed volumes, with encryption keys derived from a passphrase supplied during setup.

Operationally, that passphrase functions as a high-value secret. Teams typically handle it through existing credential management practices, including secure storage, access restrictions, and documented recovery procedures. Loss of the passphrase directly affects the ability to restore encrypted data.

The local service and web interface model

Duplicati often runs as a local service that exposes a web-based interface for configuration and monitoring. Administrators access the interface through a browser to define jobs, review logs, and manage restores.

This model places importance on service exposure decisions. Access controls, network binding settings, and host-level firewall rules determine who can reach the interface. Local file permissions also matter, since configuration files and metadata can contain destination credentials and encryption-related material.
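A small audit sketch for the two exposure points described above, added here as an example and not taken from the Duplicati project: it flags listeners on the interface port that are bound beyond loopback, and files in the service's data directory that group or other users can access. It assumes a Linux host with `ss -ltn` style output and POSIX file modes; the port number 8200, the sample listener lines and the `BACKUP_DATA_DIR` variable are constructed for illustration.

```python
import ipaddress
import os
import stat

# Constructed sample of `ss -ltn` output; port 8200 is an assumed UI port.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8200     0.0.0.0:*
LISTEN 0      128    0.0.0.0:8200       0.0.0.0:*
LISTEN 0      128    [::1]:8200         [::]:*
LISTEN 0      128    *:8200             *:*
LISTEN 0      128    [::]:22            [::]:*
"""

def exposed_listeners(ss_output, port):
    """Return local addresses listening on `port` that are not loopback-only."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skips the header row and malformed lines
        host, _, lport = fields[3].rpartition(":")
        if lport != str(port):
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False  # "*" or unparsable: treat as a wildcard bind
        if not loopback:
            exposed.append(fields[3])
    return exposed

def loose_files(root):
    """Return (path, octal mode) for regular files that group or others can access."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)

if __name__ == "__main__":
    print(exposed_listeners(SAMPLE_SS, 8200))
    # Hypothetical placeholder: point this at the service's real data directory.
    print(loose_files(os.environ.get("BACKUP_DATA_DIR", ".")))
```

Any address the first function returns is reachable from off-host unless a firewall rule blocks it; any file the second returns is readable or writable by accounts other than the service owner.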

Security signals from ongoing development

Security-related discussions occasionally surface in the project’s issue tracker and change history. These discussions often focus on authentication behavior, handling of local secrets, and assumptions made by the service when generating session tokens or accessing configuration data.

For defenders, this reinforces the need to treat the backup service and its local data stores as sensitive components. Tracking upstream changes and reported issues helps teams adjust hardening guidance and deployment patterns over time.

Duplicati is available for free on GitHub.
