Storage Azure

Duplicati on Ubuntu 24.04 on Azure User Guide

| Product: Duplicati on Ubuntu 24.04 LTS on Azure

Overview

Duplicati is free, open source backup software with a modern web interface. It makes secure, space efficient backups: your files are compressed, encrypted with AES-256 on the machine before they are uploaded, and deduplicated so that only the blocks that changed are stored on each run. Backups can be sent to a local folder, a network share or a wide range of cloud storage providers, and the scheduler, retention rules, backup jobs and a file by file restore browser are all driven from the web UI. Because encryption happens before upload, the storage destination only ever sees encrypted blocks.

The cloudimg image installs the pinned Duplicati 2.3.0.4 stable release, runs its server under systemd, and fronts the web UI with an nginx reverse proxy that terminates HTTPS. Duplicati itself binds only to loopback, the web UI and REST API require a password generated uniquely on the first boot of every VM, and the server configuration database is encrypted with a per-VM key so stored destination credentials and backup passphrases are protected at rest. Backed by 24/7 cloudimg support.

What is included:

  • Duplicati 2.3.0.4 running as the duplicati systemd service (self contained .NET 10 build)
  • The Duplicati web UI and REST API bound to loopback 127.0.0.1:8200, never exposed directly
  • An nginx reverse proxy terminating TLS on :443 with a per-VM self-signed certificate, and :80 redirecting to HTTPS
  • A unique web UI password generated on first boot, so no shared credential ships in the image
  • A per-VM settings encryption key so the server configuration database is encrypted at rest
  • An unauthenticated /healthz endpoint for Azure Load Balancer health probes
  • The duplicati-cli command line tool for scripted backups, restores and verification
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a comfortable starting point; Duplicati is light on resources, though large backup sets benefit from more memory. NSG inbound: allow 22/tcp from your management network and 443/tcp for the web UI. Port 80/tcp is optional and only redirects to HTTPS. Duplicati serves the UI over HTTPS with a self-signed per-VM certificate; for production use, put your own domain and a CA-signed certificate or a reverse proxy in front of it (see Maintenance).

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Duplicati by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTPS (443). Then Review + create -> Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name duplicati \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name duplicati --port 443 --priority 1010

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the services are running

systemctl is-active duplicati nginx

Both report active. Duplicati's server serves the web UI and REST API on the loopback connector 127.0.0.1:8200 only; nginx fronts it on port 443 with TLS and redirects port 80 to HTTPS. Because the server binds loopback, the only way in is through the nginx TLS proxy.

The duplicati, nginx and duplicati-firstboot services reported active, and the listening sockets showing the Duplicati server bound only to loopback 127.0.0.1:8200 with nginx on ports 443 and 80

Step 5 - Retrieve your web UI password

Duplicati protects its web UI and REST API with a login password. A unique password is generated on the first boot of your VM and written to a root-only file:

sudo cat /root/duplicati-credentials.txt

This file contains DUPLICATI_URL, the address to open in a browser, and DUPLICATI_PASSWORD, the generated login password. The password is set only in the per-VM options file /etc/default/duplicati (mode 0600), so no shared password ships in the image. Store it somewhere safe.

The installed Duplicati package version 2.3.0.4 and the per-VM credentials file showing the DUPLICATI_URL and the generated DUPLICATI_PASSWORD masked

Step 6 - Confirm the health endpoint

nginx serves an unauthenticated health endpoint for load balancers and probes:

curl -sk https://localhost/healthz

It returns ok. This endpoint never requires authentication, so it is safe for an Azure Load Balancer health probe. A plain request to port 80 returns 301 and redirects to HTTPS.

Step 7 - Confirm authentication is enforced

Because a password is set on first boot, an unauthenticated request to the REST API returns HTTP 401, so nobody reaches your backups without the password. The following reads the per-VM password from the credentials file, proves an unauthenticated call is rejected, then logs in to obtain a token and proves an authenticated call succeeds:

PW=$(sudo grep '^DUPLICATI_PASSWORD=' /root/duplicati-credentials.txt | cut -d= -f2-)
echo "unauth: $(curl -sk -o /dev/null -w '%{http_code}' https://localhost/api/v1/backups)"
TOKEN=$(curl -sk -X POST https://localhost/api/v1/auth/login \
  -H 'Content-Type: application/json' \
  -d "{\"Password\":\"$PW\",\"RememberMe\":false}" \
  | python3 -c 'import sys,json;print(json.load(sys.stdin)["AccessToken"])')
echo "authed: $(curl -sk -o /dev/null -w '%{http_code}' -H "Authorization: Bearer $TOKEN" https://localhost/api/v1/backups)"

It prints unauth: 401 then authed: 200. The login returns a signed JSON Web Token that authorizes every subsequent API call.

The Duplicati REST API returning HTTP 401 with no token and HTTP 200 once authenticated with the per-VM password

Step 8 - Sign in to the web UI

Browse to https://<vm-public-ip>/. Because the certificate is self-signed and unique to your VM, your browser shows a certificate warning the first time; accept it to continue (or install the certificate from /etc/nginx/tls/duplicati.crt to trust it). Duplicati presents a password prompt: enter the password from Step 5 and select Login.

The Duplicati login page served over HTTPS, prompting for the per-VM password before any backup can be reached

Step 9 - The dashboard

After signing in, Duplicati opens on the Home dashboard. The left navigation gives you Add backup, Restore, Destinations and Settings, and the main area lists your backup jobs with their last run time, duration, source and destination sizes, and the number of stored versions.

The Duplicati Home dashboard showing a configured "Documents backup (nightly, encrypted)" job with its last successful backup time, duration, source and destination sizes, and one stored version

Step 10 - Create a backup

Select Add backup to configure a new job. Choose Add a new backup, then step through the wizard: give the backup a name and a strong passphrase (Duplicati encrypts everything with it before upload), pick a destination (a local folder, an SMB or SFTP share, S3, Azure Blob Storage, Backblaze B2, Google Drive and many more), select the source folders to protect, and set an optional schedule and retention policy.

The Duplicati Add a new backup screen offering to configure a new backup by choosing a destination, source data and schedule, or to import an existing backup configuration from a file

Step 11 - Restore files

Select Restore to recover data. Duplicati lists your configured backups; pick one and choose Restore to browse the backup by version and select individual files or folders to bring back. You can also use Direct restore from backup files to recover from a destination on a machine that has no local configuration, which is exactly what you need in a disaster recovery scenario.

The Duplicati Restore screen asking where to restore from, listing the configured "Documents backup" job alongside options to restore directly from backup files or from an exported configuration

Step 12 - Verify a backup and restore from the command line

The image also ships duplicati-cli, so you can script and verify backups without the web UI. The following backs up a folder to a local destination, encrypted with a passphrase, then restores it to a new directory and confirms the restored file is identical:

sudo duplicati-cli backup file:///tmp/dr-dest /etc/hostname --passphrase='choose-a-strong-passphrase'
sudo duplicati-cli restore file:///tmp/dr-dest '*' --restore-path=/tmp/dr-out --passphrase='choose-a-strong-passphrase'

Duplicati reports Backup completed successfully! and then Restored 1 (...) files. The restore round trip proves your encrypted backup can be read back and recovered end to end.

duplicati-cli backing a file up to a local destination reporting Backup completed successfully, then restoring it and confirming the restored file is byte for byte identical to the original

Maintenance

  • Password: the web UI password is set on first boot and stored in /etc/default/duplicati as --webservice-password inside DAEMON_OPTS. To change it, edit that file (as root) and run sudo systemctl restart duplicati.
  • Settings encryption: the server configuration database is encrypted with a per-VM key held in /etc/default/duplicati (SETTINGS_ENCRYPTION_KEY), which protects the destination credentials and passphrases you store in Duplicati. Keep a copy of this file if you need to recover the configuration on another machine.
  • Backup destinations: Duplicati supports local folders, SMB and SFTP, S3 compatible object storage, Azure Blob Storage, Backblaze B2, Google Drive, and many more; add them under Destinations or when creating a backup.
  • Retention: set keep rules per backup (keep a number of versions, or a smart retention schedule) in the backup's options so old versions are pruned automatically.
  • TLS: the UI is served over HTTPS with a self-signed per-VM certificate at /etc/nginx/tls/duplicati.crt. For production, replace it with a CA-signed certificate for your own domain, or place a reverse proxy in front.
  • Upgrades: Duplicati is installed from the official Debian package; to upgrade, download a newer stable release, verify its checksum, install it with apt, and restart the service. Your backup jobs and history are preserved in /var/lib/duplicati.
  • Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.