Duplicati on Ubuntu 24.04 on Azure User Guide
Overview
Duplicati is free, open source backup software with a modern web interface. It makes secure, space efficient backups: your files are compressed, encrypted with AES-256 on the machine before they are uploaded, and deduplicated so that only the blocks that changed are stored on each run. Backups can be sent to a local folder, a network share or a wide range of cloud storage providers, and the scheduler, retention rules, backup jobs and a file by file restore browser are all driven from the web UI. Because encryption happens before upload, the storage destination only ever sees encrypted blocks.
The cloudimg image installs the pinned Duplicati 2.3.0.4 stable release, runs its server under systemd, and fronts the web UI with an nginx reverse proxy that terminates HTTPS. Duplicati itself binds only to loopback, the web UI and REST API require a password generated uniquely on the first boot of every VM, and the server configuration database is encrypted with a per-VM key so stored destination credentials and backup passphrases are protected at rest. Backed by 24/7 cloudimg support.
What is included:
- Duplicati 2.3.0.4 running as the
duplicatisystemd service (self contained .NET 10 build) - The Duplicati web UI and REST API bound to loopback
127.0.0.1:8200, never exposed directly - An nginx reverse proxy terminating TLS on
:443with a per-VM self-signed certificate, and:80redirecting to HTTPS - A unique web UI password generated on first boot, so no shared credential ships in the image
- A per-VM settings encryption key so the server configuration database is encrypted at rest
- An unauthenticated
/healthzendpoint for Azure Load Balancer health probes - The
duplicati-clicommand line tool for scripted backups, restores and verification - 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a comfortable starting point; Duplicati is light on resources, though large backup sets benefit from more memory. NSG inbound: allow 22/tcp from your management network and 443/tcp for the web UI. Port 80/tcp is optional and only redirects to HTTPS. Duplicati serves the UI over HTTPS with a self-signed per-VM certificate; for production use, put your own domain and a CA-signed certificate or a reverse proxy in front of it (see Maintenance).
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Duplicati by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTPS (443). Then Review + create -> Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name duplicati \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--ssh-key-values ~/.ssh/id_ed25519.pub \
--vnet-name <your-vnet> --subnet <your-subnet> \
--public-ip-sku Standard
az vm open-port --resource-group <your-rg> --name duplicati --port 443 --priority 1010
Step 3 - Connect to your VM
ssh azureuser@<vm-public-ip>
Step 4 - Confirm the services are running
systemctl is-active duplicati nginx
Both report active. Duplicati's server serves the web UI and REST API on the loopback connector 127.0.0.1:8200 only; nginx fronts it on port 443 with TLS and redirects port 80 to HTTPS. Because the server binds loopback, the only way in is through the nginx TLS proxy.

Step 5 - Retrieve your web UI password
Duplicati protects its web UI and REST API with a login password. A unique password is generated on the first boot of your VM and written to a root-only file:
sudo cat /root/duplicati-credentials.txt
This file contains DUPLICATI_URL, the address to open in a browser, and DUPLICATI_PASSWORD, the generated login password. The password is set only in the per-VM options file /etc/default/duplicati (mode 0600), so no shared password ships in the image. Store it somewhere safe.

Step 6 - Confirm the health endpoint
nginx serves an unauthenticated health endpoint for load balancers and probes:
curl -sk https://localhost/healthz
It returns ok. This endpoint never requires authentication, so it is safe for an Azure Load Balancer health probe. A plain request to port 80 returns 301 and redirects to HTTPS.
Step 7 - Confirm authentication is enforced
Because a password is set on first boot, an unauthenticated request to the REST API returns HTTP 401, so nobody reaches your backups without the password. The following reads the per-VM password from the credentials file, proves an unauthenticated call is rejected, then logs in to obtain a token and proves an authenticated call succeeds:
PW=$(sudo grep '^DUPLICATI_PASSWORD=' /root/duplicati-credentials.txt | cut -d= -f2-)
echo "unauth: $(curl -sk -o /dev/null -w '%{http_code}' https://localhost/api/v1/backups)"
TOKEN=$(curl -sk -X POST https://localhost/api/v1/auth/login \
-H 'Content-Type: application/json' \
-d "{\"Password\":\"$PW\",\"RememberMe\":false}" \
| python3 -c 'import sys,json;print(json.load(sys.stdin)["AccessToken"])')
echo "authed: $(curl -sk -o /dev/null -w '%{http_code}' -H "Authorization: Bearer $TOKEN" https://localhost/api/v1/backups)"
It prints unauth: 401 then authed: 200. The login returns a signed JSON Web Token that authorizes every subsequent API call.

Step 8 - Sign in to the web UI
Browse to https://<vm-public-ip>/. Because the certificate is self-signed and unique to your VM, your browser shows a certificate warning the first time; accept it to continue (or install the certificate from /etc/nginx/tls/duplicati.crt to trust it). Duplicati presents a password prompt: enter the password from Step 5 and select Login.

Step 9 - The dashboard
After signing in, Duplicati opens on the Home dashboard. The left navigation gives you Add backup, Restore, Destinations and Settings, and the main area lists your backup jobs with their last run time, duration, source and destination sizes, and the number of stored versions.

Step 10 - Create a backup
Select Add backup to configure a new job. Choose Add a new backup, then step through the wizard: give the backup a name and a strong passphrase (Duplicati encrypts everything with it before upload), pick a destination (a local folder, an SMB or SFTP share, S3, Azure Blob Storage, Backblaze B2, Google Drive and many more), select the source folders to protect, and set an optional schedule and retention policy.

Step 11 - Restore files
Select Restore to recover data. Duplicati lists your configured backups; pick one and choose Restore to browse the backup by version and select individual files or folders to bring back. You can also use Direct restore from backup files to recover from a destination on a machine that has no local configuration, which is exactly what you need in a disaster recovery scenario.

Step 12 - Verify a backup and restore from the command line
The image also ships duplicati-cli, so you can script and verify backups without the web UI. The following backs up a folder to a local destination, encrypted with a passphrase, then restores it to a new directory and confirms the restored file is identical:
sudo duplicati-cli backup file:///tmp/dr-dest /etc/hostname --passphrase='choose-a-strong-passphrase'
sudo duplicati-cli restore file:///tmp/dr-dest '*' --restore-path=/tmp/dr-out --passphrase='choose-a-strong-passphrase'
Duplicati reports Backup completed successfully! and then Restored 1 (...) files. The restore round trip proves your encrypted backup can be read back and recovered end to end.

Maintenance
- Password: the web UI password is set on first boot and stored in
/etc/default/duplicatias--webservice-passwordinsideDAEMON_OPTS. To change it, edit that file (as root) and runsudo systemctl restart duplicati. - Settings encryption: the server configuration database is encrypted with a per-VM key held in
/etc/default/duplicati(SETTINGS_ENCRYPTION_KEY), which protects the destination credentials and passphrases you store in Duplicati. Keep a copy of this file if you need to recover the configuration on another machine. - Backup destinations: Duplicati supports local folders, SMB and SFTP, S3 compatible object storage, Azure Blob Storage, Backblaze B2, Google Drive, and many more; add them under Destinations or when creating a backup.
- Retention: set keep rules per backup (keep a number of versions, or a smart retention schedule) in the backup's options so old versions are pruned automatically.
- TLS: the UI is served over HTTPS with a self-signed per-VM certificate at
/etc/nginx/tls/duplicati.crt. For production, replace it with a CA-signed certificate for your own domain, or place a reverse proxy in front. - Upgrades: Duplicati is installed from the official Debian package; to upgrade, download a newer stable release, verify its checksum, install it with
apt, and restart the service. Your backup jobs and history are preserved in/var/lib/duplicati. - Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.
Support
cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.