@dkocher commented

On Windows, passwords are encrypted using the Windows Data Protection API (​DPAPI) and stored in the user.config file in the ​application support directory.

https://trac.cyberduck.io/wiki/help/en/howto/connection#GeneralConnectionUseKeychain

65d59a4 commented

Thanks for the reply. So if the keychain setting in preferences isn't applicable to Windows, I'd suggest not showing it in the Windows version as it serves no purpose. It's just confusing.

65d59a4 commented

So I was also testing Google Drive and Cryptomator integration and observed the following:

1. Create bookmark for Google Drive
2. Access Cryptomator Vault in Google Drive by entering (and saving) master password.
3. All works fine.
4. Delete bookmark and history item.
5. Close Cyberduck.
6. Recreate Google Drive bookmark from scratch.
7. Voila, it gives access to the Cryptomator vault without requiring the password again.

Strange. Where was the password saved in the meantime? Shouldn't it be deleted from the system when a bookmark is deleted?

@dkocher commented

If you choose Save Password, the password for the vault is stored encrypted using the Windows Data Protection API in user.config on Windows and can be reused on later attempts to open the encrypted vault regardless of the bookmark used to connect.