In our quest to make the upcoming TurnKey 11.0 release more "turnkey", I set out to extend the firstboot inithooks to include application specific configuration hooks such as setting of the admin password, email and domain to serve (where applicable).
I'm glad to announce that the quest is now over, and that puts the end to default passwords.
In TKLBAM the backup key is a secret encrypted with a passphrase which is uploaded to the Hub. Decrypting the backup key yields the secret which is passed on to duplicity (and eventually to GnuPG) to be used as the symmetric key with which backup volumes are encrypted on backup and decrypted on restore.