How to use the credentials stored in the keyring/credential manager?

I connected to my local repository via kopia repository connect filesystem --path=d:\kopia\ --config-file=C:\Users\%UserName%\AppData\Roaming\kopia\custom.config --use-credential-manager and the password got saved in Windows Credential Manager. How can I, similarly the way KopiaUI.exe does, mount the repository from the command line using the password stored in the credentials manager in order to avoid the password prompt at each connection attempt?
Thank you in advance for your comment.

Similar question in Linux environment has been asked here. Here it was suggested that it may be due to missing privilege, which I preclude since it occurs when running as local user or as admin.

1 Like

Ya, the documentation website is very sparse about it except for 1 line :confused:
It seems like there’s only --use-credential-manager and --no-use-credential-manager
I guess everything is supposed to happen automagically :thinking: :person_shrugging:

1 Like

I too would like to read the repo password from file or the keyring, and have not figured out a way to do that yet. Did you guys find out anything useful?

You can pass your password in KOPIA_PASSWORD env variable or flag -p, --password=PASSWORD, so you can use your OS specific password manager software to retrieve password and connect to your repo.

PASSWORD = $(retrieve_password_from_keychain)
kopia repository connect ...--password=$PASSWORD...

Here some info how to do this in macOS:

For other systems you have to check documentation how to work with your specific key chain/password manager.

Thanks, but I cannot do
PASSWORD = $(retrieve_password_from_keychain)
…when starting my docker with entrypoint “kopia server start”, as the container manager I am using will just escape the command and the content on 1:1 instead of parsing and running it. So I have to leave the password in my docker config files for the -p option or setting the env variable, which I do not like.

Is there really no way to have kopia/the server read the password from a file on startup? Something like --password-file XYZ etc.?

Use environment variable then

Not sure what you mean. As I wrote above, if I use an env variable, I need to put the pwd in clear text in the docker config file of the system I am using, which I want to avoid.

I am not sure why to run kopia using docker… it is stand-alone binary. It seems for me like a lot of trouble for nothing:) + limitations.

But maybe there are some situations when it makes sense - definitely I am not an expert here.

Of course, fully understand where you are coming from. My use case is that I use kopia web gui on a NAS system, where most stuff is added via docker containers. The system itself is immutable, but has really nice support for addons via docker.

This works really well, except for the litte inconvenience of exposing the password in the docker config. It’s no big deal, but my inner monk would definitely prefer to have it in a file :slight_smile:

Ok get it now. Thx for explaining.

1 Like

Not to hijack the thread, but I’m on exploration for a new NAS system. “Immutable” sounds nice to my ears. May I ask what is the system your talking about?

It means you are backing your data up into a repository which only gives your backup client limited access. You can push new items into the repository, but there are restrictions on other operations like writes or deletes. Depending on exact setup they are either not allowed, or after the delete operation the files are kept for a “retention period” during which they can still be recovered.

The idea is that if the client which runs your backup is compromised, and an attacker/ransomware attempts to destroy your backup copies, they are severely limited in their destructive potential.