Kopia repository server installation doc

I managed to have a working backup using Kopia repository server’s feature. I’m on a Debian 9. Here is what I did. If you see something wrong, feel free to comment and/or correct. Once doc is ok, I’ll add it to website

  • Install kopia on server using the appropriate method

  • Create a user on the server (kopia)

useradd kopia
  • Change user’s homedir to a partition with space if your /home doesn’t have enough (could be /opt, /var, etc.)
usermod -d /opt/kopia kopia
  • Create a kopia_conf dir
cd /opt/kopia
mkdir kopia_conf
  • Create a storage directory
mkdir datas
vi /etc/systemd/service/kopia.service
Description=Kopia Server

ExecStart=/usr/bin/kopia server --htpasswd-file full_path/kopia_conf/kopia_auth --tls-cert-file full_path/kopia_conf/kopia.cert --tls-key-file full_path/kopia_conf/kopia.key --address <server IPv4>:51515

# and adjust paths
cd kopia_conf
htpasswd -c kopia_auth user1@host1
# !!! (Lowercase client host)
  • Start server to generate keys
kopia server start --htpasswd-file full_path/kopia_conf/kopia_auth --tls-generate-cert --tls-cert-file full_path/kopia_conf/kopia.cert --tls-key-file full_path/kopia_conf/kopia.key --address <server IPv4>:51515
# !!! Write down the hash SERVER CERT SHA256
  • Configure repository
    Connect to web interface https://<server_ip>:51515 with credentials created earlier
    Create a local storage Dir : “datas”

  • Stop server and start service
    Stop server ()
    start kopia service

systemctl start kopia.service
  • Connect with client (kopiaUI)
  1. Start KopiaUI, fill the fields with according informations
  2. enter server address : https://<server_ip>:51515
  3. use SERVER CERT SHA256 generated earlier
  4. use password created earlier
  5. add directories to backup
  6. create snapshots

That’s nice, note you can also use pre-existing trusted TLS certificate files.

For example If you own somedomain.com you can use LetsEncrypt to generate trusted cert and key for kopia.somedomain.com and use that instead of your server IP and since the cert is trusted you won’t need to pass SHA256 at all.


As it took me several tries to setup a kopia server (in my case on a raspberry pi using the nextcloudpi image) and connect to it, here the steps that did work for me:

# create a user to run the kopia server
sudo adduser kopia
sudo usermod -a -G kopia kopia
# it makes life easier if you can access the conf & repo as the default 'pi' user
sudo usermod -a -G kopia pi

# allow access to this port from outside, nextcloudpi uses the universal firewall
sudo ufw allow 51515/tcp comment 'kopia server'

# now some steps as user kopia
sudo su - kopia
mkdir kopia_conf
cd kopia_conf

# this might be no longer necessary, I'm not sure?
htpasswd -c kopia_auth myuser@another-host

# IMPORTANT: You need to connect locally to server's repo before the server is started!
kopia repository connect filesystem --path=.../repo/

# Once connected, you can then add users:
kopia server user add $USER@$HOSTNAME
kopia server user add myuser@another-host

# NOW: at the FIRST server start: generate KEY & write down fingerprint

kopia server start --htpasswd-file /home/kopia/kopia_conf/kopia_auth --tls-generate-cert --tls-cert-file /home/kopia/kopia_conf/kopia.cert --tls-key-file /home/kopia/kopia_conf/kopia.key --address 192.168.178.xx:51515`

# next starts: keep certificate
kopia server start --htpasswd-file /home/kopia/kopia_conf/kopia_auth --tls-cert-file /home/kopia/kopia_conf/kopia.cert --tls-key-file /home/kopia/kopia_conf/kopia.key --address 192.168.178.xx:51515

And to connect from a client, connect to the this nice server from myuser@another-host (added above as user):

kopia repository connect server --url https://192.168.178.xx:51515 --server-cert-fingerprint  <fingerprint-noted-from-above>
kopia snapshot create ...

I plan to improve the documentation and provide a PR, as soon as I have some spare time.

Do I really need to use tls certificates? I will be connecting over VPN so not sure if it is really necessary to have additional certificates? I remember having issues in the browser when I tried to open the local web page