Kopia server + local repository. Block local restore

Hello,

I work with a dedicated Kopia server with local storage and some clients connected to it.

I want to protect my data so that if the server is hacked, the attacker cannot access all the data.
To do this, the encryption password should be stored not on the server but only on every client.
How can this be done?
Right now the local repository password is saved in /.config/kopia/repository.config.kopia-password
Thank you.

This is my setup -

#On the server
kopia repository create filesystem --path=/bkdata/kopia
kopia server start --tls-cert-file ~/my.cert --tls-key-file ~/my.key --address 0.0.0.0:51515 
kopia server user add usr@hst1

#On the client -
kopia repository connect server --url https://my.server.com:51515 \
  --server-cert-fingerprint ...... \
  --override-username=usr --override-hostname=hst1

Well… I think you can start the Kopia Server with the password in an ENV variable, which you can unset afterwards. Of course you’d have to take a couple of other precautions, like making sure that nothing gets logged in the history and so on.

However, please be assured that if your host ever gets attacked successfully there will be no way your data will stay safe. Attackers might install a keylogger or anything else. So instead of thinking about how to make the attacker’s life miserable once they’re in, better take extra steps to prevent that in the first place.
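
The environment-variable approach from the reply above, as an added example that is not part of the thread or of Kopia's own documentation. It assumes Kopia reads the repository password from `KOPIA_PASSWORD`, that `kopia repository connect` accepts `--no-persist-credentials`, and that the config directory is `$HOME/.config/kopia`; the function names are hypothetical, and the paths and address are the ones from the question.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Kopia reads the repository
# password from KOPIA_PASSWORD and that --no-persist-credentials is available.

# List persisted password files (the *.kopia-password file from the question).
find_persisted_passwords() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name '*.kopia-password'
}

# Prompt without echo, so the password is not in shell history or argv.
read_secret() {
    printf 'Repository password: ' >&2
    stty -echo
    IFS= read -r _secret
    stty echo
    printf '\n' >&2
    printf '%s' "$_secret"
    unset _secret
}

# Run an external command with KOPIA_PASSWORD set only in a subshell; the
# calling shell never holds the exported variable. The value is still readable
# from the running process's environment by root or the same user.
with_kopia_password() (
    KOPIA_PASSWORD=$1
    export KOPIA_PASSWORD
    shift
    exec "$@"
)

# Refuse to start while a password file is on disk, then connect and serve.
# $1 = Kopia config directory (assumed default: $HOME/.config/kopia).
start_server() {
    cfg=${1:-"$HOME/.config/kopia"}
    found=$(find_persisted_passwords "$cfg")
    if [ -n "$found" ]; then
        printf 'Remove persisted password file(s) first:\n%s\n' "$found" >&2
        return 1
    fi
    pw=$(read_secret)
    with_kopia_password "$pw" kopia repository connect filesystem \
        --path=/bkdata/kopia --no-persist-credentials &&
    with_kopia_password "$pw" kopia server start --tls-cert-file ~/my.cert \
        --tls-key-file ~/my.key --address 0.0.0.0:51515
    rc=$?
    unset pw
    return "$rc"
}
```

Calling `start_server` from an interactive shell on the server prompts once for the password; it has to be typed again after every restart, since nothing is written to disk.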