Kopia server + local repository. Block local restore

Hello,

I work with a dedicated kopia server with local storage and some clients connected to it.

I want to protect my data so that if the server is hacked, the attacker cannot access all the data.
To do this, the encryption password should be stored not on the server but only on every client.
How can this be done?
Now the local repository password is saved in /.config/kopia/repository.config.kopia-password.
Thank you.

This is my setup:

# On the server
kopia repository create filesystem --path=/bkdata/kopia
kopia server start --tls-cert-file ~/my.cert --tls-key-file ~/my.key --address 0.0.0.0:51515
kopia server user add usr@hst1

# On the client
kopia repository connect server --url https://my.server.com:51515 \
  --server-cert-fingerprint ...... \
  --override-username=usr --override-hostname=hst1

Well… I think you can start the Kopia Server with the password in an ENV variable, which you can unset afterwards. Of course you’d have to take a couple of other precautions, like making sure that nothing gets logged in the history and so on.

However, please be assured that if your host ever gets attacked successfully there will be no way your data will stay safe. Attackers might install a keylogger or anything else. So instead of thinking about how to make the attacker’s life miserable once they’re in, better take extra steps to prevent that in the first place.

Thank you for your answer.

  1. My goal is that data should be encrypted on the client and sent and stored encrypted on the server. The backup server should not store encryption keys.
  2. The second requirement is that if the client is hacked, the attacker cannot erase the backup copy from the remote backup server
  3. Hacking the backup server should not lead to the disclosure of data from several client servers
  4. And it is important for me that the backup server starts without my intervention and without manual password entry

Therefore, I will probably choose the configuration:
kopia client → sftp → backup server
Additionally, ZFS snapshots on the server, so that it is impossible to erase the backups even after having received the sftp keys.

I would be grateful for any ideas and improvements.

Well, if someone broke into your backup host, they could simply destroy the whole zpool/zfs which holds your backups and be done with it - easy. In this case, you would need a remote ZFS server to send the snapshots to.

You might also want to tweak ZFS for this workload, since you will probably see a lot of maintenance and thus blob rewriting by kopia. Depending on the type of storage device, you might want to play with ZFS sync settings as well. What will your zpool layout be like?
