Kopia Server, Repository Server, and other associated Questions

Hi - Thanks for a great app.

I can see when opening the electron KopiaUI.app that it spawns (on Mac) a few different processes, including the kopia server:

/developer/git/kopia/dist/kopia-ui/mac/KopiaUI.app/Contents/Resources/server/kopia server --ui --tls-print-server-cert --tls-generate-cert-name=localhost --random-password --tls-generate-cert --shutdown-on-stdin --address=localhost:0 --config-file /Users/zeus/Library/Application Support/kopia/repository.config

Running lsof -p (passing the process id associated with the server above), I see it listens on a random port …

TCP localhost:62486 (LISTEN)

The /Users/zeus/Library/Logs/kopia/cli-logs/kopia-20220201-122521-4062-server-start.log shows …
2022-02-01T12:25:23.035675Z DEBUG kopia/server generated random auth cookie signing key: cbc07c72-6a47-455c-97b4-55088d9debca
2022-02-01T12:25:23.036421Z INFO kopia/cli Server will close when stdin is closed…
2022-02-01T12:25:23.037175Z DEBUG tls generating new TLS certificate
2022-02-01T12:25:24.712283Z DEBUG tls adding alternative DNS name to certificate: localhost
2022-02-01T12:25:24.720688Z INFO kopia/cli Open the address above in a web browser to use the UI.

If I manually start the kopia server using the exact same command I get the normal console output which would otherwise get gobbled up by the kopia-ui electron app.

e.g.

SERVER PASSWORD: 7715b07998767b57186d602e2437cb1f2e46e8575ea699b4a18ae74f4a552201

Server will allow connections from users whose accounts are stored in the repository.
User accounts can be added using ‘kopia server user add’.

SERVER CERT SHA256: 89814faa17c1600c4aaf86e1faab8a328d1a37a063b141a53a0e54c11b0937ff
SERVER CERTIFICATE: [PEM certificate omitted]
SERVER ADDRESS: https://127.0.0.1:63315
Open the address above in a web browser to use the UI.

Looking at cli/command_server_start.go, it looks like there is an insecure flag which could potentially be passed to prevent the server from using TLS, and thus allow me to capture regular HTTP traffic using Wireshark.

Short of editing app/public/server.js and rebuilding the UI with custom flags like --insecure, is there any way to pass command-line argument flags via the electron app that in turn get passed to the server process it spawns?

As for the user leveraged by the electron UI's browser part to connect to the kopia server, it looks like it leverages the “kopia” user with a 64-hex-character password that is generated when the server starts.

                    'Authorization': 'Basic ' + Buffer.from("kopia" + ':' + runningServerPassword).toString('base64')

Is there anywhere to view this password if the server is spawned from electron app (kopia-ui) ?

How does the generated random auth cookie signing key, seen in the regular log file, come into play? cbc07c72-6a47-455c-97b4-55088d9debca

As far as kopia standalone versus kopia server versus kopia repository server go… is the following reasonably accurate?

kopia standalone (i.e. without providing the server option) launches no TCP listen socket, performs the specified action provided as an argument to the command (like snapshot or maintenance) and immediately terminates. It can leverage the zalando/go-keyring module to pull the repository password from the keychain on Mac (from the relevant repository.config-<first 16 hex digits of the sha256 digest of the repository.config file path>), which in turn is leveraged in part to decrypt the “encryptedBlockFormat” block from the kopia.repository file in back-end storage.

kopia-ui (electron app) spawns “kopia server” (the kopia process with the server argument) listening locally on the loopback adapter on a dynamic port, with a single ‘kopia’ user configured. The browser part of the electron app connects to the kopia server on the relevant TCP port using basic authentication with the kopia user. The kopia server, by virtue of running persistently in the background, is able to run tasks like scheduled snapshots, old snapshot removal, and repository maintenance.

kopia repository server is essentially the manual spawning of “kopia server” with some seeded users. Clients (be it kopia standalone, or kopia-ui, typically on separate machines) can use the repository server as a special type of storage provider (similar to how they may use S3 or filesystem). The difference, however, is that clients transmit unencrypted content to this repository server, which is subsequently encrypted by the repository server and pushed out to back-end storage providers. The clients never know the encryption key used by the repository server for the back-end storage provider, nor do they know the back-end storage provider access credentials. The clients do, however, require access to the HMAC secret for deduplication purposes.

Is there much inaccurate above?

Side question - would an enterprise like Google / Amazon etc ever allow an application like kopia (in UI/server mode) to be installed on employee machine given it spawns a local TCP listen socket?
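As an added illustration (not kopia's own code, and not part of the original post), the following stdlib-only Python models three mechanisms the post walks through: the keychain item name as the poster describes it (`repository.config-` plus the first 16 hex digits of the SHA-256 of the config path, taken here as an assumption), the Basic auth header the quoted server.js line builds for the `kopia` user, and a pinning check of a DER certificate against the `SERVER CERT SHA256` fingerprint the server prints at startup.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption from the post: keychain entry name is
# "repository.config-" + first 16 hex digits of sha256(config file path).
def keyring_item_name(config_path: str) -> str:
    digest = hashlib.sha256(config_path.encode("utf-8")).hexdigest()
    return f"repository.config-{digest[:16]}"

# The post observes a 64-hex-character password generated at server start;
# 32 random bytes rendered as hex has exactly that shape.
def generate_server_password() -> str:
    return secrets.token_hex(32)

# Mirrors the quoted server.js line: 'Basic ' + base64("kopia:" + password).
def basic_auth_header(password: str, user: str = "kopia") -> str:
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token

# Inverse of basic_auth_header, for inspecting what the UI actually sends.
def decode_basic_auth(header: str) -> tuple[str, str]:
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, password = base64.b64decode(token).decode("utf-8").split(":", 1)
    return user, password

# Hex SHA-256 over the DER bytes, the form printed as SERVER CERT SHA256.
def cert_sha256(der_cert: bytes) -> str:
    return hashlib.sha256(der_cert).hexdigest()

# Pinning check: a client that was handed the printed fingerprint (as KopiaUI is,
# via --tls-print-server-cert) compares it against the certificate it received.
def cert_matches_pin(der_cert: bytes, printed_fingerprint: str) -> bool:
    return hmac.compare_digest(cert_sha256(der_cert), printed_fingerprint.strip().lower())

# Constructed stand-in for DER certificate bytes; a real check would use
# ssl.get_server_certificate(...) converted to DER via ssl.PEM_cert_to_DER_cert.
CONSTRUCTED_DER = b"\x30\x82\x01\x0a" + bytes(range(256))

if __name__ == "__main__":
    cfg = "/Users/zeus/Library/Application Support/kopia/repository.config"
    print("keychain item:", keyring_item_name(cfg))
    pw = generate_server_password()
    print("header:", basic_auth_header(pw)[:30] + "...")
    print("pin ok:", cert_matches_pin(CONSTRUCTED_DER, cert_sha256(CONSTRUCTED_DER)))
```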

This is pretty much accurate - you did a great job with the discovery here.

As for whether listening on a port is considered secure: the connection is authenticated over TLS, requires a single-use password that nobody else knows (it’s only printed to stderr and analyzed by KopiaUI); on top of this the listening socket is on localhost so can’t be reached from the network, and the port is random.

The reality these days is that most desktop apps are web-based and many if not most of them launch servers on localhost to serve the UI and API.

If you have any specific security concerns that might be sensitive, email security@kopia.io.