Kopia with encrypted rclone config

Hi! I couldn’t find a manual on how to use Rclone with Kopia on macOS while keeping the rclone.conf file encrypted. So let me share my solution and ask for your feedback.

  1. I encrypted rclone.conf using rclone config.
  2. I saved the password in Keychain with security add-generic-password.
  3. I created a launchd agent for Kopia with an environment variable for Rclone:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>RCLONE_PASSWORD_COMMAND</key>
        <string>/usr/bin/security find-generic-password -a USER -s rclone -w</string>
    </dict>
...

This configuration seems to work, but is there a better way to allow Kopia to work with an encrypted rclone.conf?

I think your way is very neat and nicely fits into macOS “way” of managing services.

1 Like

Thanks for your reply. Both this one and your other replies on this forum are helpful for newcomers like me.

1 Like

@sorgel

Can you eli5 how you did this (give the steps)?

I think at minimum your launchd agent shared here is missing some lines, it would be great if you could share the full plist.

1 Like

Hi, Matvei! Happy to help, but I’m not sure that our setups are close enough to make my explanation useful. So, feel free to ask about details or criticize my suggestions — they could be suboptimal.

In my case, I already had:

  • Rclone with encrypted config.
  • Kopia with generated TLS certificate and an added user.

In this case, all we need is:

  • Allow kopia to work with the encrypted rclone config.
  • Make macOS run kopia as a daemon.

Allow kopia to work with the encrypted rclone config

We are going to run Rclone with Kopia, so we aren’t able to input the password interactively. So we’ll put the password in the rclone environment variable RCLONE_PASSWORD_COMMAND.

  1. On macOS we can save our password to the keychain with the command-line util security. Run in the terminal:
security add-generic-password -a ACCOUNT -s SERVICE -w PASSWORD

You can put anything in place of ACCOUNT and SERVICE; they are needed only for further reference. Instead of PASSWORD put your rclone password.

  2. To put the password command into RCLONE_PASSWORD_COMMAND and test it, run:
export RCLONE_PASSWORD_COMMAND='security find-generic-password -a ACCOUNT -s SERVICE -w'
rclone config

Replace ACCOUNT and SERVICE with the values you used in the previous step.

If everything is fine, rclone config will open without asking for your password for decryption.

Now, if you run kopia server from the same terminal instance, it will be able to access the encrypted rclone config. In a new terminal instance the “export…” command will need to be repeated.

Make macOS run kopia as a daemon

Create a new file at ~/Library/LaunchAgents/com.example.kopia.plist.
My example: kopia plist template · GitHub

A few notes:

    <dict>
        <key>RCLONE_PASSWORD_COMMAND</key>
        <string>/usr/bin/security find-generic-password -a ACCOUNT -s SERVICE -w</string>
    </dict>

Here we do the same thing as before: putting the rclone password command into the environment variable. So replace the values with your own.

    <array>
        <string>/opt/homebrew/bin/kopia</string>
        <string>server</string>
        <string>start</string>
        <string>--tls-cert-file=PATH_CERT_PATH</string>
        <string>--tls-key-file=KEY_CERT_PATH</string>
        <string>--address=0.0.0.0:51515</string>
        <string>--server-username=KOPIA_USER</string>
    </array>

These options depend on your setup and the preferred authentication method.

    <key>Debug</key>
    <true/>
    <key>StandardOutPath</key>
    <string>PATH_LOGS</string>
    <key>StandardErrorPath</key>
    <string>PATH_ERROR_LOGS</string>

This section can be omitted. I still watch the logs as I’m quite new to kopia. If you also prefer to save logs, replace PATH_LOGS and PATH_ERROR_LOGS with paths of your choice. Or remove this section.

With the plist file saved, three commands will help to test it (501 is the UID of the logged-in user; check yours with id -u):
Run the daemon:
launchctl bootstrap gui/501 ~/Library/LaunchAgents/com.example.kopia.plist

Stop the daemon:
launchctl bootout gui/501 ~/Library/LaunchAgents/com.example.kopia.plist

Check if the daemon is running:
launchctl list | grep kopia

That’s it. Please, let me know if I’ve missed something. I sure have.

@sorgel

I am using Kopia UI.

So, when I set it to start on boot (right click menu bar icon), it added KopiaUI.plist in launch agents by itself.

I just added the environment variable to that.

Is there any reason I shouldn’t do this?

Also, I tried to require user authentication by removing security from the pre-authorized apps in keychain, but it seems to request the password too much to be practical. Is there any other way to increase security?

I haven’t tried KopiaUI, but it seems to work the same way. So it should be fine to call security from KopiaUI.plist.

In regards to the security of the security command, I have more trust in Apple developers than in me, so I haven’t tried to change anything.

But if you prefer to input the password manually, why ever bother with daemon? Looks like in such a case the user can start Kopia manually and input the password one time on start.

It’s also possible to use other password managers. For example, KeePassXC can print the password to stdout instead of security. Maybe one of the 3rd-party password managers will suit your workflow better.

Unfortunately, I’m not the person to ask about security of such solutions.

This seems to work okay, except if I quit and reopen Kopia (e.g. after an update) it loses its environment variable.

Is there any way to solve this?

So, the first reason I would think about is that you don’t start kopia with “bootstrap… .plist” but with some other command, so the .plist config doesn’t play a role. But I don’t have KopiaUI, so I don’t know what commands are there to start it.

This step is redundant IMO… as kopia already stores password in macOS keychain.

You can retrieve it by running:

security find-generic-password -w -s "repository.config-#######"

returns:

go-keyring-base64:xxxxxxxx

Then you have to decode the base64-encoded “xxxxxxxx” to get the password itself.

Oh, @kapitainsky, is Kopia able to store the password for rclone.config, not repository.config?

If that is the case I’ve totally missed this.

We are talking about rclone config password, not the Kopia repository password?

You are right. I mixed things:)

1 Like