Option to not store s3 access key and secret key


I’m new to kopia (long time borg user, but I need a way to back up natively to s3 for a project) and so far everything is pretty great. Though I am more of a CLI guy, I checked out KopiaUI for fun and have messed around quite a bit with all of the options. Anyway, the one thing that kind of makes kopia a no-go for my use is that after initializing a repository in s3, it stores the access key and secret access key in plaintext in the user’s homedir. Is there a way to avoid this and to just pass it in at runtime? This way, it can be pulled externally from something like AWS secrets manager or Vault. Presently, if a client is compromised, an attacker could also delete all of the backups without much effort.

If this isn’t currently possible, would you consider it as a feature? Can you think of any workarounds in the meantime?



@jrdemasi not sure if you had a chance to review this:

He’s offering some workarounds to a similar problem + indicating this S3 specific issue will be looked at for future releases.

Thanks for bringing this to my attention! I’ve added some comments in your original post. In the meantime, for myself, I wrote a wrapper that strips the config file of my s3 creds and then pulls them from an external source at runtime. It’s not perfect, but it’s better than nothing. 🙂
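
The wrapper approach described in the last post, sketched as an added example; it is not the poster's script or Kopia's own code. It assumes the repository config is JSON with the S3 settings under `storage.config` in fields named `accessKeyID`, `secretAccessKey` and `sessionToken`, that the external secret source is represented by environment variables the caller has populated, and that the repository password is supplied separately (for example via `KOPIA_PASSWORD`).

```python
import json, os, subprocess, sys, tempfile

# Assumed field names for S3 settings under storage.config in the repository config.
SECRET_KEYS = ("accessKeyID", "secretAccessKey", "sessionToken")
# Constructed sample config; bucket and key values are placeholders.
SAMPLE_CONFIG = {"storage": {"type": "s3", "config": {
    "bucket": "example-bucket", "accessKeyID": "AKIAEXAMPLE",
    "secretAccessKey": "example-secret"}}}

def strip_credentials(config):
    """Return a deep copy of the config with S3 credential fields removed."""
    clean = json.loads(json.dumps(config))
    storage = clean.get("storage", {})
    if storage.get("type") == "s3":
        for key in SECRET_KEYS:
            storage.get("config", {}).pop(key, None)
    return clean

def inject_credentials(config, creds):
    """Return a copy of the config with runtime credentials merged in."""
    merged = strip_credentials(config)
    if merged.get("storage", {}).get("type") != "s3":
        raise ValueError("not an S3 repository config")
    missing = [k for k in SECRET_KEYS[:2] if not creds.get(k)]
    if missing:
        raise ValueError("missing credentials: " + ", ".join(missing))
    wanted = {k: creds[k] for k in SECRET_KEYS if creds.get(k)}
    merged["storage"].setdefault("config", {}).update(wanted)
    return merged

def fetch_credentials(env=os.environ):
    """Stand-in for a Vault or Secrets Manager lookup (hypothetical helper)."""
    return {"accessKeyID": env.get("AWS_ACCESS_KEY_ID"),
            "secretAccessKey": env.get("AWS_SECRET_ACCESS_KEY"),
            "sessionToken": env.get("AWS_SESSION_TOKEN")}

def run_kopia(stripped_path, kopia_args):
    """Run kopia against a short-lived config that holds the credentials."""
    with open(stripped_path) as fh:
        config = inject_credentials(json.load(fh), fetch_credentials())
    fd, tmp = tempfile.mkstemp(suffix=".config")  # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(config, fh)
        return subprocess.call(["kopia", "--config-file", tmp, *kopia_args])
    finally:
        os.remove(tmp)  # remove the credential-bearing copy once kopia exits

if __name__ == "__main__":
    sys.exit(run_kopia(sys.argv[1], sys.argv[2:]))
```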