I’m new to Kopia (long time Borg user, but I need a way to back up natively to S3 for a project) and so far everything is pretty great. Though I am more of a CLI guy, I checked out KopiaUI for fun and have messed around quite a bit with all of the options. Anyway, the one thing that kind of makes Kopia a no-go for my use is that after initializing a repository in S3, it stores the access key and secret access key in plaintext in the user’s homedir. Is there a way to avoid this and to just pass it in at runtime? This way, it can be pulled externally from something like AWS Secrets Manager or Vault. Presently, if a client is compromised, an attacker could also delete all of the backups without much effort.
If this isn’t currently possible, would you consider it as a feature? Can you think of any workarounds in the meantime?
Thanks for bringing this to my attention! I’ve added some comments in your original post. In the meantime, for myself, I wrote a wrapper that strips the config file of my S3 creds and then pulls them from an external source at runtime. It’s not perfect, but it’s better than nothing.
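
One way such a wrapper could look, as an added example that is not the poster's code and not part of Kopia. It assumes the repository config is JSON with the S3 credentials under `storage` → `config` in fields named `accessKeyID`, `secretAccessKey` and `sessionToken`, and that the command accepts Kopia's `--config-file` flag; `fetch_creds` is a hypothetical callable standing in for a Secrets Manager or Vault lookup.

```python
import json, os, subprocess, tempfile
from copy import deepcopy

# Assumed field names inside the "storage" -> "config" object of the
# repository config file; check them against your own file before use.
SECRET_KEYS = ("accessKeyID", "secretAccessKey", "sessionToken")

def scrub(config):
    """Return (copy of config without secrets, names of the fields removed)."""
    clean = deepcopy(config)
    store = clean.get("storage", {}).get("config", {})
    removed = [k for k in SECRET_KEYS if store.pop(k, None) is not None]
    return clean, removed

def hydrate(config, creds):
    """Return a copy of a scrubbed config with the credentials merged back in."""
    unknown = set(creds) - set(SECRET_KEYS)
    if unknown:
        raise ValueError(f"unexpected credential fields: {sorted(unknown)}")
    full = deepcopy(config)
    full.setdefault("storage", {}).setdefault("config", {}).update(creds)
    return full

def run_with_secrets(scrubbed_path, fetch_creds, argv):
    """Run argv + ['--config-file', tmp], where tmp holds the hydrated config.

    tmp is created with mode 0600 inside a 0700 directory and is removed even
    if the command fails. Returns the command's exit code.
    """
    with open(scrubbed_path) as f:
        config = json.load(f)
    if scrub(config)[1]:  # refuse to run if secrets crept back onto disk
        raise RuntimeError(f"{scrubbed_path} still contains credentials")
    with tempfile.TemporaryDirectory() as tmpdir:  # created with mode 0700
        tmp = os.path.join(tmpdir, "repository.config")
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(hydrate(config, fetch_creds()), f)
        return subprocess.call(list(argv) + ["--config-file", tmp])

# Constructed sample config, not taken from a real repository.
SAMPLE = {"storage": {"type": "s3", "config": {
    "bucket": "example-bucket", "accessKeyID": "AKIAEXAMPLE",
    "secretAccessKey": "constructed-secret"}}, "hostname": "host1"}
```

The hydrated file still exists on disk for as long as the command runs, so this shortens the exposure window rather than closing it.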