In the current version the config file stores the repository password in cleartext.
Are there any plans or a timeline for when this bad situation will be solved?
It would be a simple solution to just encrypt this entry with the Kopia password.
Windows 11 Home x64 Version 22H2 (OS Build 22621.1344)
This of course depends on whether you want to be able to make unattended backups or not.
If you encrypt the pw, then someone needs to feed this pw to unlock it. In order to make unattended backups, you would need to stash this second pw somewhere. And then you could just steal or abuse this one, so it should be protected… and so on.
There is already a stored Kopia password with no need to enter it after the first setup.
If this password were used to encrypt the config, no one could read the config in the file system, but Kopia could still use it because it has the key to decrypt it.
Only if I want to change something in the config file by hand would I have to decrypt it.
I just meant that if you have one stashed password that can be used to unlock the second pw, then both are practically unlocked. You could encrypt the second as hard as you like, but if kopia already has all the code to undo the super-encryption then an evil file-reader will read out the super-encrypted repo key, and the easy-to-get kopia pw and run the same decrypt code and get the repo pw anyhow.
If someone steals your repo-pw and … does not download kopia to abuse it, then you are safe, are you not? I mean, the evil person who stole your cleartext pw but can’t figure out what program it goes to, would still mean all your data is fine.
Not that anyone thinks it would be hard to download kopia from the internet, but if that is what is “protecting” me, I’d rather have it in clear text and know it needs to be kept from prying eyes, than think it is safe when it is not.
Well, having dealt with some audits already, I can assure you that you will even have a hard time getting an auditor to recognize Kopia as a viable backup app in the first place.
So the first and foremost thing is to secure the platform that either Kopia or Kopia Server is running on. If you do want any kind of unattended operation, you are bound to have the repo pw somewhere in the chain, be it in the startup script or the config file. Since there's no way around that, we always add those systems to our risk analysis spreadsheet - which is reeeeaaalllyy long, by the way - and declare risk acceptance for those.
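As an added illustration of the "secure the platform" point above (this is not code from the thread or from Kopia): on a Windows host like the one named at the top, the repository password needed for unattended runs can at least be bound to the backup user's account with DPAPI instead of sitting readable by any process on the box. Assumptions: the secret file path is hypothetical, the scheduled snapshot runs as the same Windows user who stored the secret, and Kopia is assumed to pick the repository password up from the KOPIA_PASSWORD environment variable.

```powershell
# Added example, not Kopia's own code. Keeps the repository password as a
# DPAPI-protected blob instead of cleartext. Assumption: the unattended
# snapshot runs as the same Windows user who stored the secret.
$SecretFile = Join-Path $env:LOCALAPPDATA 'kopia\repo-password.dpapi'   # hypothetical path

function Save-RepoPassword {
    # One-time, interactive step. ConvertFrom-SecureString without -Key uses
    # DPAPI in current-user scope, so only this user on this machine can
    # unprotect the blob; a plain file reader gets ciphertext.
    $secure = Read-Host -Prompt 'Repository password' -AsSecureString
    $dir = Split-Path -Path $SecretFile
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $secure | ConvertFrom-SecureString | Set-Content -Path $SecretFile -Encoding ASCII

    # Belt and braces: drop inherited NTFS ACEs and grant only the current user.
    $acl = Get-Acl -Path $SecretFile
    $acl.SetAccessRuleProtection($true, $false)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $SecretFile -AclObject $acl
}

function Get-RepoPassword {
    # Unattended step. ConvertTo-SecureString throws if the blob is read by a
    # different user or on a different machine; that is the property cleartext lacks.
    try {
        $secure = Get-Content -Path $SecretFile | ConvertTo-SecureString
    } catch {
        throw "Cannot unprotect $SecretFile as $env:USERNAME`: $($_.Exception.Message)"
    }
    return [System.Net.NetworkCredential]::new('', $secure).Password
}

function Invoke-UnattendedSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Hand the password to Kopia via KOPIA_PASSWORD (assumed here) for the
    # duration of the child process only, then remove it from the session.
    $env:KOPIA_PASSWORD = Get-RepoPassword
    try {
        & kopia snapshot create $Path
        if ($LASTEXITCODE -ne 0) { throw "kopia exited with code $LASTEXITCODE" }
    } finally {
        Remove-Item -Path Env:\KOPIA_PASSWORD -ErrorAction SilentlyContinue
    }
}

# Usage:
#   Save-RepoPassword                          # once, interactively, as the backup user
#   Invoke-UnattendedSnapshot -Path 'C:\Data'  # from a Scheduled Task running as that same user
```

This does not escape the circularity described earlier in the thread: anything running as the backup user can call the same DPAPI unprotect and recover the password. What it buys is that a file copied off the disk, or read by another local account, is useless on its own, which is exactly the part that platform hardening (dedicated service account, restricted logon rights, no interactive use) has to carry.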