Hi all, new to Kopia, I like what I read so far and have been trying it out on several clients. However, I ran into what I think is an issue and am unsure how to resolve it.
On my Unraid box, after I created the repo, I noticed it stored the password in base64, under /root/.config/kopia/repository.config.kopia-password.
That was without the --use-keyring option (shouldn't it use the keyring by default?). When I tried with the keyring, it gave me:
kopia: error: unable to connect to repository: error connecting to repository: unable to persist password: error saving password in key ring: exec: “dbus-launch”: executable file not found in $PATH, try --help
On one hand, I am not sure how to validate whether Unraid can use dbus-launch and would love to have credentials stored securely, but I am also concerned to see credentials stored in what is effectively plain text, i.e. base64.
Would someone have an insight into that? Thank you in advance!
Keyring is unfortunately unreliable on Linux (as you discovered) so it’s disabled by default.
I’d recommend the following options:
- Get dbus-launch installed on your machine, but configuration of that may be non-trivial without a full desktop environment.
- (Do nothing) and have kopia persist the base64-encoded password in a local file. The file is only readable by the user that started Kopia and root, which is generally assumed to be trusted. Storing plaintext credentials in files under the user directory is not great, but quite common on Linux, so this would be no exception and depending on your security needs may be appropriate (typically encrypted disk + strong local password + locked down remote access provide reasonable security even when an attacker gets physical access to the machine, but there's really not much that can be done against really sophisticated local side-channel attacks).
- Do not persist passwords at all on connection (--no-persist-connection) and instead always pass the password manually using the KOPIA_PASSWORD environment variable or via the --password flag.
  You can retrieve the password using some external command like so:
  KOPIA_PASSWORD=$(my-password-command) kopia snapshot create ...
  NOTE that ~/.config/kopia/repository.config may still have some credentials (e.g. S3 access keys) and is currently not locally encrypted. Same argument can be made as for #1, but will try to fix that in future versions by encrypting this file with the KOPIA_PASSWORD-derived key.
- Help improve Kopia by submitting PRs that will integrate with other key stores (such as https://www.vaultproject.io and others)
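One way to put the third option into practice, as an added example that is not from this thread or from the Kopia project: a small POSIX sh wrapper that reads the repository password from a permission-checked file (the path in KOPIA_SECRET_FILE and the 600/400 requirement are assumptions of this example), hands it to kopia only through that child process's environment, and an audit function that flags the persisted password file and a world-readable repository.config the reply above warns about.

```shell
#!/bin/sh
# Added example, not from the thread or the Kopia project. Assumptions (constructed):
# the repository password lives in a file whose path is in KOPIA_SECRET_FILE, and
# that file must be mode 600 or 400. stat -c is GNU, stat -f the BSD fallback.

# Read a secret from a file, refusing files that other users can read.
read_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo "secret file missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
        600|400) ;;
        *) echo "refusing $f: mode '$mode' is not 600 or 400" >&2; return 1 ;;
    esac
    cat "$f"
}

# Run a command with KOPIA_PASSWORD set in that child's environment only,
# so nothing is written to disk and the variable never lands in this shell.
run_with_password() {
    secret=$(read_secret_file "${KOPIA_SECRET_FILE:?set KOPIA_SECRET_FILE}") || return 1
    KOPIA_PASSWORD="$secret" "$@"
}

# Audit the Kopia config directory for the two things the reply warns about:
# a persisted (base64, not encrypted) password file, and a repository.config
# that other users can read. Returns 1 if either is found.
audit_kopia_config() {
    dir="${1:-$HOME/.config/kopia}"
    rc=0
    if [ -f "$dir/repository.config.kopia-password" ]; then
        echo "WARN: persisted password file $dir/repository.config.kopia-password" >&2
        rc=1
    fi
    if [ -f "$dir/repository.config" ]; then
        mode=$(stat -c '%a' "$dir/repository.config" 2>/dev/null || stat -f '%Lp' "$dir/repository.config" 2>/dev/null)
        case "$mode" in
            600|400) ;;
            *) echo "WARN: $dir/repository.config has mode '$mode'; readable by others" >&2; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Usage: KOPIA_SECRET_FILE=/root/.kopia-pass run_with_password kopia snapshot create /data
```

The audit function only checks the filesystem; it does not parse repository.config, so S3 keys stored inside it still need the permission check to mean anything.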
Thank you for the detailed explanations and offering several choices! Really appreciated!
I'd +1 not storing creds in the file and just having an option to ONLY pull them from an env var or something at runtime. In particular, I don't even really want to password protect the files, I just don't want my AWS credentials in it if at all possible.