Keyring is unfortunately unreliable on Linux (as you discovered) so it’s disabled by default.

I’d recommend the following options:

- Get `dbus-launch` installed on your machine, but configuration of that may be non-trivial without full desktop environment.
- (Do nothing) and have kopia persist base64-encoded password in local file. The file is only readable by the user that started Kopia and `root` which is generally assumed to be trusted. Storing plaintext credentials in files under user directory is not great, but quite common on Linux so this would be no exception and depending on your security needs may be appropriate (typically encrypted disk + strong local password + locked down remote access provide reasonable security even when attacker gets physical access to the machine, but there’s really not much that can be done against really sophisticated local side-channel attacks).
- Do not persist passwords at all on connection (`--no-persist-connection`) and instead always pass password manually using `KOPIA_PASSWORD` environment variable or via `--password` flag.

  You can retrieve the password using some external command like so:

  ```sh
  KOPIA_PASSWORD=$(my-password-command) kopia snapshot create ...
  ```

  NOTE that `~/.config/kopia/repository.config` may still have some credentials (e.g. S3 access keys) and is currently not locally encrypted. Same argument can be made as for #1, but will try to fix that in future versions by encrypting this file with the `KOPIA_PASSWORD`-derived key.
- Help improve Kopia by submitting PRs that will integrate with other key stores (such as https://www.vaultproject.io and others)
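
The reply above relies on files under `~/.config/kopia` being readable only by the owning user and root. The following check of that assumption is an added example, not part of the original post or of Kopia; the function names `audit_kopia_config` and `kopia_config_is_private` are hypothetical, and it assumes a Linux `stat -c` (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example (not Kopia code): list files in the Kopia config directory
# that are accessible to group/other or not owned by the current user.
# Assumes Linux `stat -c` (GNU coreutils or busybox).

# audit_kopia_config [DIR]
# Prints one finding per line; prints nothing when the directory is clean.
audit_kopia_config() {
    dir=${1:-"$HOME/.config/kopia"}   # default path as named in the post
    [ -d "$dir" ] || { echo "skip: $dir not found" >&2; return 0; }
    me=$(id -u)
    find "$dir" \( -type f -o -type d \) -exec stat -c '%a %u %n' {} + |
    while read -r mode uid path; do
        # 077 masks the group and other permission bits of the octal mode.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "LOOSE mode=$mode $path"
        fi
        if [ "$uid" != "$me" ]; then
            echo "OWNER uid=$uid $path"
        fi
    done
}

# kopia_config_is_private [DIR]: exit status 0 only when there are no findings.
# A missing directory produces no findings and therefore also returns 0.
kopia_config_is_private() {
    [ -z "$(audit_kopia_config "${1:-}")" ]
}

# Run the audit only when invoked as: sh audit.sh --run [DIR]
if [ "${1:-}" = "--run" ]; then
    audit_kopia_config "${2:-}"
fi
```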