WebDAV backend on Windows stores cleartext password; rclone encrypted config works but Kopia repo stores plaintext

llw1019x · January 20, 2026, 6:06pm

Description

I am using Kopia Desktop/CLI on Windows, connecting to Koofr via WebDAV for backups.  
The main issues I encountered are:

1. Kopia's WebDAV backend stores the account credentials in cleartext inside repository.config.
2. Using an rclone encrypted config as the backend works in the UI, but credentials security still depends on rclone.  
   The CLI cannot connect if the rclone master password is not automatically provided.

This raises a security concern because repository.config contains plaintext credentials that could be accessed by unauthorized users.

Steps to Reproduce

1. Install Kopia Desktop on Windows.
2. Create a Koofr WebDAV account and prepare a remote folder.
3. Add a repository in Kopia Desktop/CLI, select WebDAV backend, and enter your account credentials.
4. Check the repository.config file, which stores the credentials in cleartext.
5. Optional: Create an rclone remote (encrypted config) and let Kopia use the rclone backend.  
   The UI works, but the CLI fails to connect if the rclone master password is not provided.

Expected Behavior

1. The WebDAV backend should not store account credentials in cleartext in repository.config.
2. When using an rclone backend with an encrypted config, both UI and CLI should be able to connect securely without storing plaintext credentials in repository.config.
3. Provide a secure method to manage WebDAV or rclone credentials on Windows.

Actual Behavior

- On Windows, the WebDAV backend stores account credentials in plaintext inside repository.config.
- Using an rclone encrypted config works in the UI, but the CLI cannot connect if the master password is not provided.

Environment

- Kopia Desktop version: x.y.z
- Kopia CLI version: x.y.z
- OS: Windows 10 / 11
- WebDAV provider: Koofr
- rclone version: 1.XX (encrypted config enabled)
- Repository type: WebDAV / rclone backend

kapitainsky · January 20, 2026, 7:48pm

Very unlikely that it will change IMO. You just have to live with it as it is and I am afraid that at this stage it can be just theoretical discussion about kopia design decisions taken long time ago.

From practical perspective what you should do is to make sure that you use full disk encryption and secure account login method.

Topic		Replies	Views
Rclone remotes not working:WebDAV and SFTP Support	4	794	February 2, 2023
Cannot create webdav repository due to error Support	3	494	August 1, 2021
How to use the credentials stored in the keyring/credential manager? General Topics	16	1135	December 16, 2024
Kopia with encrypted rclone config General Topics	13	468	June 11, 2024
Migrating a kopia server to docker General Topics	2	498	February 25, 2023