Why?

Who doesn’t want to back up all their stuff in a way that is:

  • Fast
  • Reliable
  • De-Duplicated
  • Has all the encryption, scheduling, and tons of extra bells and whistles?

Well, Synology Active Backup for Business (ABB) has all of it, and I use it to back up all my Windows and Linux devices. However, on M-series MBPs, the ABB agent requires installing Rosetta. I don’t want to do that, and so far I’ve managed with Synology Drive Client and other approaches.

The downside is that I miss out on the niceties of deduplication and compression, which wastes space and bandwidth. I went looking for an alternative and found Kopia, which fits my needs well.

Kopia is powerful and highly configurable, but I found the install steps a bit confusing across the docs, so I documented exactly what I did.

Synology (Kopia Server)

  • Kopia can also work without a server, by exposing an SFTP or SMB share from Synology to the Kopia client running on the MBP.

    • However, I dislike exposing file shares from my NAS: it increases the attack surface and (without a server) increases the load (CPU/network) on the client machine. A server also brings advantages like shared resources and deduping, abstraction of the storage backend, finer ACL control, and more.
  • Synology doesn’t have a native Kopia app, so I ran it via Container Manager (Docker). I followed these steps (all on the Synology DS720+ NAS, except where explicitly mentioned):

    • Install Container Manager (CM) from the Synology app store.
    • On CM’s Image tab, download the kopia/kopia image with the latest tag.
    • On CM’s Container tab, create a new container with these settings:
      • Image: kopia/kopia:latest
      • Container Name: kopia-kopia-1 (you can choose anything you want)
      • Enable Auto-restart to make sure the Kopia server is always running
      • Port mapping: 51515:51515 (TCP)
      • Create folders for Kopia and set up permissions (choose any base folder; I chose /volume1/Backups):
        • /volume1/Backups/kopia/config:/app/config:rw
        • /volume1/Backups/kopia/cache:/app/cache:rw
        • /volume1/Backups/kopia/logs:/app/logs:rw
        • /volume1/Backups/kopia/repository:/repository:rw
        • /volume1/Backups/kopia/tmp:/tmp:rw
      • Add the following environment variables:
        • KOPIA_CACHE_DIRECTORY: /app/cache
        • KOPIA_PASSWORD: generate a secure password for your repository and set it here
        • KOPIA_CONFIG_PATH: /app/config/repository.config (Kopia will save repository config here)
        • KOPIA_SERVER_USERNAME: set a username for the Web UI basic auth
        • KOPIA_SERVER_PASSWORD: set a password for the Web UI basic auth
        • KOPIA_SERVER_CONTROL_USERNAME: set a username for the server control commands
        • KOPIA_SERVER_CONTROL_PASSWORD: set a password for the server control commands
      • Optional: generate TLS certs for an HTTPS connection:
        • You could choose to run without TLS using --insecure in the server command since this is only for your internal network, but I like to do HTTPS everywhere.
        • You could also use Kopia server itself to generate self-signed certs, but you will have to create/run a separate container with a different command for this; otherwise it will always generate certs.
        • Run the following commands in order and upload the generated files to the kopia/config folder:
          • openssl genrsa -out server.key 2048
          • openssl req -new -key server.key -out server.csr
          • openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
      • Update the Execution Command to:
        • server start --address=0.0.0.0:51515 --tls-cert-file /app/config/server.crt --tls-key-file /app/config/server.key
    • Start the container and navigate to the Web UI at https://NASIP:51515.
      • Use the Web UI username/password from above to log in.
      • Click Repository -> Local Directory or NAS.
        • Enter directory path as /repository and click Next.
        • Set the same password here that you set as KOPIA_PASSWORD in the environment variables.
    • Open a terminal window for the container via Container Manager and run kopia server user add <someusername> to create a user for your client machine.
      • Set a password when asked.
      • Restart the server to make it take effect.
    • Optional/Additional TODOs:
      • ACLs if you want to back up multiple users/hosts on your network to the same server
      • Use Let’s Encrypt instead of self-signed certs

MBP (Kopia Client)

  • Install Kopia CLI or GUI (I’ll use the GUI here).
  • Generate the SHA-256 fingerprint of the server cert:
    • openssl x509 -in server.crt -noout -fingerprint -sha256 | sed 's/://g' | cut -f 2 -d =
  • Open Kopia GUI, go to the Repository tab, and click Kopia server.
    • Enter the Web UI address from above.
    • Enter the hash from above.
    • Click Next.
  • Enter the username and password you set for the user on the Kopia server.
  • Click Connect.
  • Finally, set up a policy (or policies) for the folders/files you want to back up. This can get very extensive, so read the Kopia documentation for this.
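
The TLS certificate and fingerprint steps above as one non-interactive script, with checks to run before uploading the files. This is an added example, not part of the original post: it replaces the three openssl commands with a single `openssl req -x509` call and adds a subjectAltName for the server address (`-addext` needs OpenSSL 1.1.1 or newer). The function names, the temporary directory and the address 192.0.2.10 are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, the temp
# directory and the address 192.0.2.10 are constructed for the demo.

# Create server.key and server.crt in directory $1 for server address $2.
# One `openssl req -x509` call stands in for the post's genrsa/req/x509 steps.
make_kopia_cert() {
    dir=$1 ip=$2
    mkdir -p "$dir" || return 1
    # umask 077: the private key is never readable by group or others.
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -days 365 -subj "/CN=$ip" \
        -addext "subjectAltName=IP:$ip" 2>/dev/null)
}

# SHA-256 fingerprint as bare hex, using the same pipeline as the post.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/://g' | cut -f 2 -d =
}

# The same value computed independently: SHA-256 over the DER-encoded cert.
der_sha256() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 |
        awk '{ print toupper($NF) }'
}

# Succeeds only if cert $1 and private key $2 carry the same public key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeeds only if cert $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo in a throwaway directory; on the NAS the files go to kopia/config.
DEMO_DIR=$(mktemp -d)
make_kopia_cert "$DEMO_DIR" 192.0.2.10 || echo "certificate generation failed" >&2
echo "fingerprint to paste into the client: $(cert_fingerprint "$DEMO_DIR/server.crt")"
key_matches_cert "$DEMO_DIR/server.crt" "$DEMO_DIR/server.key" && echo "key matches cert"
cert_valid_for_days "$DEMO_DIR/server.crt" 30 || echo "renew: expires within 30 days"
```

Because the certificate lasts 365 days, the expiry check is worth scheduling: once the certificate is regenerated its fingerprint changes, and the client has to be given the new value.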