#kopia

bkoehn@diaspora.koehn.com

My one gripe about #kopia, an otherwise fantastic backup tool, is that it stores its passwords in cleartext files. (Everything it puts into storage is encrypted; go figure.)

Anyway, you can encrypt the files it uses (once it creates them) with #openssl and never put them on the filesystem again.

#!/bin/bash

ENCRYPTED_FILE=/root/.config/kopia/repository.config.aes

# Kept as an array so the passphrase survives quoting intact (a plain string would be word-split).
DECRYPT=(openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -in "$ENCRYPTED_FILE" -pass "pass:$KOPIA_PASSWORD")

# Process substitution hands kopia a pipe holding the decrypted config; no cleartext touches the disk.
kopia snapshot create --no-progress /path-to-backup --config-file <("${DECRYPT[@]}")

This uses process substitution to pass a file descriptor as a command line argument (e.g., /proc/204638/fd/pipe). The output of the openssl command will be written to the file descriptor and can be read until the kopia command exits.

You encrypt the cleartext file using the same openssl command without the -d.

The script above is invoked via ssh, which passes in the KOPIA_PASSWORD environment variable:

ssh root@host KOPIA_PASSWORD=password123 /root/.config/kopia/backup

It’s still there if a hacker were to look for it, but it would take a fair bit more effort to find it.
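As an added example (not from the post above): a bash round trip of a config file through the same openssl parameters, reading the passphrase with -pass env:KOPIA_PASSWORD so it stays out of the argument list that ps exposes, and handing the cleartext to a stand-in consume_config through process substitution. The function names, file names and the sample config are constructed for this example.

```bash
#!/bin/bash
# Round trip a config file through the post's openssl settings and hand the
# cleartext to a consumer through process substitution, never via a path.
# -pass env:VAR makes openssl read the passphrase from the environment, so it
# does not appear in the argument list that `ps` can show.
set -euo pipefail

OPENSSL_ARGS=(-aes-256-cbc -md sha512 -pbkdf2 -iter 100000)

# Encrypt cleartext $1 to $2 (the step the post describes as "without the -d").
encrypt_config() {
    openssl enc "${OPENSSL_ARGS[@]}" -in "$1" -out "$2" -pass env:KOPIA_PASSWORD
}

# Decrypt $1 to stdout; this is what runs inside <( ... ).
decrypt_config() {
    openssl enc -d "${OPENSSL_ARGS[@]}" -in "$1" -pass env:KOPIA_PASSWORD
}

# Stand-in for `kopia ... --config-file FILE` (constructed for this example):
# it only ever sees a pipe such as /dev/fd/63, so nothing is left on disk.
consume_config() {
    cat "$1"
}

# Returns 0 when the consumer reads back exactly the original cleartext.
roundtrip_check() {
    # Treated as a pass when openssl is absent, since the check cannot run at all.
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 0; }
    local work plain enc expected actual
    work=$(mktemp -d)
    plain="$work/repository.config"
    enc="$work/repository.config.aes"
    # Constructed sample; a real kopia repository.config is JSON with a storage block.
    printf '{"storage":{"type":"filesystem"},"password":"example-repo-secret"}\n' > "$plain"
    expected=$(cat "$plain")
    export KOPIA_PASSWORD='constructed-passphrase'   # in the post this arrives via ssh
    encrypt_config "$plain" "$enc"
    actual=$(consume_config <(decrypt_config "$enc"))
    rm -rf "$work"
    [ "$actual" = "$expected" ]
}
```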