That’s correct!
Just started playing with the new Backup Scheme.
After upgrading to this release, make sure you do a browser refresh in order to see the new wizard.
Great job, but addon exclusion is still missing from the partial backup at the frontend and in the actions too. 
Immediately activated on both my systems. This was really a needed feature.
This is great!
So what’s recommended to address backups that are larger than 5GB?
I’ve had mine uploading to OneDrive for some time and believe mine are currently around 13GB…
It’d be great if the individual backup details showed you not only versions, but consumption for each component and add-on.
3 replies
It’s impressive how fast Home Assistant has progressed from “this is how we have to do it” to “this is how it should be done” and equally impressive how you all keep making that leap. Excited to see what’s in store for 2025!
Isn’t it possible anymore then to extract the backup files?
I didn’t upgrade yet, but I do this quite often too, to view my old yaml file when I want to check my old config
There is a python tool. Kind of hard to use. And they are looking into a possibility to make Thies easier.
“with the stupid mandatory encryption”
As someone who has been pushing for encryption in HAss backups for a long time, I disagree with the “stupid” part. Those backups have A LOT of sensitive info in them, and (especially when you have off-site backups, as you should!) encryption is essential.
True, it would be nice to have some kind of decryption utility allowing you to quickly extract just one file - but I am sure that will come along quite quickly, now that the encrypt/decrypt code is in place.
3 replies
As someone who needs a simple easy way to extract a file from a backup I’m going to stick with the “stupid” comment for now. The reason i call it “stupid” is because mandatory encryption did not need to be there for most of the base functionality (its only really needed for nabu case backups and yes it should be mandatory there)
And while a decryption utility would be nice in the future, that is only true if all the backups were not encrypted automatically with no way to disable it, that either makes a decryption utility mandatory now or makes the option to disable encryption mandatory in my book.
I’ll restate that having automated backups and and encryption are two very good things and a great addition to the platform, however the whole discussion around the feature is now turning in a b*** fest by encryption being mandatory (and yes i realize I’m doing that too)
1 reply
I do agree with you that there should be an option to disable the default encryption if you really want to. I am always a fan of people having options. And I do hope that the developers will add such an option in the future (with heavy warnings and “are you REALLY sure you know what you’re doing?!” confirmations, but… the option should be there).
However, once again I will disagree on the second part - it’s not needed “only” for nabu casa backups. It is needed every single time you replicate backups off-site, and many times even for local backups, if there are other people/apps that can access the backup location. Security by default is never a “stupid” idea (funny story - even the people at Elastic/ElasticSearch learned this the hard way 
)
[ Edited to add a link to another topic where I was actually requesting this feature of encrypted backups ]
I’m running HA as docker container.
I just set up an initial backup schedule, but it seems the only storage location is “This system” (i.e. local backup only), which results in a tar file below the HA config directory.
This is kind of useless for me, since I already backup the config directory separately.
Reading the announcement I assumed that I could at least specify a network location (e.g. samba share).
But there does not seem to be an “add location” button anywhere?
If encrypted backup is a very good idea, force encryption without decryption tool is very stupid !
Without decryption tool or the choice to not encrypt backups, i’ll not upgrade to this version !
2 replies
its needed “only for the nabu casa backups” because they are part of the release, everything else launched could function perfectly fine without encryption and cloud backup. i.e the user base would not have lost any functionality they already had but gained additional functionality. Is it needed functionality in general? absolutely its just came out too soon.
Backup encryption and nabu casa backups, could have come out as a separate release in 2024.2 or later which would have given the dev’s time to look at the feedback from beta and develop a better approach i.e. allow encryption to be disabled when required by the user, make it mandatory for certain destinations, or build the decrypt utility.
In fact i believe encryption could have (and probably should have) launched as an optional feature as part of 2024.1 if not for:
force encryption without decryption tool is very stupid
True. This (an offline, standalone decryption tool) is actually something that we do need, and we need it soon. Some people were mentioning a python tool already exists, but I am not sure what tool they were referring to.
And in this context (forced encryption without a dedicated decryption tool) I will even agree with the “stupid” term
Reading the announcement I assumed that I could at least specify a network location (e.g. samba share).
But there does not seem to be an “add location” button anywhere?
Settings / System / Storage / Add network storage. Once you add your network storage location, you will be able to reference it for the backups.
1 reply
Maybe it’s because of the containerized environment…
True, the external storage feature is only for HAssOS . But as the comments there say, if you are in containers, you can just mount any remote directory anywhere you wish inside the container - the sky is the limit
I am backing up with Add-on: Home Assistant Google Drive Backup will that continue to work as it has done until now?
And will the content of the backup stay the way it used to be unencrypted and with filenames that tell what component it comes from?
From my side all was said in other topic already. Just a conclusion: from 2025 version “backup” function is dead for me until “stupid” mandatory encryption is removed. I’ll find another way for this.
Just one light at the end of the tunnel: samba backup addon still works (so far…).
1 reply
On my testsystem Google Drive backup is unencrypted and working as before and also backup from the commandline is possible to do unencrypted.
Automatic backups in HA and to Nabucasa is encrypted.
So if only an official statement that the old api will stay there is no problem as I see it.
1 reply
The stupid encryption is the next step to leave HA for something else.
I configured the new Backup to only go to Cloud yesterday (10d retention, approx 300MB each) and am grateful for this valuable addition. Currently, as said in the ReleaseParty, the Nabu Cloud is the Backup of last resort and in my HA the existing SMB backup/purge Automation stays in place with 30d retention (good 10GB currently).
Super valuable extensions in my view would be the ability to
With SMB (unencrypted) I can browse and use the “Select what to restore”, I do not understand why browsing Cloud Backup from the HA GUI thows an “Unknown error”, shouldn’t it have the key …
Anyway - Rome wasn’t been built in a day - a very good start and as all existing Backup arrangements still work unchanged nothing should be broken.
Interesting, maybe my issue is related to updating then.
Same idea from my side, automatic backup is a good idea, but the timing must be flexible, for example I made my backup on a NAS that is shut off for the night!
In this way I can’t use automatic backup
Do we have the ability to browse encrypted backups and only restores say a single file (assuming you have the key of course)? That’s by far my biggest issue with the current system as I’ve had the Google drive backup addon forever and it is incredibly good (in fact I think still might be better than this new builtin offering though it’s def a good thing new users won’t need a special addon).
1 reply
I do agree, with may others.
The encryption on all backups is really daft, not being able to have the option to extract the contents is a step too far.
Just as an idea why not give the MANUAL setting an option to discard the encryption, this would then give you at least an option to check and see the content.
The way it is now feels incredible uncomfortable and vulnerable if I can’t be sure I can check the content and replace small portions and it would be useful if this addition was at least reversible in the core update.
The question is now, what should I do?
I think the answer is to reject this update until the Backup has been altered with options based on a user preference as I feel handcuffed with this version.
My proposal would be to do the update and either not use the new Backup config, all your existing Automations will be unchanged - or, as I did - only use the new Config for Cloud, as an additional in the 321 concept. If the Cloud Backup works fine in an emergency you won, if it doesn’t you are not worse of, as you are now.
1 reply
Well I have chosen to revert back to the last core version. I have done that on my test HA and all is OK so i am proceeding to do the same on my main HA installation.
I have just realised another disadvantage for me is that I use the share folder for carrying auto saved data for use in an external web page and I can’t even get at that either.
3.2.1 is such a great idea, but spoilt by being handcuffed
The whole point of the Open Source Home Assistant is that you have an option to change and develop a tool in the way that is best for you the user, but this is a retregrade step, forcing the user to select something that is unsuitable for their requirements. Perhaps the concerns of all of us that share these issues will bring about the reinstatement of a backup with more flexibility, until then I am forced to stick to the end of 2024.
1 reply
I also use the Samba backup add-on as well but I don’t know if it will continue to work with 2025.1 since it call’s HA’s backup service. Hoping to get more info on this option since I don’t want to use encryption either.
The team eluded to how some of us use the backups as our version system to find older files when needed, and not having access to them any more is a deal breaker for me.
I don’t mind trying to use a python decrypt script though; hopefully they will make that available upon request.
1 reply
But you can’t open the file from a saved local network location and browse the file to extract just one file or folder. Tell me how and I might re-install the update.
The time of the auto backup is an issue too as you can’t alter it
My current 3-2-1 involves using Restic to backup my Home Assistant backups. Once backup integrations are a thing, a Restic integration may be feasible.
Many backup programs like Restic offer:
Having all 3 managed by the backup program makes for “better” results across all 3. I hope the backup/restore integration architecture will enable a fully-capable backup to handle all 3 directly.
In pre-2025.1 HA, backups are tar of tars (up to 3 layers of tar and with compression on some of the layers). For these, Restic was not able to effectively de-dupe, so the data movement that comes with 3-2-1 backups was more than it could have been. To get around this, I wrote some scripts that unpack the HA backups and repack them if/when needed for restore.
With 2025.1, this repacking may not be possible. In the near term, I hope a “disable encryption” option is added, and longer term, integrations that enable fully-capable backup solutions to do their thing without friction will be great.
For now it still works. How long…noone knows, i guess…
So I ran a couple of tests to see if there was a way:
In one test, I used the “Backup Now”, which unfortunately still leaves the archive encrypted.
The second test, I used the Service/Action “Home Assistant Supervisor: Create a full backup”
action: hassio.backup_full
data:
name: Test Unencrypted2
This archive is unencrypted and the individual files can be browsed/opened.
3 replies
Thanks, that’s interesting I will have a play around on my test HA install tommorrow.
When I try to download (10MB/s) a 4.5GB Backup from the Homeassistant cloud I am getting an unauthorized error after 5 minutes. Maybe the token vakidity is a little bit too short?
I love the new backup feature as with that I’m getting rid of my current additional backup addon.
But somehow I only have HA Cloud as a backup location and not the local storage (aka “This system”):
any ideas why?
For me its not possible to set any number for backups and days as well.
It might be a browser problem. I do have latest FFesr.
edit:
This happens only at the first backup config at custom level.
Now I choosed the automatic settings and afterwoods I can change everything now.
Please provide an decryption utility so in case we can just extract a single file from the backup. thx
FYI, it’s not a stand-alone tool, but I was able to hack the code in HA here (backup_restore.py) to decrypt and extract a backup.
My hack for what it’s worth was to:
1.wget https://raw.githubusercontent.com/home-assistant/core/8a880d613468c27b51c066ae22365011960ef8af/homeassistant/backup_restore.py
2. Delete some stuff that wasn’t needed and didn’t work for me (HA_VERSION stuff, and fitler=). I didn’t investigate why filter= wasn’t working for me - maybe a version issue with my securetar. Patch text below.
3. mkdir /tmp/foo for where I wanted to test it out. This is hard-coded into the patch as restore_backup("/tmp/foo").
4. make a json file in that directory : /tmp/foo/.HA_RESTORE in the form that the backup_restore.py expects.
{
"path": "/home/pi/home_assistant/backups/8a24d68e.tar ... ie, wherever your backup is",
"password": "****-****... this is the HA backup encryption key",
"remove_after_restore": false,
"restore_database": true,
"restore_homeassistant": true
}
python backup_restore.pyThe patch:
--- backup_restore.py.1 2025-01-04 09:46:13.612253029 -0800
+++ backup_restore.py 2025-01-04 09:49:44.161357293 -0800
@@ -12,10 +12,8 @@
import sys
from tempfile import TemporaryDirectory
-from awesomeversion import AwesomeVersion
import securetar
-from .const import __version__ as HA_VERSION
RESTORE_BACKUP_FILE = ".HA_RESTORE"
KEEP_BACKUPS = ("backups",)
@@ -101,25 +99,16 @@
ostf.extractall(
path=Path(tempdir, "extracted"),
members=securetar.secure_path(ostf),
- filter="fully_trusted",
)
backup_meta_file = Path(tempdir, "extracted", "backup.json")
backup_meta = json.loads(backup_meta_file.read_text(encoding="utf8"))
- if (
- backup_meta_version := AwesomeVersion(
- backup_meta["homeassistant"]["version"]
- )
- ) > HA_VERSION:
- raise ValueError(
- f"You need at least Home Assistant version {backup_meta_version} to restore this backup"
- )
with securetar.SecureTarFile(
Path(
tempdir,
"extracted",
- f"homeassistant.tar{'.gz' if backup_meta["compressed"] else ''}",
+ f"homeassistant.tar{'.gz' if backup_meta['compressed'] else ''}",
),
gzip=backup_meta["compressed"],
key=password_to_key(restore_content.password)
@@ -130,7 +119,6 @@
istf.extractall(
path=Path(tempdir, "homeassistant"),
members=securetar.secure_path(istf),
- filter="fully_trusted",
)
if restore_content.restore_homeassistant:
keep = list(KEEP_BACKUPS)
@@ -182,3 +170,12 @@
backup_file_path.unlink(missing_ok=True)
_LOGGER.info("Restore complete, restarting")
return True
+
+
+if restore_backup("/tmp/foo"):
+ print("yay")
+else:
+ print("boo")
This Backup topic brings to the top of my head how I will deal with a possible disaster. Ok, I have a daily backup, now what?
If Home Assistant fails to start, I guess I will flash the SD from scratch, put it back and restore the backup (I have RPI5 + NVME SSD, with data moved to SSD and SO in the SD card). But how much time does this take? It’s not something I can do remotely, right?
Worst scenario is a hardware failure. Now what? Run to buy other Raspberry, or to install Virtual box/VMware and try to make it work, or just cry and apologize to my family.
I’m starting to think about a production environment and a restore environment (in my personal computer or buying a spare RPI? What about the ZigBee dongle?), and automate the most I can to switch as soon as possible and without much knowledge (maybe I’m not at home when disaster comes).
Interested in trying this but not fully sure what to do here. I grabbed the python code - do I just delete the lines you marked in red (- minus sign) and add your green lines? But also, what’s an example of what to put in a JSON file called .HA_RESTORE - that’s not clear to me.
Thanks for the work on this!
1 reply
Better than nothing but I want the ability to look at individual files. My most common case is I mess up one dashboard or say my template sensors yaml. So it would be amazing to be able to browse and view the file and just copy / paste it.
Being able to restore just core config without history I guess will help but it’s frustrating we cannot browse our own files with a password
Oops - “make a json” step - I see your example there. going to try this out when I decide to upgrade.
You can make an unencrypted backup by calling the action backup.create from the developer tools actions. (or by an automation)
OK then. How about "encryption which is enabled by default (because we all know we don’t read) but which can be disabled if the user wants to.
I create my own backups, including off-site storage following the 3-2-1 rule but I DON’T want encryption. I want to be able to read the backup and extract a single file from it if need be. I can’t do that now. Not with WinRar (7.01) and not with the extraction tool that comes with my Synology DS224+.
See my reply #49 above
The main “wrong” here is that dev’s obviously believe that backups are here for HA crash occasion only, which can’t be further away from truth. In all years of my HA existence i never had a HA crash yet (ok, call me lucky…), so i never needed a backup for this reason. But i did mess up a piece of yaml code many times, and extracting a piece of old working one from my backup saved me hundred’s of times.
1 reply
For those planning to use encryption a read up of this issue is recommended.
Not only is non standard used for encryption but it also may have unwanted side effects that may put the backups at risk of corruption if I understood the issue correctly.
Comment to prove I understood it wrong is welcome!
Shit, I upgrade to this stupid version and now it enforce the stupid backup encryption fuckery on me. How do I downgrade Home assistant?
1 reply
No one gonna hack a home assistant in another country, what they gonna do? turn on my light when I’m not at home?
Now there is another layer of stupidity where I can forget the key and I essentially lost all my backup forever.
This is just pure stupid.
I also want the backup time to be configurable. I currently back up HA so that the backup is done and in a location to then be backed up by a separate computer system with all my other data (and other backups are scheduled to be done by the time the “main” backup is performed). I’m not going to change all my backup times just because HA does it later than I need.
Please add this as an option.
ha core upgrade --version 2024.12.4
Thanks this is cool but I always encrypt my backups using the Google Drive addon anyway. It is absolutely incredible and has richer functionality than even this current backup enhancement. You should check it out. (You don’t need to do cloud backups).
So I’ve dealt with the opaque encrypted issued for almost two years.
I’m hopeful they will finally add the ability to browse and single-file restore from backups. It’s really frustrating we cannot.
No I don’t want to do that, surely it is a simple matter of a programing option to be able to change the time, after all there is an option to select a day, what’s the difference, why make it difficult, what’s the point of the restriction?
It’s just a pointless thing to have set in stone
Unfortunately, I have now updated to 2025.1 and am considering a downgrade (my fault, I must have misread the release notes or understood the heading “Encrypted Backups BY DEFAULT” as an option).
Am I summarizing this correctly:
Mmhh,
can I somehow create an automation that uses hassio.backup_full as the action and saves the unencrypted backup to a Samba share at a freely configurable time?
So the new “Backing Up into 2025!” function is on the verge of being unusable and I’m wondering what that has to do with “we listen to the users”.
1 reply
wmaker, your backup observation works for me.
I will update the Core to the latest version and setup an auto backup option that way, on my Main HA system.
Thanks, for your help
Great!
Then I can give it even a better name:
actions:
- action: hassio.backup_full
metadata: {}
data:
compressed: true
homeassistant_exclude_database: false
location: SynoBackup
name: >-
Backup with no encryption {{
state_attr('update.home_assistant_core_update','installed_version') }}
{{ now().strftime('%Y-%m-%d') }}
However, the name only affects the view in HA. The file name on the share then remains random:
There is a database purge at around 4 am, and this backup is designed to run after that. So there is a point to it. But you are right, it should be movable.
Also mentioned on the other thread, I do exactly that already. First of all, I maintain a copy of the “config” directory on my laptop, which I synch up as part of my routine backups. That in turn gets copied to the NAS, so there’s always another copy there. That’s backed up off-site.
But whenever I make a significant change to a .yaml file, I first copy the “old” version off to a dedicated directory, renaming it to include the date it was last changed. So I always have archival copies I can go back to.
In other words, I have no need to ever open the backup .tar file. I also have no need for it to be encrypted, but I think we’ve beaten that issue to death already.
For those that use the samba backup add-on, there’s a thread discussing these changes as related to that add-on here:
Off-site backups seem overkill for Home Assistant if you’re already storing the backups off-device.
I’ve got backups on device. I’ve got backups on my NAS. Something that kills both of those sets of backups will have probably destroyed most of the home or at least the electronic devices within. An offsite backup wouldn’t be useful because I’d be replacing so much stuff that it wouldn’t be helpful to do anything but restart from scratch.
Offsite backups are for things that are still relevant if the site is destroyed. Documents, records, family photos and so on. Not a home automation system that’s been tailored to a structure that’s going to need significant repairs if not a rebuild.
In any case, like many others, my primary use case for backups is rolling back if an update is broken (my fault for missing a breaking change or just a broken update to an add on or core), or digging into the file structure to recover an automation or dashboard view I want to revert to get the yaml for a copy-paste job. The encryption breaks that, and lengthens the process for restoring in the case where an update went bad.
Oh I’ve no intention if it already exists. I had no idea :). Thanks for the tip. I think I’ll be installing this pronto
I’m already feeling sad for all the users that will open a topic here, in full panic mode because they lost the keys to decrypt their backup. Either because they didn’t know they needed to save it, they deleted it by accident, they no longer remember where they stored it 5 years ago or the key was on the same system that had a failed HA running on it.
Hey guys!
I must say I welcome the new backup feature. It brings some functionalities that were missing previously. But it is not without it’s shortcomings.
The old backup feature only allowed you to create new backups. If you wanted to automatically purge backups that you no longer needed you had to figure that out yourself. I welcome the retention feature of the new backup feature which allows me to set a number of backups to retain or number of days.
This was an unexpected bonus. I usually create backups locally and than copy them to my NAS using the samba add-on. Now I could have synced that to a cloud service to adhere to the 3-2-1 best practice, but I never did. As I have the Nabu casa subscription this instantly took care of my offsite backup.
With the old backup feature I periodically removed the backups I no longer needed. But now that we have a retention setting I maybe even want to create hourly backups to decrease my RPO (amount of data loss). The retention setting makes sure these backups don’t fill up my disk. But unfortunately the current schedule settings doesn’t allow me to set hourly automatic backups. Also I find it really annoying that the backup time is now set to 4:45 with no way to change it.
I already had a backup that failed and I suspect that this is due to everyone uploading their offsite backup to Nabu casa which caused an unintentional distributed denial of service.
I read somewhere in this thread the 4:45 time was chosen because a scheduled database purge occurs at 04:00. It would be nice if this was configurable so you can align this with your backup schedule. Or maybe even have the purge triggered by a backup.
It would be nice if you have the ability to toggle encryption for those of us that don’t use a cloud service to store an offsite copy of home assistant.
Given the open nature of the home assistant ecosystem a documented way of decrypting the backup yourself is a must in IMHO.
1 reply
hm…
Those two are possible for a long time, using samba backup addon. But even without this addon saving to a attached network drive was possible before.
BTW… just 5 minutes ago it happened again: i needed a couple lines of my code from esphome’s yaml (yeah, i fu**ed up…wasn’t the first, won’t be the last…). I simply opened my backup (created old way) and copied old version back. This is not possible with new backups, as dev’s think it’s not needed, obviously…
Or just simply make the MANUAL BACKUP
(a slogan to remember)
1 reply
MANUAL BACKUP is still there but now it involves more mouse clicks vs old version. And of cause newly created manual backups are now encrypted
For your information, I now only use the automatic backups for the Nabu Casa cloud!
Since my VM just run full after 3 backups and no Option to Change time because my NAS ist off at night to save energy.
Maybe the time can be changed soon… then I’ll can use it for the NAS too.
But I also have 2 daily and 1 weekly backup at 3 different locations via Proxmox.
But my test HA (RPi4) hast effectly no automatic Backups:
And to make it even worse:
if you create it over the action its not encrypted (yet)
action: hassio.backup_full
In the previous backup solution, you could change the default storage location. I can no longer find this option in 2025.1.
As soon as an SMB share is entered in the basic HA configuration, it causes various problems with the user-friendly Samba backup. This could be avoided with the 2024.x version by changing the default storage location in the older (and better) native backup solution to local.
Does anyone know a solution for this? Otherwise, I would try to completely delete the SMB share in the HA configuration. It wouldn’t be a big deal, since the backups created by HA are encrypted and therefore almost useless.
1 reply
Fixed: I completely deleted the SMB share in the HA configuration (it was only used for the useless native backup anyway) and Samba Backup is running perfectly again. I’ll stick with it until the end of Samba Backup (which hopefully never happens)…
Fortunately, I now have unencrypted backups on the NAS again, which even have a descriptive name
