I’ve just noticed today the beta plans with improved backup setup.
Does it have to be encrypted? As HA is local-privacy-first setup, encrypted backups are just inconvenient.
Will it be optional to enable encryption, or is it mandatory?
If i understood (read) correct they will be mandatory. It annoys me, too, since it’s unnecesarry (for me).
This should be made as option.
16 Likes
Saw that as well. I’m all for HA supporting security options but it should not be forcing any of them on a user. Security happens in a context and HA has no idea what that context might be. This should absolutely be optional even if it defaults to on.
12 Likes
Well, i won’t be using this function (yet) anyway. Why? Because it’s uncomplete - i have samba backup addon installed which makes regular backups inside HA and also automatically copies these backups to my local NAS. I don’t have, neither want backups to be in anyone’s cloud, even if it’s nabucasa (and why would i, if i have my own…). Nabucasa doesn’t have enough space for me anyway (5GB, i have daily backups of 50-70GB total size - ok, call me paranoid…).
For now only option in 2025 beta is nabucasa, as they say they rely on others to write addons for other options/locations. That can take time…
Same is with new history: although i greatly appreciate effort i won’t be using it yet until it won’t be fully functional. For now you can enlarge and slide left-rihgt, but only within shown 24 hours, you can’t go back days, weeks… I guess i’m too spoiled with history addon…
But, it’s happening, so thanks to all who develop these things!
5 Likes
This is not entirely true. It has been possible for some time now to add network resources (i.e. network drives) and do a direct backup to them. The advantage being that if your HA instance drive is corrupting, it will not attempt to write the backup to the corrupt drive before uploading like the samba integration does.
So, if you add a network drive, pick it as your default local backup location and turn off Nabu Casa backup in the new functionality then you would no longer need the Samba addon. With the beta, you can independently select local, network drive or Nabu Casa cloud. So I think the new functionality is complete enough, if you can live with the encryption (which I am not too fond off either, having been faced with a backup I could not decrypt, even when I thought I had the key back then).
Not entirely true. SAMBA backup lets you choose different numbers of local and remote backups to keep.
It does not encrypt the backup unless you tell it to. Unencrypted backups are handy for reverting small changes without restoring a backup by using copy and paste from the archived files.
It also has a sensor so you can notify of started / succeeded / failed backups.
The new system can’t do any of that.
Having said that, SAMBA backup’s days are numbered, see https://github.com/thomasmauerer/hassio-addons/issues/197#issuecomment-2562366082
6 Likes
By the way, from what they’ve said so far, the devs are not planning on providing unencrypted backups, ever.
A new integration would have to decrypt the backup before saving it on your NAS if it provides the option for unencrypted backups. Which to be honest is rather stupid. Lots of wasted effort to encrypt then decrypt straight after. Not to mention having to store the key on the system for this to work 
All they have to do is provide an encryption option switch for the yet to be implemented backup.create service/action, but nooo, that’s too difficult apparently.
21 Likes
What i use more than whole restore is something from any single file - either something from esphome’s yaml, or templates, or… things like that. In this case it really helps if backup in on my local nas.
Ok, now backup is zipped, so when i want to extract a file whole thing is unzipped to temporary folder anyway, so i think that only difference now will be that it will be unencrypted at the same time.
Tom, you’re correct about samba addon functions. HA’s option aren’t there yet.
I’ll try with HA’s network drive again. I remember when it came out in 2023 i tried it (with share on synology nas) only to find out that it was pretty unreliable. I didn’t test it after that, so i hope/expect that it’s ok now.
I could imagine we could have more backup setups, some encrypted, some not. And on the backup.create one could provide the backup configuration to execute.
What, Samba backup days are numbered? where can i sign a petition to save it?
2 Likes
Like i said; it was back when it was introduced, i didn’t test it anymore after that. But, thanks, it’s good to hear that it’s rock solid now. That means i’ll be able to use it.
This sounds like an over/misread of a security audit.
It would also fail recoverability. If the user does not have the key (assume they won’t) they get locked out of what may be thier only way back.
I would default it on. as new feature default secure. And highly recommend- but give the USER - role backup admin /superadmin the ability to flip that checkbox off. (roles?) with a big red box saying hey it’ll be unencrypted but if yojr backup gets hacked that’s on you (in better language of course)
Maintains both secure by default, allows for transfer of responsibility if someone gets hacked through the backup (this smells of hundreds of feature arguments I’ve been in, yes I know someone somewhere wants to protect the fort just give a reliabile point where you can say they did it themselves - it’s thier darned environment… ) and respects user settings. IMHO.
(edit :and I totally agree with not allowing the encryption flag to be turned off in saving to cloud stores but this still requires selectable at service call…)
11 Likes
I played a bit with this new backup. I succesfully created a share on my Syno and created backup.
BUT… here comes “a problem”: backup is in .tar format, and at first it seems the same as old backup. First extracting goes without any problem (also without asking for a password!), inside there are a bunch of “tar.gz” files (same as in old backups). But, when i try to unzip “homeassistant.tar.gz” it fails, saying it can’t be opened as archive.
I use 7-zip manager for this, and i expected that it will ask me for a password, but nope…just error.
So, what format is it? If it’s any custom version then it’s even more useless (for me), since i mostly need my backups to extract a pieces of my old code, like things from config, templates, sensors… anything i tried to improve, but failed to do so, and also failed to make a backup before messing with it… So i find a file, open it with notepad and copy/paste old version. Can’t be much simpler…
1 Like
It is possible to use Google Backup without copying to Google and save it local without encryption. I tested on b2 on my test rpi. Hopefully they will not block that addon.
That’s old… if annoucements about mandatory encryption are true all these addons will stop working in January.
I installed “samba backup” on my 2025.01 test setup, ran it, and it still works - it creates UNencrypted backup file. So, perhaps all hopes are not lost for this addon. 
Normally I go with the flow on HA development as there are much smarter people than me steering this project.
I would, however, be seriously concerned if I was forced to have encrypted backups. As has already been mentioned, have it has a default but let us turn it off if we want.
I want to be able to browse a backup and retrieve a previous version of script/config etc. without involving a painful process.
~B
8 Likes
I don’t usually involve myself in beta conversations until at least 5 months after features have been introduced and ironed out, but this seems to be a massive breaking change.
Nathan’s suggestion seems to cover all bases. Judging by how long I’ve been reading his posts, he knows his shit stuff.
I’m absolutely fine with making encryption as a default (similar to how you get recommended to do a backup on every upgrade, no matter if you just backed up a minute ago). But PLEASE, do leave the option to save your backups unencrypted.
I really don’t want to say “I told you so” 3 months down the line when this onerous change is reverted.
11 Likes
This is really bad News. Shock.
Most of the Time, I use Backups to
- Extract and overwrite a yaml/config
- Duplicate Productive System to Dev System
I have my Backups -for Privacy and Security Reasons- Local on different Locations. Frequently, partially, less frequently full, with Auto Backup.
I really, really Hope I will not be forced to use a Way less configurable (thus highly increasing storage or less frequent Backups) Backup, that takes more CPU, where i always have to cross fingers that the Restore Key works, is never lost, and is definitely inconvenient to handle.
If it really needs to be baked in and forced, that Nabu Casa Cloud users have their backups automatically uploaded - make it mandatory for them to encrypt the Backups.
Please, please provide an Option to Opt-Out.
9 Likes