2025.1: Backing Up into 2025!

Encryption can be understandable if it’s for backing up to the cloud. But when storing backups locally it should be perfectly fine and possible to do this. Had it been in kindergarten, perhaps…

2 Likes

I have just updated to 2025.1.1. As already known, there was no request to make a backup before start (I did this manually, of course). Thank you for the great development. If the development continues like this, the name should be checked again. Home → fits / Assistant → I’m not sure :slight_smile:

What about creating backups unencrypted locally every time, then encrypting them only for the sake of uploading to the cloud?

14 Likes

Viruses are quite good at finding and exfiltrating credentials.

You know that the credentials are stored unencrypted on the HA system (e.g. .storage>core.config_entries)? Where do you see the difference/reason to have to back up encrypted, e.g. on the same system as a local backup?

8 Likes

Your creds on HA are NOT stored encrypted. The minute someone has access to your HA box, they OWN it. They won’t go for the backup; they’ll open a secrets file. There is no additional value to securing the backup if it’s never moved. If it needs to move off premises then best practice says it should be in a secured envelope (digital, physical or otherwise), but on my server it’s redundant and dangerous if I cannot access the file unfettered.

12 Likes

I’m curious whether they are silently reading us and learning, or just giving a heck.
What we are writing is as obvious as breathing.

I suspect most of the core team are at CES 2025 and oblivious.

Update: direct link to Fosstodon not via Mastodon

4 Likes

I actually believe that CES is going on this week and most are walking the show floor…

What I BELIEVE is happening is the team honestly wants to do good and provide a good tool.

So someone says secure by default! Great!

The reality of encryption and Europe is biting them in the butt. If they can open it and have it, they must produce files on demand in some countries… Not so good. So hey, what if we never see it unencrypted…

Nabu is clean from providing info in someone’s backup to a governing body if they can prove they never see the files unencrypted. OK, I get that; that’s why they never want an unencrypted file.

But that’s Nabu’s problem to solve, NOT the Supervisor’s. I think someone has the bright idea that if the backup is never in the clear then they’re good from European decryption edicts. (debatable and still not advisable)

The problem is they’re not. The only way they get that is if they encrypt the user volume the backup is stored in and never get the key (how secure enclaves work on other cloud platforms.)

Solve the encryption problem where it needs to be solved. Not on my computer where I don’t need it.

17 Likes

Exactly all of this.

I have also been following this since the discussions in beta, and have been avoiding commenting because there’s (justifiably) a lot of noise already. Frankly, I had hoped there’d be some listening to the feedback and a way out that would allow the core team to save face while backing away from this position. That said, I agree about not letting those who speak out stand alone.

We now appear entrenched in a no-win situation where there is no possibility of a climb down because the users are ‘just doing it wrong’. It’s disappointing, but let’s not pretend we haven’t seen projects come to this point before.

8 Likes

573 comments and it feels like at least 500 are saying that they do not want to encrypt backups - when stored locally in the home where HA is used.

It seems that every reason, why a lot of users want it that way, has been mentioned.

So let’s turn this around!

Can somebody bring a good reason why a file that lives on my SSD, in my house should be encrypted?

Maybe we just don’t see the value because we are too narrow minded - so please bring forward some arguments - and maybe that will bring people around?

2 Likes

Well, from a product management perspective this is exactly how it SHOULD work :wink: (aka: listening to stakeholders)

I know that the product people at NC are highly motivated, and the recent mega-survey (no irony, I enjoyed the thoroughness) is a good example that they overall care about doing things properly. So as I can rule out laziness and lack of interest, it leaves me with these 3 options for what is happening:

  1. a vocal minority doesn’t like the change, while a huge quiet majority likes it or doesn’t care. Typing this, I would wanna rule this out as well, as the ones for whom backups are important and who know how to deal with them are probably all in this thread by now :wink:

  2. undisclosed legal or business reasons that make encryption on the NC servers a strong necessity (which I would get).

If I go with option 2), then it all smells a bit like massive time pressure to a) offer this as an NC feature and b) have it done in a way that is not putting NC between a rock and a hard place when the authorities knock on NC’s door to request data…

P.S.: There is technically an option 3), which would be about “general stakeholder management vs dev capacity”, but I’d rather not go into that…

6 Likes

Ahh, OK. That would give them a plausible reason not to be here, answering the barrage of legitimate questions the community has. I’d rather believe that than think they’re intentionally absent.

Now, is anyone else attending who could swing by the HA booth, or get in front of some influencer’s camera, and bring this issue to the attention of anyone who might listen? Just a thought.

1 Like

If that’s the case, they probably shouldn’t have rushed out an update :man_facepalming:

12 Likes

(Signed up to make this comment)

Using a private git repo may be acceptable for storing secrets - not all repos must be replicated outside of the LAN. Still has the advantages of version control including fallback. And this repo could be replicated somewhere else in the LAN, like NAS, since .git is just text (generally).

My personal use case (HA docker user here): git repo in the HA/config directory that I choose to replicate to a private repo on GitHub. This may not be an acceptable security stance for others but this meets my needs well. My actual backup needs are met by a nightly Proxmox backup of the VM running docker. Thus and so: granular restores of config files = git, full rollback of entire OS along with all configuration and data since last backup = Proxmox.

For the topic of this thread, I think forcing encrypted backups will mean a large percentage of restores will end up failing because of lost encryption keys by the average person. Just my opinion. In my IT career I have often said, “Backups don’t matter - only restores matter.” I have seen many events where someone ‘could have sworn’ they had a good backup system in place…until they actually had to restore something especially during a full blown disaster (or comprehensive test event of one).

10 Likes

Please be constructive in your criticism; I got increasingly depressed reading this thread.

11 Likes

I don’t want to be left out and I’m joining this minority (maybe). I also don’t see any point in encrypting backups in my local storage and I fundamentally reject it and I’m glad that for now Samba Backup works as I request and sends scheduled backups (unencrypted) to other HW in my local network.

4 Likes

Yeah I noticed that yesterday after I had moved a ton of backups to my NAS and deleted them locally. I had to copy them back and manually select about 150 backups to delete them. Note - I couldn’t just check the 1st select box, go to the last box, hold shift, check the last box, and have them all filled in like I can do with other stuff like many of the 'arr programs. That was painful in both instances.

Nice update except the backup part.

I’m against the encrypted part as the backups already take a long time to be done on my little Raspberry.

  • I had to look in the backup when an update messed up something or had to check if a parameter changed by accident.
  • I only do that when working on enhancing my setup, so no more than twice a year or when something fails.

For me the main issue is the loss of the partial backup checkbox before updating. The fact that the latest version enforces it is troubling. Why remove this feature?

The lack of a concrete answer to all these concerns (despite the number of participants) is also troubling (but I can understand that if they are at the CES… But why push an update just before leaving the office?)

And sorry, but you can’t call this an MVP when the previous version or existing addon (thanks to the Google Drive addon dev!) are doing it better and you are removing existing features without real consent.

This new backup feature should not have been planned for January release, tested during normal days (not holidays!) and the existing and legitimate feedback taken into account.

It’s not the first time this situation happens. Love the work of the devs, love the project, but until we get a real answer, I will maintain my NabuCasa plan cancelled.

It’s sad but my experience tells me it’s the best way to be heard.

6 Likes

Reminds me of when Canonical tried to make Ubuntu look like Windows by forcing that Unity desktop as the default. I wonder how many users switched Linux distributions (besides me) when that happened? I went to Mate, and am now migrating to Mint as I have time (I have probably 10 or so Linux servers and VMs).

1 Like