And in future that process will not allow unencrypted backups. Or at least that is what they were planning.
Say the middle ground scenario described above gets put up.
I have 7 encrypted backups on my system and 30 on my NAS.
Oh shit! I need something from one of the older NAS backups quickly before I go out. Can I just open it?
No. No I can’t.
I have to upload it to HA, decrypt it then download it again. 
I have not seen any comments that imply this. That’s why I said
I’m really not trying to be a pain here, I’m trying to understand where you got this idea from. Because from my stand point, I don’t see this being implied anywhere in regards to the endpoints that addons use.
Just because the securetar library uses a cryptography library doesn’t mean it was used correctly. It uses the primitives part of the library, not a built-in recipe, which comes with a clear warning:
While I hold the HA devs in high regard, not sure I trust that they “are 100% absolutely” sure they know what they are during in this respect, because even the best get this wrong. Scanning the NC about us page, there’s no mention of “security” or “cryptography”, does anyone involved have any background in cryptography? If not, some kind of security audit of securetar seems necessary with this current implementation.
I would be very happy to be proven wrong.
that must be a bug then?
It is extremely rare to see a dev in the forums. They prefer the cacophony of Discord.
Thank you for responding - this is some reassurance that this need not develop into a damaging standoff between the more engaged users and the developers, and much of what you say seems reasonable.
However it does worry me that one of the most prominent concerns expressed - the failure to support unencrypted local backups - is listed last and as if a minority opinion. Also, as said many times above, the reason is not only about not wanting choice removed - though that is a reason - but also because it increases risk for users by removing straightforward access to their data in the not uncommon situation of needing a partial rollback.
I’d also point out this is coming from someone with a completely uncomplicated backup - just a manual backup to NAS before any risky change such as a software update or configuration change.
Maybe a new HA fork without encryption?
I think that there is a hyper technical issue here. It has to do with where data is unencrypted and free disk space. Currently, all the HA data is stored on disk unencrypted. When reading it for creation of an encrypted file, you would want the unencrypted version to only exist in kernel space and have the encrypted version in user space. This ensures that no “rogue” process can access the unencrypted version of the data during backup. Ignoring for the moment the access that exists during other operations.
Performing the encryption prior to writing the data ensures that only one copy of the data needs to be written. Supporting both encrypted and unencrypted versions will require twice the space and twice the time to write. I am OK with that but there may be issues on constrained systems.
As I write this, one more thought came to mind. If the HA data is ultimately encrypted on disk in a backup format, there is a really fast way to make a backup. Copy on write allow a complete local copy to be made of any size file in almost no time. This could be a planned direction.
Without information from the development team, all we can do is speculate. We don’t have to, but it is enjoyable.
Cacophony is a good descriptor. I just can’t use it.
it is not true. And would be nice to not use false information to support anything.
EU companies are obligated to do certain security measures. But for sure encryption is not an obligation everywhere, including backups. It all depends on overal system topology.
Sorry, but I had the conversation. I 100% know what frenck was saying. Any other interpretations of it are simply not correct. He answered the questions I was asking. He was not implying that encryption would be removed.
I was asking if the backend changed, and he was assuring me that it didn’t. He just said it out of order. Last in → first out. It’s a common way people talk on discord when answering multiple questions. Unlike a forum, where you respond in bulleted order.
I think several people in here also underestimate how heavy getting bombarded like this can feel on the people working on things.
Just because we aren’t typing doesn’t mean we aren’t watching. Please remember that.
I think the fear isn’t that the backend changed, it’s that it will/won’t change in the future. I think it’s clear that as of 2025.1, backups using the backend can function as they did in 2024.12.
My concern is that this will be deprecated in the future and we’ll be required to use the fully encrypted default.
This might all be part of the same misunderstanding, but it’s still not clear to me and maybe the userbase writ large that this is not going to change in the future.
That and the worry that the backup function before updates will never come back.
I’m not sure what to tell you guys other than what’s already been said.
I’m not concerned at all about the addons, I’m confident they will continue to produce unencrypted files into the future.
I’m confident there will always be a way to make an unencrypted backup.
I’m confident that the feedback here will lead to a system where automatic backups before updates will exist in some shape (though it may not be a question before each update).
First, I appreciate all the efforts to get to the bottom of this. I know it’s messy and can seem confrontational. But we’re all after the same thing, and these discussions have to happen before we can get to a point where we can work collaboratively. We all want the best for HA!
Part of the problem is, that’s all any of us have. A “feeling” based on the things we’ve seen.
We’re all trying to squeeze as much out of the of the few “official” comments as possible.
The solution is simple. An honest response which addresses the big questions head-on. If someone in a position to influence the decisions were to announce here that there are no plans to remove the option to leave backups unencrypted, many of these 700+ posts would be moot.
Because we read justifications as to why some devs think everything should always be encrypted, even locally. Then we hear that this is just the start of a much longer process, and that more changes are coming.
Isn’t it reasonable to assume, in the absence of any firm statements to the contrary, that those changes will be made in the same direction as this one (removing unencrypted options) and more in line with these pro-encryption attitudes?
You can always look at the future in the negative light or positive light. You’re in control of how you look into the future. You’re assuming the worse case scenario immediately, I can’t change that behavior and nothing I say will change that either.
You are both right and wrong.
GDPR is a complex thing. And violations are punished very harshly.
There is no doubt that a backup of a HA environment contains personal data that falls under the GDPR rules.
By ensuring that we can only upload encrypted data to Nabu Casa controlled cloud storage which Nabu Casa have no means to get access to, their liability and the controls that need to meet becomes endlessly more simple because it all gets reduced to our basic customer database (as Nabu Casa customers in general) and some digital blobs which any court will accept is not in any way processed by Nabu Casa. And by placing the storage in Europe they also ensure that EU citizens do not get the data (even encrypted) sent out of EU.
We must accept that Nabu Casa will need to insist that backups to their servers are always encrypted. I fully understand that. I am involved with ISO27000 certification in my company. It gets complicated very quickly and violations can cost Nabu Casa its life. So that one we have to accept.
I think the overall consensus with all the reactions is that most of us are good with that. It is the local storage and third party addons/integrations where we want to have the choice.
I do not think I will use the Nabu Casa cloud backup. But if I do I will want to select my own password (which you can do if you hack the password in .storage/backup). I put a random profanity based password there as a test and it works. But I prefer it is in the UI. You should never have to hack any files in .storage
