2025.1: Backing Up into 2025!

Communication with the website is encrypted not (necessarily) your comment or where it’s stored. Just saying

Correct. If the operator is considered a provider.
If I operate my personal data only, then I’m not the provider in terms of GDPR, thus I am not obligated to use certified software.

So as stated by me or Keneth, there is no need to force encryption until the case the service that stores my data requires that (ie backup to NC)

They have said the data is stored in Western region of EU, though there is no mention of this in any legal documents I checked, so yeah.

In general in regards to gdpr, I don’t think Nabu Casa really fully follows the regulations. For example, there should be clear info in the privacy policy about user right to access, edit and delete the data. There should be a gdpr officer assigned. And so on.

So I don’t think GDPR is a driving force in this whole encryption backup topic, at all. I think it’s about security and cutting corners, because they didn’t realize so many people used backups the way they do.

I believe gdpr is even more lenient, you are allowed by the law to process personal data of other people for your personal activities (like contacts in your phone) and you don’t need to follow gdpr about that, as long as it’s not commercial activity. I think this would also apply to your home assistant instance in your home, even if you had some personal data of other people in it.

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN#rct_18

Hi Kenneth. I love your Youtube channel.
In the release party video Paulus explained that Nabu Casa had ensured that their cloud provider stored the backups physically within the EU. There is a legal reason behind that related to strict requirements for anyone transmitting personal data from costumers outside EU. You are allowed but it requires a lot of red tape.

So, if the words hadn’t been used, this would be a “total food fight”?
(Sorry, I can’t resist a straight line).

Thank you Missy for stepping in and striking the right tone!

To clarify a bit since it’s been mentioned a couple times (and I absolutely appreciate everyone’s concern) - I am not currently working while sick, I took a half day on Monday and logged off early yesterday to recover. I am feeling significantly better today, with an awful cough lingering. (And at the time of posting this, currently not on my working hours! )

It doesn’t take that long to unpack a tarball, especially on a VM.

I was just going to suggest this when I saw this post. 100% agree.
Encryption might be required for remote backup, but on a local backup, it should be optional or at least be able to set your own encryption key.
I can see a scenario where I do a backup every night, then my HA crashes several years from now, and when I go to restore, I find out that I can’t remember or find my encryption key, and I have no way to restore.

I don’t think I’m able to remember the kind of key the encryption system is generating . What I would do is save it in my passwords vault (like Bitwarden, Keepass, …) and also print it and glue it near my HA server.

I do have a question, we have the ability to change the encryption key from the UI, is this process asking for the previous key? It’s like a nuclear button I don’t want to press ever.

The old key will be displayed when the change is made. However, you should be aware that the new key will only be valid for the new backups!

So, I nice recommendation would be to save the date of the key generation. And also never create other user with admin privileges…

• how often do you open your backup archives?
  Never, because I had not realised that I could do this. Once in a while (a few times a year) this could be useful in recovering a config/yaml gone wrong.

• How often do you need to restore your backups?
  To recover when a power outage corrupted by SD card, so system wouldn’t boot: A week ago
  To recover when system would not start after an update: Twice in the last year.
  To restore to new hardware or reconfigure boot from SD to NvMe probably 4 or 5 times in the last year.

I don’t encrypt my backups as they are stored on my local server only I will sit on the fence until I know where optional encryption is heading, so I wont update for a while. I’d like to use NabuCasa for a cloud satefy backup (encrypted of course) and I could probably live with local encryption but I’d certainly prefer not to have local backups encrypted, Its just one more hurdle to trip me up.

Also (and this is a very long thread, so I may have missed it) why aren’t backups created as part of updates any more?

Well, I don’t like the new backup behavior at all. But I have to admit that a) this recommendation is given directly in the UI and b) an admin can access everything anyway, even without the new backup system.

Thanks for the Feedback from the HA Team.
Given what happened happend, I understand that In-depth Feedback, Reverting and Adjustments take their Time. Technically, communication- and structural-wise. I take you all by the Words, that this is not (like others already pointed out happend unfortunatly before) an empty Phrase.

I appreciate all the Effort from everyone involved, and am sure everything is getting done with no evil thoughts in Mind. Take your Time to correct it good, not fast! And thanks for all your work!

I understand that even balloobs Response is not to be taken as a final all-covering Response or Statement. However, i have a Tension with one Thing, i just wanted to point out:

I don’t know where the Diminishment “Some users don’t like” comes from, and have the Fear that this Part of Feedback is not heard/saved correctly.

Yes, there are some Feedbacks that say they either like it or dont care. But if i read through this Thread, i would say the vast Majority has serious Issues with the forced Encryption. All reasonable arguments (e.g. enforcement, security and nonreliability) are in this Thread.
It is neither “Some”, nor “don’t like”.

I just don’t want this getting saved wrong, and leading to “some don’t like, but yeah well you all know how it is with Taste” in some weeks.
Please, take all the Feedback, and especially the forced encryption, serious.

That is a lot of text to say so little - and some of the “little” isn’t even true.

So there is a benefit of encrypting information in a file on an already encrypted harddrive/SSD - who would have thought!

I am very sure there are many that read the first few comments in this thread think like me:
“Ok, nice, new backup optios. This obvious bug that there is no way to disable encryption has been mentioned and the bug that backing up before updating addons aso. Let’s just wait until this is fixed and then update.”

Now after searching for this fixes in the changelog for 2025.1.1 I started to dive into this thread an now i read that this is intentional and won’t be fixed?

I cannot understand this and hope that there will ultimately be an option to fully revert this new system to the old way, if there will be no fix to these flaws.
It was not flashy or anything but it was very clear and easy and really worked well for me.

my backup Tars take a while on my PC and my PC is not no slouch, you have to add to that in a restore all those file have to go some place, I think its quick considering my backups are 3.6gb in tar format.

I do like to have an automated system to create backups, and also the cloud backup in NC. I expect new functionality in the future to change time or to create several automations with different configuration.

For example: one automated full backup setup to save in HA and in my NAS. And other automated partial backup setup, excluding InfluxDB, to save it in NabuCasa.

My concern about the other admin users is that they click the change key encryption button without having the consideration of communicating and saving the new key.