Add password protection to automated OS backups

In the manual backup UI there is option to encrypt them, but there is no such option in the automatic backup what happens regularly and on updates. (Or I haven’t found them.)

Could auto backups be configurable?

Ideally also frequency and excludes.

If you think it’s a good idea, you should vote for it. I did :ballot_box_with_check:
Suggested Reading:
More about Feature Requests.

You should be aware that encrypting your backups, while sensible from a security perspective, makes it a lot harder to recover individual files from a backup to repair a system without doing a full restore.

The backup first has to be decrypted using a python script you can find on this forum. You can not just enter the password into whatever decompression software you are using to attempt to read the file.

1 Like

I found this thread while searching for a way to do this, because I really could not believe that such a basic feature was missing.

@tom_l - yes, it does make it harder to restore. As a general rule, security features do make some tasks more difficult. Does that mean we should ignore security altogether, because they sometimes hamper usability??

Backups should be replicated to multiple destinations, archived for long times with multiple versions, etc. These tasks can be problematic when we do not have any sort of encryption for the backups.

I know this is “home software”, not enterprise. But that does not mean that we should ignore basic security.

Nowhere in that post did I say you should ignore security. Please don’t necropost words into my mouth.

Do not get me wrong, please - I appreciated your advice about the steps needed for decryption, and I did notice that we both agree on the fact that encrypting backups is “sensible from a security perspective”. However, when you continue with “this makes it a lot harder to do X and Y”, you will discourage people from following some basic security best practices.

Hence my comments, directed less towards you, and more towards the community at large. I know this was an old thread (and my apologies for the necroposting), but it is literally the first result when searching for “backup encryption” / “backup password”.

[ Edit: also, this problem still exists -even 11 months later, there is still no way to encrypt automatic backups in Home Assistant ]

Depending on how you run HA there’s a lot of products - some even free - that do this. I don’t use the built in backup but rather a third party software that gives me backup ranging from full machine to single files, encryption, off-site immutable storage and so on.

@fleskefjes - could you please mention some of these products? I have been relying on the built-in backup functionality (plus VM-level backups, but that is a different story).

I am currently running the OVA as a VM, but I am in the process of moving to HA Yellow.

If you move to dedicated hardware it may be harder to do. I use Veeam.

Thank you! Indeed, I use Veeam as well (for the full VM-level backups I mentioned earlier). But with the move to dedicated hardware, I was looking for an alternative. Hence my sudden renewed interest in HAss backups :slight_smile:

Any particular reason you are moving off virtualization to dedicated hardware? In my opinion virtualization gives you so much more possibilities.

Ease of management, mostly. For example, it will be much easier to have the HAss hardware run on PoE from my main switch (with redundancy, UPS backup, etc), rather than worry about ensuring power redundancy for yet another device.
[ Edit: that, plus a move away from VMware, now that free ESXi is gone… :frowning: ]

True, virtualization is more flexible, and I will still keep my hypervisor(s) (VMware, PVE, etc) around for other tasks. But I am getting to that age where I would rather have a solution that “just works”, rather than keep tinkering with both the hardware and the software (admittedly, I will keep tinkering, but hopefully with a lower risk of bringing the entire automation down when I do that :slight_smile: )

I installed Home Assistant OS for a few homes where does not make sence to even once touch the command line. (Example persona - my mother)

Hassio is a great simple product for simple usecases where no simple encrypted backups feature means usually unencrypted backups on the local usb flash stick at best. This product is not for users who will glue it from other tools.

I disagree. That’s like saying Windows is not for users who user third party backup tools.

You didn’t get my point. Using your analogy: Windows can be used with 3rd party backup tools, but good simple one is included in the product, because most of users didn’t backed up or did it wrongly.

You said specifically that HAOS is a “simple product” not meant for users who will “glue it from other tools”. That is in my opinion wrong, it works perfectly with other tools and there’s a a lot of use cases where third party tools bring a lot. I never touch the command line in HAOS (because I don’t need to) and my HAOS installation is replicated to redundant hardware, has immutable cloud backup, granular restore to name a few.

So that’s why I disagree with your statement. Having a managed OS does not exclude advanced use.

I get your point, and I see the appeal of a “low touch, low management” solution (see my above post regarding the reasons for moving to dedicated hardware). And as I mentioned above, I can even understand why a home solution would have by default unencrypted backups.

However, I do not see any way in which having the option of backup encryption would hamper that use case in any way.

Keep the basic use case simple, keep simple and sane defaults out of the box, but give more advanced users the flexibility to “glue it to other tools” and set it up the way they want. After all, this “gluing of other tools” (getting all the disparate smart home devices with various APIs and putting them into one unified automation interface) is pretty much the main thing that made HAss great in the first place :slight_smile: