API Encryption - where to update in Home Assistant?

Where should I add the encryption key?
Is it in configuration.yaml, or in the database, or an XML config somewhere?

I’m only encrypting one ESPHome device at the moment, just trying to get it working.
All my others are non-encrypted at this time.

1 Like

You have it here

That’s in the ESPHome device source code itself.
I’m asking about how to get Home Assistant to use it?
Certainly this same key must be posted somewhere?

These are the errors I’m receiving from the ESP32 device:

[17:46:22][I][app:102]: ESPHome version 2021.9.2 compiled on Oct  6 2021, 17:44:07
[17:46:22][I][i2c:033]: Scanning i2c bus for active devices...
[17:46:22][I][i2c:040]: Found i2c device at address 0x5A
[17:46:23][W][api.connection:068]: Socket operation failed: BAD_INDICATOR errno=11
[17:46:28][W][api.connection:068]: Socket operation failed: BAD_INDICATOR errno=11

I removed the ESPHome device from ESPHome itself, then from the ESPHome integration, and while Home Assistant recognized the new ESPHome device, it could not connect.

Not certain what finally changed, but Home Assistant finally picked up the “new” ESPHome device and THIS TIME, it actually asked for the encryption key.

1 Like

Not solved for me. I also tried only on one device but HA insists on asking me the key and even on command line it does not connect (I can re-flash via OTA though, and it’s responding to ping).

I believe I have what’s described here: https://github.com/home-assistant/core/issues/56915 but according to them it should have been solved in the version I am in.

1 Like

I suspect the issue is, the current HA code is fully prepared for NEW ESPHome devices, but doesn’t handle so well the case of an EXISTING device that is having encryption added.

It doesn’t even work for me when removing the ESPHome device and re-adding it with encryption enabled. Still getting the same error as described here not matter what I do.

It’s a UNIX/Linux thing, but if you’re okay with that:

Save a text copy of your ESPHome device’s YAML source code – you’ll need it later

a) open a terminal/command-line session into your HA instance
b) cd to the esphome directory
c) cd to the .storage directory
d) remove the esphome.abcdefg123456 file corresponding to your device

e) use the grep utility to find the name of your device within the Home Assistant core.* files
f) edit the core.* files to remove the entire section corresponding to that device from these files (should be one instance in each of two or three files). save the files, exit the text editor.
g) synchronize the file system. command is ‘sync; sync;’ (not strictly necessary, just habit)

Then, in the Home Assistant web GUI:

  1. use the ESPHome page, and delete your device
  2. use the Configuration / Integrations page, remove the device from the ESPHome Integration
  3. restart your instance of Home Assistant
  4. re-create your ESPHome device

Hope this helps . . .


Thanks and yeah, I’m fine with the Linux/Unix thing :wink:
But this seems like a nasty workaround which probably works but is nowhere even close to being user friendly or anything. Seems like the upgrade of existing devices was not tested or looked at even once considering this many manual steps to get it working… :see_no_evil:
I’ll see if I will do the manual method here or just wait for a proper fix… no need to rush as encryption in my setup right now is not mandatory. :grin:


I agree, I believe they missed the entire ‘update’ perspective for this feature.

I also try found solution to eneable it and start working.,…

I think the issue is fixed by ESPhome 2021.9.3 …
Yesterday i had the same behaviour like you describe. Now, everything is fine and the nodes can be reconfigured over the ESPhome UI in HA…

1 Like

So how should it be done properly ?
Just changing yaml file of the device (adding encryption property) ? Or some other action needed e.g. in add-on configuration ?

Yes. Edit the yaml and you’ll receive a message in HA for reconfiguration (type in the key)

Nope, upgrading to encrypted is still not fully working for me. I just tried adding encryption for one of my (wemos d1) devices and it is only partially working. I’m still seeing similar “Socket operation failed:…” error messages, and several of the features I have on the device are not working. For example, the device has an OLED that displays time, date, temp, and humidity… it also has a button for input, and a dfplayer for audio cues. After adding encryption the devices shows up in HA, and the time is showing properly, but the temperature and humidity aren’t working, and neither is the dfplayer or button. I assume this may be due to those functions requiring data from the HA api… but esphome maybe can send the date without interaction? I was able to OTA another fw (from the HA webui) without encryption enabled, and everything started working again.

On a related note, the HA integration did not ask me for an encryption key after the upload… just started working and logs showed encryption was in use. So they did get the string stuff fixed… so just the yaml edit is all that’s needed now.

Anyhow, just wanted to pop in and mention this here since it’s NOT fully ready for newbs yet. I’m not really nix apprehensive, but I have not tried hacking my .storage files yet… too much other things taking my time right now. Running esphome without encryption, at least until the devs sort this out, is no big deal I think for most users who are operating behind a firewall with only trusted clients. IMHO, this feature was just rushed out a bit too quickly/loudly… after all, it looks like there may be some difficult upstream issues to sort out according to this:


That is not correct. You need to add the key for each device.

I updated all my ESPs to have encryption on the weekend. All of them asked for the key and password in home assistant. A lot of them twice :face_with_monocle:

After a restart the ones that asked twice had forgotten their keys and were not communicating. About 16 of 56 devices.

I was copy/pasting so I know I got the keys and passwords right.

I had to delete the devices that were not communicating, restart home assistant, then add them back in after being discovered (including redefining the keys and passwords).

All are working well including the ones that use custom home assistant services.

Aha, HA did not bring to my attention a need for the encryption key to be entered after uploading ota in the webui. However when I went to actually open the integration in HA, it did have a big red “RECONFIGURE” button on it (also was a notification in HA for it). After hitting the reconfigure button and entering my key and password, it connected with no errors. The device survived reboots with no issues. I did more devices, one at a time at first, then did a batch with update all. After doing the batch, there were several esphome integrations showing each with a red reconfigure button.

After satisfying all of those red reconfigure buttons with a crypto key and an associated api password, they all worked fine, even after reboots. I hope having do delete devices, restart, and redo them isn’t something common. In case it matters, I’m using hassos on a pi4.

1 Like

Took me a while but now I have encrypted my first ESPHome APIs. I found that for each ESP that I encrypt I get a whole bunch of reconfiguration messages in HA’s config section. Looks like I get one per entity instead of one per device. Is there a way to add the encryption key on a per device basis? Otherwise I will have to go through several hundreds of reconfig flows.

Just found the solution: You simply re-config just ONE of the identical device entries that are shown in HA’s config section. Then restart HA and all the other entries vanish.

Can you explaine me step by step how implement encryption to my devices ESPHome and HA ?