Decryption tool for backups and option to not encrypt backups

While encrypted backup is a very good idea, forced encryption without a decryption tool is not usable !

  • What’s in the backup : I do not know :frowning:
  • How to extract just one file ? It is not possible :frowning:
  • How to verify the content of a backup : It is not possible :frowning:

Without decryption tool or the choice to not encrypt backups, it is not a good idea to upgrade to this version :frowning:

Hi

Before whining do some little checks by yourself :wink:

archive is available in the usual backup directory of HA !
it keeps exact same architecture as always for backup so nothing new there.
open the archive on your computer and voilà !

don’t forget it uses the same backup system that exists in HA since ages !

Vincèn

Yes, I agree.
Not being able to switch off encryption (I do not need it and hate it) is a hard step back.
Who is creating this unnecessary stuff ?

I stay now at google backup (local and cloud) as it's handy in case of disaster.
This new encrypted backup will be a disaster by itself in case of necessary use, as I have to get access to the stored key too… and this isn’t any help but a disaster boost.

What’s this secret about anybody’s HA backup ???
Who will get its hands on it anyway beside its owner???

Next wrong way is, that change of Key is just to another disaster key and sadly not any selfmade password for instance.
But this will be the only acceptable future way… or I will keep HA backup automatic switched off like now.

Sorry, but this 2025.1 is not any breakthrough, as there have been better backup solutions offered a long time.
Keep HA simple and do not try to integrate everything others have already done better.

11 Likes

I agree, that this backup functionality is not very helpful, if I can’t check the integrity of the backup without restoring (overwriting) my installation.

I created a full dump, which results in a tar file in the backup directory, e.g. abcdefgh.tar.
Now I extracted this file by doing: tar xfv abcdefgh.tar, which resulted in a lot of tar.gz files.

For example, how can I now check, whether the content of the homeassistant.tar.gz file is extractable, because due to encryption I can’t do a tar xfvz homeassistant.tar.gz.

I tried to do an openssl enc -d -aes-128-cbc -in homeassistant.tar.gz -out homeassistant_decrypted.tar.gz, entered the encryption key, but without success.

So maybe someone could explain, how I can at least manually decrypt the tar.gz archives inside a backup.

There should be functionality in the gui to deactivate encryption or at least to trigger a decryption of a single backup.

4 Likes
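A way to check, without restoring, which inner archives of a backup are still plain gzip/tar and which are opaque (encrypted or damaged), following the layout described in the post above. This is an added example, not part of the original thread or of Home Assistant's code; it does not decrypt anything, and the sample backup and its member names are constructed.

```python
import io
import tarfile
import zlib

def classify(head: bytes) -> str:
    """Classify an inner archive from its first 512 bytes."""
    if head[:2] == b"\x1f\x8b":          # gzip magic
        return "gzip"
    if head[257:262] == b"ustar":        # tar header magic
        return "tar"
    return "opaque"                      # neither: encrypted or damaged

def inspect_backup(outer) -> dict:
    """Map each inner .tar/.tar.gz member to (kind, number of entries)."""
    report = {}
    with tarfile.open(fileobj=outer, mode="r:*") as tar:
        for member in tar:
            if not (member.isfile() and member.name.endswith((".tar", ".tar.gz"))):
                continue
            kind = classify(tar.extractfile(member).read(512))
            count = None
            if kind != "opaque":
                try:  # walk every entry header of the inner archive
                    with tarfile.open(fileobj=tar.extractfile(member), mode="r:*") as inner:
                        count = len(inner.getnames())
                except (tarfile.TarError, OSError, EOFError, zlib.error):
                    kind = "corrupt"
            report[member.name.removeprefix("./")] = (kind, count)
    return report

def build_sample() -> io.BytesIO:
    """Constructed sample: one readable inner archive, one opaque one."""
    def add(tar, name, data):
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w:gz") as t:
        add(t, "data/configuration.yaml", b"default_config:\n")
    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode="w") as t:
        add(t, "./homeassistant.tar.gz", inner.getvalue())
        # Fixed byte pattern standing in for ciphertext (constructed).
        add(t, "./core_mariadb.tar.gz", bytes(range(256)) * 8)
    outer.seek(0)
    return outer

if __name__ == "__main__":
    for name, (kind, count) in inspect_backup(build_sample()).items():
        print(f"{name}: {kind}, entries={count}")
```

To run it on a real backup, pass `open("abcdefgh.tar", "rb")` to `inspect_backup`; an "opaque" result means the member cannot be read with plain tar/gzip tooling.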

Before you say anything, test it !
The tar file contains a gz file that is encrypted !
It is impossible to access the content of this file !

In 2024.12.5 version, all works like a charm.
This new implementation is a regression.
AutoBackup extension in HACS does not work anymore !

I have a test platform to validate updates because with each new version there are problems.

8 Likes

It is, it’s just they didn’t document yet how the encryption is done ! I fully trust HA/Nabu Casa to fully document how to decrypt it by hand if needed :wink: it’s probably done with GPG or openssl ! It’s done with GitHub - pvizeli/securetar: Secure Tarfile library from what I can see in HA code.

You don’t need always to update at latest version :wink:

I only make 2 updates per year but I test all versions :slight_smile:

wow that’s quite an insane quantity of tests :grimacing:

So, is it possible to remove the encryption?

My archiving software can’t see inside the backup file that’s been created, so I can’t do versioning on the content.

I think that we should at least have an option to switch off the encryption, or if there is an option it needs to be more obvious.

5 Likes

TBH, I didn’t know that encryption couldn’t easily be turned off when I updated. I expect a lot of people similarly thought that it was an option.

3 Likes

Does this tool still work? Didn’t have the time to test it out yet…

It seems to be using a modified securetar version (according to the source code) to circumvent some issues when being used with Windows OS.

I would also vote for a cross-platform tool as binary without any deps on all major OSes (Win/Linux/Mac) to support easy decryption.

Well it’s a good practice to always encrypt backups, it removes a lot of security concerns with storage system of backups. If it uses a good encryption system then you can basically store backups everywhere you want even a public place as it can’t be decoded without the key :slight_smile:
The encryption key of course is secured in a good password manager.

It may be a good practice to encrypt if you are a naive user. However, it is the height of arrogance to assume that a sophisticated user doesn’t know what they are doing! You have no idea how secure my backup repository is due to other measures. Encrypting encrypted files is pointless and inconvenient as hell. This needs to be made an option that can be disabled by an advanced user.

8 Likes

I just gave it a try. I needed to patch the filename generation and it worked. The 4GiB mariadb addon tarball took 44min to decrypt…

--- scm/foss/decrypt-ha-backup/decrypt-ha-backup/__main__.py	2025-01-04 19:42:53.654166702 +0100
+++ /proc/self/fd/11	2025-01-04 20:13:26.908165966 +0100
@@ -128,7 +128,7 @@
     @property
     def fileName(self):
         ext = ".tar.gz" if self._backup.compressed else ".tar"
-        return f"./{self._slug.replace('/', '_')}{ext}"
+        return f"{self._slug.replace('/', '_')}{ext}"
 
     @property
     def slug(self):
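Review bot: the new return value in fileName hard-codes the un-prefixed member name, so if this property is used to look up the member inside the outer tar, archives whose members are stored as "./name.tar.gz" (the form the removed line matched) will no longer be found. Rather than swapping one literal for the other, strip a leading "./" from both the expected name and the archive's member names before comparing, so both layouts are handled by the same code.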
1 Like

Just rolled back to my prior backup before 2025.1 due to the forced encryption. The files are totally inaccessible in windows.
I’m a Nabu Casa subscriber, and I get why any cloud backups would mandate encryption, but this is terrible for normal backups.
Restoring a backup is a lengthy and annoying process. Diving into the unencrypted tarball to grab a lovelace dashboard or integration config that I realize I want to revert back to is my major use case outside of totally breaking my HA install.

6 Likes

Just to add on, does 3…2…1 even make any sense for home assistant?
I can’t imagine any situation where I’d have lost both my on-device AND NAS backups where I wouldn’t need to start over from scratch with H-A anyhow, because anything catastrophic to both local backups was probably catastrophic to the entire structure.

1 Like

Where did you learn this? Mine appears to be creating backups still, however I haven’t attempted to use them.

This is bonkers - by all means switch on encryption by default but at least let the advanced user switch it off.
Thankfully I also use Samba Backup - Current version: 5.2.0 which is still doing unencrypted backups as per my defined schedule and storing them off to my onsite NAS.

lcsneil

1 Like

Are you sure backups are not encrypted ? Can you extract the xxx.tar.gz ?
What HA version do you use : haos ? ha container ? ha core ?

Following this thread as I am the only one with access to my storage, while not storing any data in HA that I need to be encrypted; therefore I see backup encryption as a pointless royal PITA in my use case