Decryption tool for backups and option to not encrypt backups

HA development is absolutelly awesome and I am sure everyone is grateful for anyone’s time put in developing HA, no matter how small. I understand HA devs look out for the benefit of all HA users, however, I do think it is not great at all to force users on automated and encrypted backups.

We need options to tailor to our individual needs, and this has now been taken away with the shift to automated and encrypted backups.

For my case, my encryption locally and on the cloud is handled by myseff on a larger scope that just the Home Assistant backup files and it is therefore completely unecessary and PITA to have these backup files encrypted.

Also my requirements for backing up are for when I am carrying out code and dashboard updates. I may go for weeks without any modifications and therefore an automated backup would only waste resources in my case. If I update code and dashboards, then I back up manually, in addition to git version control.

In addition, now there is no option accessing backed up code externally! Sometimes, I may want to see some yaml code for a few months ago, but now it is not possible since the files can only be decrypted after loading back to HA!

I understand these chages are meant for everyone’s benefit, however, can the main dev team please add back the option for non encrypted manual backups without the need to set up an automated schedule.

3 Likes

Yes I can extract the individual xxxx.gz files from the .tar.
Cant go any further though and open the .gz files (using 7-zip).
I did manage to restore a backup a couple of days ago after a zigbee2mqtt update without putting in an decryption key.

On raspberry ip4

  • Core2025.1.0
  • Supervisor2024.12.3
  • Operating System14.1
  • Frontend20250103.0

lcsneil

This is the problem, datas are in the .gz files we can’t extract it in 2025.1.x versions !

1 Like

Just switched back to AutoBackup integration, which works great (without encryption).

I’m tiggering it from NodeRed in the following way:

  1. Creating a folder /share/backup/mariadb and /share/backup/influxdb
  2. mysqldump of the MariaDB to /share/backup/mariadb
  3. influx backup to /share/backup/influxdb
  4. Executing auto_backup.backup_full and excluding addons mariadb and influxdb
  5. rsync of /backup folder to cloud storage

This works fully automated, without encryption.

BTW: I just found out, that when testing the resulting backup tar-Archive inside the HA terminal for consistency, I always got a

tar: invalid tar magic

error message. This always happens when accessing the share.tar.gz inside the backup. I thought this indicates a corrupt tar-file, but meanwhile I found out, it’s only due to the busybox tar Version, which is used inside HAOS. When copying the tar file to a Debian Linux Box, there is no issue extracting the main tar archive as well as the tar.gz files inside the tar archive.

The backup tar-archive is recognized by HA (Settings->System->Backups) as manual backup, so everything seems to be okay. Will now try to recover it in a newly provisioned HA VM on Proxmox to cross check.

I am in same situation, HA restore fails and I can not access files in the backup file due to encryption. my system out of order and have to rebuild :frowning:

2 posts were split to a new topic: Encrypted backup not restoring

Just updated to latest Home Assistant and went through the experience of finding that backups are effectively useless now, albeit with a pretty front end. Running manual backups for the foreseeable future now.
This encryption implementation looks to be very immature. Hopefully the ability to remove keys makes it to the codebase. Soon.

1 Like

That’s exactly it! If I ever need the encryption I will sort it out at-rest on endpoint…
The place I’m encrypting to, if anyone got there, the ha backups would be my least worry (proper sensitive data out there)

I am also in the same situation since the update 2025.01. Backups cannot be really verified and there is no way to restore a backup easily in a docker environment. Providing an own encryption format is a nice idea, but there are enough working and widely supported solutions, so i think it is not really necessarry und usefull. Please allow to make a backup without using a special format and encryption (or just add an option to disable this encryption)! Many thanks!

2 Likes

Forcing encryption for local backups is a very bad idea. Using a custom encryption system is a worse idea than that. Externally I can’t tell if the .gz file is corrupted or encrypted with a custom tool.

This also makes incremental backups impossible even with block-level incremental backup tools which can normally de-duplicate across files and versions. Cryptographic hashing kills that feature.

I have to roll back to a previous version.

3 Likes

Unfortunately there is a big problem. When I tried to restore my previous backup from version 2025 (encrypted), the home assistant reset and offered to upload a .tar archive to restore. It’s good that I had such an archive from a week ago (made with 2024 ver). So when I try to restore an encrypted backup, the home assistant is reset. I had to roll back to version 2024 and now waiting for a fix.

1 Like

Hello!
My name y Alberto.

I found this tool that decrypts new HA backups:

Thank you! heard about it! But it worked like a charm before and I don’t want no encryption for my local backups. Waiting for HA dev team to roll back no encrypt option

Good comments.

I would like to know why this was implemented in the first place?
Was it due to cloud backups? And if so, why wasn’t the encryption made an option for local backups.

There was no rush to push out new functions, HA works just fine without encrypted backups.

Well, to be honest, my priority with backups is that they be as easy as possible to restore. Encryption is one more step in the process that can go wrong.

If I’m away and someone else needs to restore the backups urgently, I don’t want them having to look up encryption keys. Which I’d probably keep in an encrypted location. Thus requiring more encryption to guard my encryption.

There’s also the small detail that if someone had access to my backups, then they’ve physically compromised my site so someone having access to the irrigation schedule for my tomatoes is the least of my worries.

I vote that we submit a request to get this as an addon for HA.