Decryption tool for backups and option to not encrypt backups

This won’t be an issue once next month’s release is officially released. It’s supposed to have an option to not encrypt at all except for anything uploaded to Nabu Casa Cloud, among other things.

2 Likes

This tool is amazing, it decrypted my backup.
I was desperate, I tried to restore the backup and it cleaned all my config, now I’m back to business.

Doesn’t work on Mint/Ubuntu Linux.

$ tar xf ../homeassistant.tar.gz 

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now

You do realize most people who don’t just lose or ignore the key will end up saving that textfile IN THE SAME PLACE AS THE ACTUAL BACKUP, right? So someone who got hold of the backup would also have the key, defeating the point of it.

And then everyone who loses the key will be mad when they believe they have backups but can’t use them.

This is just adding more unnecessary complexity and creating headaches.

2 Likes

Well if people are dumb it’s not responsability of HA/Nabu Casa and perhaps it’ll help educate some users at good IT practices :wink:

No, read Missy’s post in the other thread. The optional encryption was not one of the items promised to be delivered in next month’s release.
They’re working on it but have not given any timeline for delivery

The backup system is worthless. I just setup a system and got a lot of stuff configured. Turned on automatic backups and downloaded the first backup it created. A few days later the Mini PC I was using decided to self destruct. Grabbed a NUC and installed HA, tried to restore the backup and it refuses because it’s only a partial backup. I’m sorry, where is the full backup option then? So here I am setting everything up from scratch again. Would be nice to at least read my YAML files from the backup but nope, can’t do that, it’s encrypted.

2 Likes

I have created a tool that decrypts and decompresses Home Assistant backups, so you can use deduplicating, compressing and encrypting backup systems like Borg Backup on top of those.

This means incremental backups for Home Assistant, with arbitrary retention, backup verification, WORM, partial recovery, and whatever you dream of (well, set up) :wink:

WTH? Mandatory encryption? No no no no no no no! There’s zero chance I’ll have the key when I need it, Stop this now. No I’m not gonna write a script. My mistake to “upgrade,” I guess.

1 Like

As of the 2025.2 betas, the only time you’ll be required to use encryption is if you upload your backups to the Nabu Casa Cloud.

1 Like

Did something change? Last I read, there were no guarantee of any improvements to the encrypted backup situation being ready by 2025.2.

Yes, a month has gone by and it’s now known which features were finished in time for the next release: 2025.2 Beta: Iterating on backups - Home Assistant

2 Likes

i understand that 2025.2 will address this problem. However, in the meantime, are manual UNENCRYPTED backups possible? When i press “Backup now” i’m getting " Set up backups" and then the encryption key window. Any way to bypass that? Or do i need to revert to 2024?
Thank you.

You have the option to install the beta today or wait until tomorrow when 2025.2.0 is released.

Backups done via command line are unencrypted.

These manual backups from CLI only get stored on local device in my testing. So if you need to store them on a network drive or wherever, you’ll need to copy them manually.

Also, the backups info command without argument doesn’t work anymore. If you need to see what backups you’ve made, you’ll need to examine the backups directory with command line or some other option, and manually enter backups info [slug] for each one, where slug is the name part of the filename. I’ve filed a bug report on this, since I think it’s a new regression probably unrelated to the encrypted backups issue.

You did add a network folder for backup storage ( CIFS, NFS) in Settings/System/Storage ?

It had been there before I restored a backup. I have a bunch of backups that were saved on my samba share. Maybe the encrypted change thing erased my backup location from the configuration.

Or maybe backup location isn’t saved in the backups. It’s been a long time since I’ve had to restore a backup, so I’m not sure . . .

First as we all know the HA development team does great work! That’s why we’re all here sharing our passion for the product and it’s feature sets. I’m gland to hear the HA team has jumped right on this and are removing default encryption for backups.

I think this capability and associated conversation is a good security teaching opportunity. I haven’t done cyber security in a few years now, but I believe they still use the equation:

Risk = Threat x Vulnerability 

to help determine asset Risk.

For users that keep their data at home the vulnerability is relatively low. Some might think not encrypting the data makes it vulnerable, but the adversary needs a way to access the backup for it to be vulnerable. Some indicate you should be keeping a copy of your backup offsite. I think the value of the backup is that it keeps users from having to re-create their system from scratch if their HA controller goes south. As most could re-create their system if need be there is no need for an offsite backup, which would increase it’s vulnerability.

The threat is going to be driven by an adversary’s desire to have your backup. Hmm, as pointed out in this thread the backup doesn’t really contain much sensitive information. For me I have the password for my chargepoint charger account in HA so I can monitor my EV charger. While I don’t want this account information to be shared, at most I’d be out the $50 credit card limit I’m responsible for. I don’t use smart locks, because I don’t want to add to my threat posture. My remote access to HA is via VPN. This means my threat level is going to be really low for the backup. In reality the biggest threat is that my spouse is done with me spending time on HA. It possible that she might pull the plug and trash my HA controller. Lucky for me the backup is on a machine she is very unlikely to trash.

So low vulnerability and low threat means low risk. We would then do a risk assessment of all of our assets and would find out your HA backups are not very high on the security assessment list. Backup encryption is more of a bonus feature than a necessary. Security always means added work, so it’s not surprising that some HA users see no need for this bonus feature.