Curious do we need both API Password and Encryption? I just enabled both of them and i noticed that HA asks, for obvious reasons, for both password and encryption key which led me to rethink that maybe I don’t need both. Can anyone confirm?
Depends on your paranoia level.
the encryption may help prevent the password being intercepted in-transit.
Yea to me it feels they fulfill the same purpose given they are entered in the beginning each time.
Feels like I’d prefer to have the encryption only rather than both.
The purpose of the password (an authenticator of identity) is to ensure that it’s really you sending the update.
Encryption prevents eavesdropping on data in transit (including the password) - it’s not usually tasked with serving as an authenticator also, except perhaps in ssh.
The encryption in this case may be an authenticator if it’s a pre-shared key that (in theory) only you hold. I don’t know if it does, but it’s not usually so.
And, if the encryption key is unilateral (client supplies it per-session), then without a password you’re vulnerable to someone else uploading to the device (e.g. using their own encryption key).
Disclaimer: I don’t use either one - I just trust that there’s no one else on this LAN to launch an attack on the sensors.