Encrypting secrets.yaml

I have a (probably unrealistic) fear that someone could easily walk off with my Raspberry Pi running Home Assistant, or at least the SD card. I have a lot of plain-text passwords in my HA configuration - the password to my router, for instance. I have placed these in a secrets.yaml file, but they’re readily accessible to anyone with access to the SD card. I’m running supervised Home Assistant on a Raspberry Pi 4.

I’ve spent a few days trying to figure out how to encrypt secrets.yaml. I settled on this scheme:

  1. Stop HA.
  2. Create an encrypted container file using cryptsetup.
  3. Decrypt and mount the container. Place my secrets.yaml file in it. Keep the native secrets.yaml file in place, but remove all content.
  4. Disable docker.service, hassio-homeassistant.service, and hassio-supervisor.service so they don’t run on startup.
  5. Reboot the computer.
  6. Decrypt and mount the container.
  7. Bind-mount the secrets.yaml file in the encrypted container on top of the native secrets.yaml file. Start the disabled services mentioned in (4).

This has the benefit of not having to encrypt the entire file system; I’m concerned about the overhead whole-disk encryption would create for the Raspberry Pi (i.e. having to encrypt/decrypt everything it writes/reads). There are probably other HA files that have sensitive information; these could easily be included in the above scheme.

This does require accessing the Pi (could be ssh) every time it reboots, but this is an infrequent event. I was able to find a way to avoid this, but it’s more complicated: it involves starting up a minimal HA installation on reboot, allowing the user the opportunity to enter the decryption password via the HA front-end, and sending the password to the host system to run the decryption script and restart HA with the full installation.

Happy to provide more details if anyone finds this interesting.

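The seven steps above, as an added shell script; this is not the poster's script, and the container path, mapper name, mount point, container size, the Home Assistant config directory (`/usr/share/hassio/homeassistant` is assumed to be the supervised install's default) and the order the three services are started in are all assumptions to adjust for your install. It adds two checks the post does not mention: it refuses to bind-mount over a native secrets.yaml that has regained content (the mount would only hide plaintext that is back on the SD card), and it confirms the bind mount is actually in place before starting the services, so HA is never started against the empty placeholder.

```shell
#!/bin/sh
# Added example, not the original poster's script: encrypted secrets.yaml
# for Home Assistant Supervised, following steps 1-7 of the post above.
# Assumptions: the container path, mapper name, mount point, HA config
# directory and container size below; adjust them to your install.
set -eu

CONTAINER=/root/hasecrets.img                        # assumed LUKS container file
MAPPER=hasecrets                                     # assumed dm-crypt mapper name
MNT=/mnt/hasecrets                                   # assumed mount point
NATIVE=/usr/share/hassio/homeassistant/secrets.yaml  # assumed HA config path
HA_SERVICES="docker.service hassio-supervisor.service hassio-homeassistant.service"

# Refuse to bind-mount over a native secrets.yaml that has content again:
# that would mean secrets were written back to the SD card in plaintext
# (an editor, a restore, a stray copy) and the mount would only hide them.
placeholder_is_empty() {
    [ -f "$1" ] && [ ! -s "$1" ]
}

# Confirm the bind mount exists by reading a mount table in /proc/mounts
# format from stdin (field 2 is the mount point), so HA is never started
# against the empty placeholder.
secrets_bind_mounted() {
    awk -v t="$1" '$2 == t { found = 1 } END { exit !found }'
}

# Steps 1-3, run once with HA stopped: create and format the container,
# copy secrets.yaml into it, leave the native file in place but empty.
setup_container() {
    size_mb=${1:-16}
    dd if=/dev/zero of="$CONTAINER" bs=1M count="$size_mb" status=none
    chmod 600 "$CONTAINER"
    cryptsetup luksFormat --type luks2 "$CONTAINER"   # prompts for the passphrase
    cryptsetup open "$CONTAINER" "$MAPPER"
    mkfs.ext4 -q "/dev/mapper/$MAPPER"
    mkdir -p "$MNT"
    mount "/dev/mapper/$MAPPER" "$MNT"
    cp "$NATIVE" "$MNT/secrets.yaml"
    chmod 600 "$MNT/secrets.yaml"
    : > "$NATIVE"   # caveat: truncating does not scrub the old blocks from the SD card
    umount "$MNT"
    cryptsetup close "$MAPPER"
}

# Step 4: keep the services from starting at boot with an empty secrets.yaml.
disable_autostart() {
    systemctl disable $HA_SERVICES
}

# Steps 6-7, after every reboot (e.g. over ssh): unlock, mount, bind-mount,
# verify, then start the services (docker first, then the supervisor).
unlock_and_start() {
    cryptsetup open "$CONTAINER" "$MAPPER"
    mkdir -p "$MNT"
    mount "/dev/mapper/$MAPPER" "$MNT"
    if ! placeholder_is_empty "$NATIVE"; then
        echo "refusing to mount over non-empty $NATIVE" >&2
        return 1
    fi
    mount --bind "$MNT/secrets.yaml" "$NATIVE"
    if ! secrets_bind_mounted "$NATIVE" < /proc/mounts; then
        echo "bind mount of $NATIVE not present" >&2
        return 1
    fi
    systemctl start $HA_SERVICES
}

# Reverse of unlock_and_start: stop HA and lock the container again.
lock_container() {
    systemctl stop hassio-homeassistant.service hassio-supervisor.service docker.service
    umount "$NATIVE"
    umount "$MNT"
    cryptsetup close "$MAPPER"
}

case "${1:-}" in
    setup)   setup_container "${2:-16}" ;;
    disable) disable_autostart ;;
    unlock)  unlock_and_start ;;
    lock)    lock_container ;;
    *)       echo "usage: $0 setup [size_mb]|disable|unlock|lock" >&2 ;;
esac
```

Run `setup` once with HA stopped (step 1), `disable` for step 4, and `unlock` as root after each reboot; any other sensitive files can be moved into the same container and bind-mounted the same way. Note the caveat in `setup_container`: emptying the native file does not wipe the blocks it occupied on flash, so the original plaintext can still be recoverable from the card until those blocks are reused.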

If someone has physical access to your pi you have bigger problems.


Well, I do have guests, I do have a cleaning person, there are occasionally people who come in to work in my house, I could conceivably change the SD card and lose track of the old one, someone could break into my house.

One could say the same thing about a PC, and yet it’s probably a good idea to encrypt that. I realize this isn’t the biggest of deals, but it’s an interesting and fairly easy project (from my point of view).

Nice solution, although I wouldn’t want a system that needs some manual steps for it to become alive after a reboot.

That being said, I’d really love a native vault integration. That way the secrets could live on a different host, so only the (revocable) token to access the secrets would be lost in case the HA machine got stolen.


A reboot is (for me) a rare event. Also, I have a healthchecks.io integration that informs me when Home Assistant is down, so I can log in and get it on its way. As I mentioned, I ultimately implemented a more-complicated setup that doesn’t require ssh and just lets me do this through a minimal Home Assistant installation that ultimately boots the main one once the secrets.yaml file is decrypted.

Another solution would be to mount the Pi in a locked NEMA box.

Encrypting is good, but I have had a similar situation for one of my installs, and physical security was best:

Locked mounting box or closet
Open/close sensor on the box or door
Camera taking snapshots or recording upon open/close, with the image sent in an email notification (useless to keep on a stolen device; the email can be sent to admins or security, or just reviewed when the need arises)