Automatically sync secrets from 1Password vaults to Home Assistant’s secrets.yaml file. Features a modern web interface, secure masked storage, and real-time sync monitoring.
The 1Password Secrets Storage app seamlessly integrates 1Password with Home Assistant, enabling automatic synchronization of your secrets from 1Password vaults directly into your Home Assistant secrets.yaml file. Say goodbye to manually managing sensitive credentials and embrace secure, automated secret management!
This app provides a modern web interface accessible through Home Assistant, allowing you to:
Automatically sync secrets from 1Password to Home Assistant
Organize secrets into groups for easy management
Monitor 1Password service account rate limits
Track secret assignments and sync status
Selectively sync only the secrets you need
Features
Key Features:
- Automatic Secret Synchronization: Sync secrets from your 1Password vaults to Home Assistant’s
secrets.yamlon a configurable schedule - Service Account Integration: Uses 1Password service accounts for secure, automated access
- Web-Based Management UI: Modern, intuitive interface
- Rate Limit Monitoring: Track your 1Password API usage to stay within daily limits
- Group Management: Organize secrets into groups for better organization and event notifications
- Real-Time Event System: Receives Home Assistant events when secrets are synced or updated
- Multi-Vault Support: Access secrets from multiple 1Password vaults
- Selective Sync: Choose which secrets to sync and skip unnecessary ones
- Configuration Scanning: Automatically detects
!secretreferences in your Home Assistant configuration - Multi-Language Support: Available in English (GB, US), German, Dutch, Polish, and Ukrainian (so far)
How It Works
Secure Secret Storage
The app uses a secure, privacy-focused approach to handling your 1Password secrets:
- Masked Storage: The SQLite database stores 1Password secrets as masked values only, showing just the first and last few characters (e.g.,
ab••••••xy). Full secret values (with “CONCEAL” type) are never stored in the database raw. - On-Demand Fetching: When 1Password items are detected as changed during sync, the app:
- Fetches the actual secret values directly from 1Password
- Writes them immediately to Home Assistant’s
secrets.yaml - Continues storing only masked values in the database
- Sync Process:
1Password → [Masked DB Storage] → Detect Changes → Fetch Full Value → secrets.yaml
This approach ensures that even if someone gains access to the app’s database, they won’t have access to your actual secret values - only masked representations for tracking and assignment purposes. The app is as secure as your secrets.yaml.
Feel free to check the entire README here
