How does Home Assistant secure sensitive information?

Tags: #<Tag:0x00007f3259ba2ab0> #<Tag:0x00007f3259ba2998>

Dear Interwebs,

With a view to my Home Assistant going online directly rather than via Nabu Casa, I’m interested in understanding it better from a security point of view.

Questions then:

  1. Why is secrets.yaml any more secure that having the same password and other sensitive information in configuration.yaml? Other than that we are less likely to share secrets accidentally while diagnosing issues or otherwise sharing the latter. Nothing in the instructions makes secrets.yaml any less observable (different rights, folder location, …).
  2. Should such sensitive information not be encrypted, both at rest and in transit?
  3. How are configured secrets secured better/differently to yaml secrets?
  1. Like you said, being a separate file, it makes it less likely to accidentally share it with someone else (like when showing someone your configuration file).
  2. Yes, it should be encrypted.
  3. They’re not. Arguably, it’s less secure because it mixes secret and non-secret information.
  1. Because you hopefully won’t copy that secrets file to your public Git :wink:
  2. Because that requires you to decrypt/unlock it at startup - or it requires that HA has the ability to unlock/decrypt, which means that it’s effectively not encrypted/locked

Ultimately, this is about not accidentally exposing authentication details, or other things you don’t want to share. This isn’t about the security of Home Assistant. Security is more about how you secure the host.