How to use keyring in Home Assistant? (Hassos)

Hi!
I want to use a keyring for home assistant before exposing my server to the internet.
Call me a fool, but the idea of someone somehow breaking into my box and finding all my passwords in clear doesn’t make me particularly happy.

I installed home assistant on Raspberry downloading the image from the “Install Home Assistant” instructions.

I followed the instructions for enabling terminal access both on port 22 (the docker on which home assistant runs, as I understand) and 2222 (the host os, which I understand should be Hassos).

I am following the instructions for keyring, but the step 0 is to run a command called “hass” which is absolutely nowhere.

Since I have root access on the host, I should be able to work this out somehow, install what’s needed, etc… but I cannot find instructions anywhere.

Please, try to make a step by step guide that can become a runbook for future newbies too!

Thanks!

So first thing I learnt:
when logging in to port 22222, go with the following to have access to the hass command:

login
docker exec -it $(docker ps -f name=homeassistant -q) bash
hass --script keyring --help

now… this works in the sense that it displays the help, and by using the “set”/“get” option

hass --script keyring set one_secret_idliketohide 
hass --script keyring get one_secret_idliketohide

it does prompt with appropriate requests, and it shows that it’s memorizing the information, but I can’t get the Configuration validation to succeed now, unless I have ‘one_secret_idliketohide’ in clear text in secrets.yaml, which means it doesn’t look like the keyring is being used at all

one roadblock down, many to go!

next I found that:

docker ps 

returns a list of docker containers, and in this case there are both homeassistant and hassio_supervisor , as well as many others.

it looks like

hass --script keyring --help

works only under the homeassistant container, not sure if this has anything to do with the problem I am experiencing, it seems strange as when I stop home assistant and the frontend goes down, this container is removed, so it is the container responsible for home assistant (as the name suggests).

also I discovered that the keyring that gets created, stores the encrypted information in:

~/.local/share/python_keyring/crypted_pass.cfg

however when I issue

hass --script check_config --secrets

it returns an empty list with no secrets, because it checks in the following directory instead:

/root/.homeassistant

next I found that using

hass --script check_config --secrets -c /config/

I can force it to use the directory I want, this in fact returns a list with what I have in my secrets.yaml.

apparently this has to do with checking the configuration of another user instead of the correct one
(ref: Check_config looks for configuration file in wrong place?)

unfortunately the next step that I thought was obvious at this point:

hass -c /config --script keyring set oneother_secret_idliketohide 

doesn’t work either (it ignores the -c /config and stores oneother_secret_idliketohide in the usual file)…

one last piece of info for today…
editing the file

/root/.homeassistant/configuration.yaml

to add a reference to !secret one_secret_idliketohide (that is not stored in secrets.yaml in that folder) causes the command

hass --script check_config --secrets

to find the secrets in the keyring.

so now I think it could be a matter of finding where the location of my file is referenced and why it works in /root/.homeassistant but not in /config

giving up for now, hope someone would want to chip in :)

so there is a discord channel with a community that helped a little here, so I am posting the results here, according to what I learned there, for future reference…

What I am after

it’s not supported in any Docker based install

You’re running an appliance like experience

And, what you’re after would require significant changes, including the ability to interact with the startup in the container to enter the passphrase

#homeassistant_core is likely the only option

where by #homeassistant he meant Installation - Home Assistant

The other thing worth noting, that I learnt in the process, is that even if I were able to enable the keyring, I’d still need to type the authentication for the keyring at every startup, which kind of makes home assistant a bit less dependable (e.g. in the event of a power outage, after an update, or any reboot).

Hope this will help other newbies out there. I have to say this is a bit of a bummer, I am really NOT happy leaving my passwords in a clear text file, in the same way I wouldn’t be happy leaving them on my laptop…

1 Like

Thanks for this detailed post. This post meant I did not waste my time trying to implement keyring in HA Supervised instance. Like you, I would prefer to remove clear text passwords from my HA instance. If you find a solution, please let me know!

1 Like
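An added example, not part of the original posts and not Home Assistant's own code: a small audit that lists which `!secret` names referenced in a config directory are stored in clear in that directory's `secrets.yaml`, and which are not in the file and would therefore have to come from another store such as the keyring, matching what the thread observed with `check_config --secrets`. The function names, the flat `name: value` layout of `secrets.yaml`, and the sample files are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# `!secret name` as written in configuration.yaml.
SECRET_REF = re.compile(r"!secret\s+([A-Za-z0-9_]+)")
# Assumption: secrets.yaml is a flat "name: value" mapping, one entry per line.
SECRET_DEF = re.compile(r"^([A-Za-z0-9_]+)\s*:")


def audit_secrets(config_dir):
    """Return (in_clear, not_in_file): names referenced by the *.yaml files in
    config_dir that are / are not defined in config_dir/secrets.yaml."""
    config_dir = Path(config_dir)
    secrets_file = config_dir / "secrets.yaml"
    defined = set()
    if secrets_file.is_file():
        for line in secrets_file.read_text(encoding="utf-8").splitlines():
            match = SECRET_DEF.match(line)  # comment lines start with '#', so no match
            if match:
                defined.add(match.group(1))
    referenced = set()
    for path in sorted(config_dir.glob("*.yaml")):
        if path.name == "secrets.yaml":
            continue
        for line in path.read_text(encoding="utf-8").splitlines():
            code = line.split("#", 1)[0]  # naive comment strip: ignores '#' in quotes
            referenced.update(SECRET_REF.findall(code))
    return sorted(referenced & defined), sorted(referenced - defined)


def demo():
    """Run the audit on a constructed config directory (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp)
        (cfg / "configuration.yaml").write_text(
            "example_a:\n  password: !secret sample_password\n"
            "example_b:\n  api_key: !secret one_secret_idliketohide\n"
            "# old: !secret unused_secret\n",
            encoding="utf-8",
        )
        (cfg / "secrets.yaml").write_text("sample_password: hunter2\n", encoding="utf-8")
        return audit_secrets(cfg)


if __name__ == "__main__":
    in_clear, not_in_file = demo()
    print("stored in clear in secrets.yaml:", in_clear)
    print("not in secrets.yaml (needs another store):", not_in_file)
```

Inside the container it would be pointed at the directory actually in use, for example `audit_secrets("/config")`.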