Keys, Tokens, Passwords, and Security Codes

HA does a pretty good job of allowing you to mask your keys, codes, and passwords in the secret.yaml file with “!secret”, but I have noticed that there are some things it cannot be done on without issue. I will take the Plex.conf file, where the token must be entered. If you try to use “!secret” and put the token in the secret.yaml, it ignores the token altogether. In some add-ons it is the same way. I am a security auditor, so my first thought is to make sure your stuff is secure from prying eyes. Now, a feature request that would be nice is to have the ability to put all usernames, keys, codes, tokens, etc. in the secret.yaml file and encrypt that. If the secret.yaml could not be encrypted, at least it masks all the codes in HA and you have to keep it close to the vest then. Another idea would be to integrate LastPass into HA somehow. I have been using it for years and it works great for storing all your passwords. With the use of two-factor authentication it would make it more secure. Just throwing out some ideas here; I am by no means a coder, so it is beyond me, but I am very concerned about the security aspect of IoT devices within the home. Unfortunately cloud stuff is here to stay and I sometimes have to use it, but it would be nice to have everything local and use HA’s Cloud service to encrypt. I put this in Feature Requests for all those smarter folks out there who can code. Thanks, Greg

Secrets here don’t add anything to security and are more about sharing code conveniently with others, either in snippets or on GitHub, etc. With secrets you can share code without having to sanitize it. If you have a user that can see add-on configuration or configuration.yaml, they can also see your secrets file.


To add to cogneato’s answer: the plex.conf example can’t be compared. It’s a “proprietary” configuration file outside the scope of Home Assistant. It’s the component itself that handles that. And it doesn’t even use the YAML format, which is the scope in which the !secret stuff works.
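To make the point of the two replies above concrete, here is a small, added illustration (not Home Assistant’s actual loader, and not code from anyone in this thread). It re-implements the idea of a YAML-level `!secret` tag with a deliberately minimal flat `key: value` parser, using constructed sample contents for secrets.yaml, configuration.yaml and a plex.conf-style file. It shows three things: the tag is plain file substitution, so the resolved configuration holds the real values in clear text and anyone who can read secrets.yaml reads them; a misspelled reference fails loudly instead of silently sending an empty credential; and a non-YAML file never passes through the loader, so the literal text `!secret plex_token` is what the component gets. The file names and sample values are assumptions for the example.

```python
"""Simplified re-implementation of a YAML-level `!secret` tag (added example).

Not Home Assistant's loader: handles only flat `key: value` lines so it runs
with the standard library alone.
"""
from __future__ import annotations

# Constructed sample standing in for secrets.yaml (plain text on disk).
SECRETS_YAML = """\
# secrets.yaml
plex_token: abc123-EXAMPLE
mqtt_password: hunter2
"""

# Constructed sample configuration.yaml fragment using the !secret tag.
CONFIG_YAML = """\
mqtt_host: broker.local
mqtt_password: !secret mqtt_password
plex_token: !secret plex_token
"""

# Constructed sample of a non-YAML file (plex.conf style) the loader never sees.
PLEX_CONF = """\
[auth]
token = !secret plex_token
"""


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse `key: value` lines, skipping blanks and comments (not full YAML)."""
    result: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        key, _, value = line.partition(":")
        result[key.strip()] = value.strip()
    return result


def resolve_secrets(config: dict[str, str], secrets: dict[str, str]) -> dict[str, str]:
    """Replace each `!secret NAME` value with the matching secrets entry.

    A reference with no matching entry raises KeyError, so a typo fails at load
    time rather than silently producing an empty credential.
    """
    resolved: dict[str, str] = {}
    for key, value in config.items():
        if value.startswith("!secret"):
            name = value[len("!secret"):].strip()
            if not name:
                raise ValueError(f"{key}: '!secret' needs a name")
            if name not in secrets:
                raise KeyError(f"{key}: secret '{name}' not found in secrets.yaml")
            resolved[key] = secrets[name]
        else:
            resolved[key] = value
    return resolved


def load_config() -> dict[str, str]:
    """What a component receives: the resolved mapping, values in clear text."""
    return resolve_secrets(parse_flat_yaml(CONFIG_YAML), parse_flat_yaml(SECRETS_YAML))


def plex_conf_token() -> str:
    """The non-YAML file is read verbatim; nothing expands the tag for it."""
    for line in PLEX_CONF.splitlines():
        if line.startswith("token"):
            return line.partition("=")[2].strip()
    return ""


if __name__ == "__main__":
    print(load_config())       # real values, in memory and in any debug log
    print(plex_conf_token())   # literally "!secret plex_token"
```

The resolved dictionary is exactly as readable as secrets.yaml itself, which is why the tag only helps with sharing configuration, not with protecting it from someone who already has access to the host.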

@Cogneato, true, but if we could encrypt the secret.yaml in a way that HA could read it, then all the codes would be somewhat secure. There are so many items that require a username and password that having some form of built-in password encryptor or bank would be nice to have.

@danielperna84 sure, I understand that, but what about add-ons that expose your usernames and passwords? I am not talking about just proprietary items but all pieces and parts that interconnect with HA. Plex.conf was just one I was looking at when I was thinking of this. There are others that will not accept “!secret” to mask the information. Some of the add-ons will take it and some will not; there is no consistency, is what I am saying. I am just throwing this out as maybe a feature later, to have some form of full protection baked into HA. If, and I stress (IF), someone gained access to just your HA server, then they have the keys to the kingdom, so adding some form of protection for the code would be nice.

Add-ons are migrating to using single sign-on, which uses the Home Assistant user credentials. Secrets were supported in some of the community repo add-ons, but again, if someone is looking at your add-on config, they are already in your system.

HA users designated with a “user” role are prevented from seeing the configuration and the hassio configuration. The HA user accounts can also make use of multi-factor authentication to further secure access.

Ah, so they are moving to making the add-ons like that then? And true, that is why I said “IF” they get in, then they own you. I do use the multi-factor authentication on HA, which I love; a bit of a pain, but security through obscurity. I was leaning more towards an encrypted bank for the usernames and passwords that HA has to use to make things work, but implementing something like that may be ways away at this time due to complexity. If you have used LastPass before, it goes out and changes your passwords regularly if you want it to, making sure you stay secure. Now, that randomized passcode makes it more difficult, but not impossible, to break into your accounts. If I want into your stuff, I will get into your stuff, period. Again, just spitballing a suggestion here for the future. I am always looking at the security of devices and ways to prevent disclosure of the keys. Thanks for the great conversation on all this…

After giving this another thought, I remembered this: keyring
The keyring pretty much does the same as LastPass in terms of storing credentials securely. The downside though is the warning at the bottom of the page: Home Assistant won’t be able to start up automatically because it needs a key to access the keychain. The same would be valid for LastPass.

So essentially this would be comparable to an HTTP server that uses SSL/TLS certificates where the key is only provided in its encrypted form. In those setups the password to decrypt the key needs to be provided during service startup.
Of course this would be very secure. But I doubt adoption would be broad, since users usually just want to restart / reboot their system without fearing it won’t come back online again.

Hmm, sounds interesting; maybe use some type of YubiKey or USB decrypter on the HA unit. Yes, true, I do restart my HA from time to time for major changes. Oh well, just a thought… thanks

That’s actually a good idea as a concept. Am I correct that such USB devices always require a button to be pressed? That wouldn’t be helpful, because physical access would still be required.
But the idea that popped up in my head when you mentioned it: when I log in to Google, my phone shows a popup to verify access. 2FA, essentially. Maybe there’s a way to utilize this type of remote 2FA to grant access to keychains. :thinking:

Yeah, there are some ideas forming here!! :thinking: