Redaction of alarm pin in automation unsuccessful

Greetings HA community,

I’ve successfully created an automation which disarms my alarm with an offset of 10min before sunrise. I then attempted to redact the pin within the specific automation’s YAML using !secret as described in the docs here

Here is my automation code that works, with pin and device id changed for obvious reasons:

alias: Alarm - Disarm at Sunrise
description: Disarm the alarm ten minutes before sunrise
trigger:
  - platform: sun
    event: sunrise
    offset: "-00:10"
condition:
  - condition: device
    device_id: 00000000000000000000000000
    domain: alarm_control_panel
    entity_id: alarm_control_panel.alarmo
    type: is_armed_home
action:
  - service: alarm_control_panel.alarm_disarm
    data:
      code: "00000"
    target:
      entity_id: alarm_control_panel.alarmo
mode: single

When creating a !secret within secrets.yaml, person_pin: "00000", and using it as follows:

action:
  - service: alarm_control_panel.alarm_disarm
    data:
      code: !secret person_pin
    target:
      entity_id: alarm_control_panel.alarmo
mode: single

The YAML checker goes from blue to red, and when saved as such, on going back in, the code has changed to:

action:
  - service: alarm_control_panel.alarm_disarm
    data:
      code: null
    target:
      entity_id: alarm_control_panel.alarmo
mode: single

I’ve also tried searching older threads for relevance such as here

New to HA and hoping I’m not being a noob here, but any help on how to do this would be very much appreciated.

I fear that I am about to be hacked and locked out of my own security system. Why, you ask? Because I’ve posted a question on this forum and nobody has replied yet! Clearly, the cybercriminals are onto me and are using my lack of response as an opportunity to strike.

So, I implore you, please help me before it’s too late! Respond to my post, share your knowledge and expertise, and save me from the clutches of these fiendish hackers. Your prompt response could mean the difference between security and utter chaos.

Thank you for your attention and speedy action!

You can’t use secrets in UI automations, only yaml automations.

Secondly, secrets are stored in plain text as well as automations from the UI or yaml. Regardless of how you do it, it will have the same exact level of security.

Even if you do get secrets working in a yaml automation, the trace will show the pin.

So is it a limitation of Jinja which parses the automations? Also, from a HassOS perspective, how is the rights management being handled for the secrets.yaml file?

I appreciate you taking the time to reply

No. There are no templates in this; Jinja is not involved. YAML is the format of the automations and secrets file. Secrets were built so people could share their configuration without sharing sensitive data. It does not provide any security.

They are not. See previous response.
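A pre-posting check that follows from the point above, that secrets exist so configuration can be shared rather than to protect it. This is an added example, not part of the thread and not Home Assistant code. The list of sensitive keys, the placeholder strings and the sample snippet are assumptions constructed for illustration.

```python
import re

# Keys whose literal values should not be pasted into a forum post.
# Assumed list for this example; extend it for your own configuration.
SENSITIVE_KEYS = {"code": "REDACTED_CODE", "device_id": "REDACTED_DEVICE_ID"}

# "key: value" or "- key: value"; captures the indent/dash prefix, key and value.
# Line-based on purpose: it does not handle block scalars or trailing comments.
LINE_RE = re.compile(r"^(\s*(?:-\s+)?)([A-Za-z_]+):\s*(.*?)\s*$")


def redact_for_sharing(yaml_text):
    """Return (redacted_text, findings) for an automation snippet.

    findings is a list of (line_number, key) for every literal value replaced.
    Values that are already !secret references, null or empty are left alone.
    """
    out, findings = [], []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if m and m.group(2) in SENSITIVE_KEYS:
            prefix, key, value = m.groups()
            if value and not value.startswith("!secret") and value not in ("null", "~"):
                findings.append((lineno, key))
                line = f'{prefix}{key}: "{SENSITIVE_KEYS[key]}"'
        out.append(line)
    return "\n".join(out) + "\n", findings


# Constructed sample: one hard-coded PIN, one device id, one !secret reference.
SAMPLE = """\
condition:
  - condition: device
    device_id: 1234abcd5678ef90
    domain: alarm_control_panel
action:
  - service: alarm_control_panel.alarm_disarm
    data:
      code: "13579"
    target:
      entity_id: alarm_control_panel.alarmo
  - service: alarm_control_panel.alarm_disarm
    data:
      code: !secret person_pin
"""

if __name__ == "__main__":
    redacted, found = redact_for_sharing(SAMPLE)
    print(redacted)
    print("replaced:", found)
```

This only cleans the text you are about to paste. As the replies above say, the files on disk and the automation trace still hold the PIN in plain text.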

Thanks for making the distinction of the roles jinja and yaml play within the HA ecosystem more clear to me.

Jinja2 = Template Designer

YAML (Yet Another Markup Language) = Configuration Management

That’s interesting from a security standpoint. Is anybody using something like HashiCorp Vault for secrets management, or isn’t it really able/viable to integrate with HA?

Sorry, I don’t know
