!secrets encryption

Yes, this is my second post on HA security but to my mind this is the only thing worth talking about at the moment.

Isn’t it about time that the !secrets file was encrypted in some way? Don’t ask me how, I don’t know and if you tell me it is not possible then I will have to accept that but having all these, err, secrets in plain text seems to me to be asking for trouble and in fact breaks the very first kindergarten rule of online security.


Already discussed here

What are you doing posting your secrets file online?

He didn’t say that, he said that plain text passwords are a big nono whenever it comes to computer security of any kind.

Even if you omit the secrets file from your github, the passwords are still available in plain text for anyone with local access.

In the good old days we learned how to read in kindergarden. Check the docs and just like in almost all books the exciting part is at the end…

If someone has local access, you have a physical security issue you should address :stuck_out_tongue:


Correct! :joy:

I mean, you could always run secrets.yaml through a ROT26 cipher.

There are three options:

  1. Use a keyring (as explained in the docs. No need for plain text passwords.
  2. Use plain text passwords in a text file - it’s very obvious that you should protect this
  3. Encrypt the passwords and allow Home Assistant to automatically decrypt them. How to decrypt them is going to be hard coded into Home Assistant and so about as effective as ROT13 - but people will think it’s secure, and so not protect them.

Home Assistant gives you the choice of either of the first two.

Not only has this been well discussed here, but it’s been discussed in depth on many mailing lists for many other products over the last couple of decades (and more). The options Home Assistant provides are the only responsible options.

For the sake of simplicity I’m going to close this thread - if you want to continue the discussion please use the one from last year.