Secrets file, where to store it?

Josep · December 27, 2019, 12:54pm

If secrets.yaml file is stored in config folder, it will be open with configurator, so, it have no sense… store it in a folder where configurator can´t access is the right way to do it? In this case…it will be accesible by hassio? Anyway, secrets must be accesible by samba or ssh, to be edited… I am not sure if I understood the use of !secrets…

flamingm0e · December 27, 2019, 1:04pm

So how do you plan on EDITING the file if you don’t have access to it in your EDITOR?

I don’t see why.

You haven’t.

By using !secret you can remove any private information from your configuration files. This separation can also help you to keep easier track of your passwords and API keys, as they are all stored at one place and no longer spread across the configuration.yaml file or even multiple yaml files if you split up your configuration.

sophof · December 27, 2019, 1:30pm

I’m not sure, but I think you have the misconception that access rights are directory based. Each file can have its own access rights. So besides the convenience and sharing aspects, the secrets file also has a safety aspect, since you can make it readable to just the owner (and root) of the file.

You’re protecting your passwords from being visible to other users, not from people logged in on the same account (that would be impossible).

Tediore · December 27, 2019, 2:53pm

Along with what the others have said, one use case for secrets is sharing your configuration with others without exposing your sensitive info.

Mutt · December 27, 2019, 3:21pm

If you are concerned about people reading your secrets through configuration, delete configuration.
If they have an admin account they could reinstall configuration and read your secrets but what secrets do you have that you put in there (not your bank account info) that you actually care about other members of your household reading ?
I’m intregued where this is going.

“No i don’t want you to see my Dark Sky api key !” - who cares ?

Josep · December 27, 2019, 4:59pm

I have no secrets to hide to my household members…(well, the gift to my wife or son in their next birthday, maybe… but I promise not to write that on configuration.yaml) :-)…. no, so, the idea behind secrets is just not to expose your sensitive data when you share your configuration.yaml code with others. Ok, this is was my mistake, I think it was to protect those pass for non authorized hassio logins over internet… I know brute force this is unlikely, but well, all protection isn’t enought. Again, THANKS for the answers

flamingm0e · December 27, 2019, 5:19pm

That’s ONE reason.

The other reason being you have one single location to store data like that, should it change, you don’t have to hunt down every file you have used the password. Change it in one place and it changes across the board.