Secrets.yaml security

Why should we use a secrets.yaml?
It’s plain text, no secret at all.
HA even had a command:
hass --script check_config --secrets
to print them out easily.
Would you put your secret bank account code in it?

Easy organisation of passwords etc., that’s all.

Storing secrets - Home Assistant (home-assistant.io)

Also it prevents users from posting their configs accidentally containing credentials…

That is exactly it.

I think the OP is thinking: what is the difference between these two options:
1: Store my credentials in plain text in my configuration.yaml file
2: Store my credentials in plain text in another file located in the same folder as my configuration.yaml file

And the answer is that, if you don’t do anything else, the security between both options is no different. However, if you decide to share your configuration file with others, option #2 is obviously superior.

But if you are concerned with someone hacking into wherever you have your Home Assistant files, you are equally screwed either way.

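An added example, not written by anyone in this thread and not Home Assistant's own code: a check to run on a configuration file before sharing it, flagging credential-looking keys whose value is written inline rather than as a `!secret` reference. The key-name list, the function name `find_inline_credentials` and the sample config are assumptions constructed for illustration.

```python
import re

# Assumption: key-name fragments that usually mark a credential; extend as needed.
SENSITIVE = re.compile(r"password|passwd|token|api_key|secret", re.IGNORECASE)
# "key: value" with optional indentation, list dash, and leading '#':
# commented-out credentials still leak when the file is posted.
KEY_VALUE = re.compile(r"^\s*(#)?\s*(?:-\s*)?([A-Za-z0-9_]+)\s*:\s*(.*)$")


def find_inline_credentials(config_text):
    """Return (line_number, key, commented_out) for credential-like keys
    whose value is written inline instead of as a !secret reference."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = KEY_VALUE.match(line)
        if not match:
            continue
        commented, key, value = match.group(1), match.group(2), match.group(3).strip()
        if not SENSITIVE.search(key):
            continue
        if not value or value.startswith("#"):
            continue  # parent mapping or empty value, nothing to leak
        if value.split()[0] == "!secret":
            continue  # resolved from secrets.yaml at load time
        findings.append((number, key, commented is not None))
    return findings


# Constructed sample configuration (not taken from the thread).
SAMPLE = """\
mqtt:
  broker: 192.0.2.10
  username: ha
  password: !secret mqtt_password
notify:
  - platform: example
    api_key: "constructed-inline-value"
    # token: constructed-old-value
secret_holder:
  nested: true
"""

if __name__ == "__main__":
    for number, key, commented in find_inline_credentials(SAMPLE):
        note = " (commented out)" if commented else ""
        print(f"line {number}: '{key}'{note} is inline; move it to secrets.yaml")
```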

If you are using Podman (or Docker — haven’t tried it, but as I understand it, basically the same) you can use the secrets functionality. This doesn’t give you meaningfully greater protection if the entire machine is pwned (they’re obfuscated, but necessarily reversibly!), but makes it easy to keep a secrets.yaml file out of your regular config storage volume (or path on disk), so it’s separate for backups, etc.

You can also use a simple include, no?

Sure, but secrets are a nice, standard way to do it.