Securely Storing Sensitive Information in GitHub

I got tired of manually updating sensitive files between different instances of HASS and thought I could use one of Ansible’s features to allow me to keep my credentials current and versioned alongside the rest of my configuration in GitHub.

Files containing credentials used in Home Assistant can be securely versioned in GitHub alongside the rest of your configuration files through the use of a pre-commit hook script. The script utilizes Ansible-Vault to add a current encrypted version of sensitive files to every commit to ensure all configuration files are versioned. Ansible must be installed on the system running Home Assistant and is available via pip.

The script will add encrypted versions of the following sensitive files to each commit you make. Instructions are in the script’s header to add additional files.

  • secrets.yaml
  • phue.conf
  • ecobee.conf

Once Ansible is installed, perform the following steps to safely store credentials alongside the rest of your configuration files.

  1. Add the following entries to your .gitignore file

    • secrets.yaml
    • phue.conf
    • ecobee.conf
    • .vaultCredential
  2. Copy the file pre-commit.sh to the root directory of your configuration repository and set it as executable.

  3. Create the file .vaultCredential in the root directory of your configuration repository. There should only be one line in the file containing the password used to encrypt your sensitive files. Make sure to apply appropriate permissions to this file (0600 or stricter).

  4. Enable the pre-commit git hook with the following command from the root of your configuration directory:

    • ln -s ../../pre-commit.sh .git/hooks/pre-commit

Your configuration repo will now contain an updated version of all credential files each time you make a commit.

1 Like
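As an added illustration that is not part of the original post and is not the pre-commit.sh it refers to, here is a minimal hook of the kind described in the steps above. It checks steps 1 and 3 before encrypting anything; the function names and the `<name>.vault` output naming are assumptions made for this sketch.

```shell
#!/bin/sh
# Added sketch of a pre-commit hook; NOT the pre-commit.sh from the post.
# Assumption: ciphertext is written next to each original as <name>.vault.
SENSITIVE_FILES="secrets.yaml phue.conf ecobee.conf"
VAULT_PASS_FILE=".vaultCredential"

# Fail closed unless the repository in directory $1 is set up as in steps 1 and 3.
preflight() {
    repo=$1
    [ -f "$repo/.gitignore" ] || { echo "missing .gitignore" >&2; return 1; }
    for f in $SENSITIVE_FILES "$VAULT_PASS_FILE"; do
        # -x whole line, -F literal: expects the entries exactly as listed in step 1
        grep -qxF "$f" "$repo/.gitignore" ||
            { echo "$f is not listed in .gitignore" >&2; return 1; }
    done
    cred="$repo/$VAULT_PASS_FILE"
    [ -f "$cred" ] || { echo "missing $VAULT_PASS_FILE" >&2; return 1; }
    # Columns 5-10 of the ls mode string are the group/other bits; 0600 or stricter clears them all
    [ "$(ls -ld "$cred" | cut -c5-10)" = "------" ] ||
        { echo "$VAULT_PASS_FILE is accessible to group or other" >&2; return 1; }
    # The password file must hold exactly one line
    [ "$(grep -c '' "$cred")" -eq 1 ] ||
        { echo "$VAULT_PASS_FILE must contain exactly one line" >&2; return 1; }
}

# Encrypt every sensitive file that exists and stage only the ciphertext.
encrypt_and_stage() {
    for f in $SENSITIVE_FILES; do
        [ -f "$f" ] || continue
        ansible-vault encrypt --vault-password-file "$VAULT_PASS_FILE" \
            --output "$f.vault" "$f" || return 1
        git add "$f.vault" || return 1
    done
}

# Run only when git invokes this file as the hook (git starts hooks in the work tree root).
case "${0##*/}" in
    pre-commit*) preflight . && encrypt_and_stage || exit 1 ;;
esac
```

A non-zero exit from the hook aborts the commit, so a missing .gitignore entry or a readable password file stops the commit before anything is staged.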

That’s pretty cool, but just to note that people using Travis for config integrity checks will still need an additional sanitised secrets file.