I was reading a post about a security issue on another home automation platform and was going to provide a few links in the thread as people often read these threads and look for advice on how to ensure they are secure. I found my own past post on the issue lacking and the HA docs somewhat lacking or the information was really dispersed. This is my attempt to put a guide together and collect the information in one location.
Note: I am far from a security expert and I have no formal training in this area. The information in this guide is what I have gathered from my own use of Home Assistant and my research to secure it and other web services on my network. I am expecting the community to correct me where I am wrong or where the guide could be improved and will do my best to keep it up to date.
This guide will focus on securing a Home Assistant (HA) installation exposed to the greater internet. There are a number of ways to accomplish this but they all expose your HA front end/User Interface (UI) to anyone with an internet connection.
This guide will cover the core of HA and access to the HA Frontend/User Interface. There are other areas to be considered but I have a feeling this guide is going to be big enough as is without going into securing other services that can be exposed via HA.
I don’t intend this to be a how-to guide on every item discussed, for the most part there are really good guides developed on most of these topics by the community. I will link to them where I am aware of them and encourage you to share a link for a guide you find useful.
This guide will also primarily focus on providing remote access via what I believe are the most commonly used methods Nabu Casa’s Remote UI, and opening/forwarding a port and utilizing duckDNS and Let’s Encrypt. I know there are a ton of other options, including alternate DNS providers, utilizing a reverse proxy and using CloudFlare. I just don’t have experience with those personally to provide the input. I would love if someone could add that content and I will link to it in the directory below.
- Why Do I Need To Secure My Home Assistant Instance?
- Securing Your Home Assistant Instance (Basics)
- Securing Your Home Assistant Instance (Remote Access)
- Security Checkups (Test your security and test it often)
- Securing Your Network (Later)
- Useful Links
No single item in this guide will secure your instance. Security requires layers of security tools and methodologies to prevent a security breach. The Swiss Cheese Model is a good example. Every layer of security can have a hole (vulnerability) but when stacked and utilized together most issues are stopped and hopefully their are still layers of prevention left. As an example, if you encrypt your traffic, try to hide your instance from searches and always install the latest security patches on your systems but don’t set a password for your HA instance, all the other layers put in place are negated as the instant someone locates your instance they are let right in. Thanks Finity