Security concerns accessing remotely

Good day!

So far I’ve managed to get Home Assistant OS set up on VirtualBox, with several sensors and automations going. The documentation on everything is wonderful, and I just wanted to say thank you to the community as a whole for all the work everyone has done!

I’m thinking about setting up external access so my presence detection works, and so I can access HA when away from home. I do have some security concerns though. I found this video about port forwarding, and securing with SSL using DuckDNS with Let’s Encrypt.
My question is, is this sufficient security?

I also saw this page about configuring “secrets” for the plaintext configuration.yaml file, but my file does not appear to contain any passwords in it, and in fact contains very little data with no sensitive information.

Is this step about configuring secrets required if SSL / Let’s Encrypt are being used?

I would strongly suggest using Nabu Casa, especially if you’re not super-confident in what you’re doing when it comes to exposing ports, etc. It’s as simple a setup process as could be and very inexpensive, plus you’re then directly supporting the development of HA.

This doesn’t really provide any security. It just results in encrypted traffic between your client device and Home Assistant. The only security benefit would be if you accessed Home Assistant from a public network, where someone else could sniff your credentials while logging in.

That being said, it’s still good practice to encrypt the traffic. Just be aware that it usually does not increase resistance against attacks.

Nabu Casa would be a better alternative. Or setting up a VPN. If you really want to expose it, make sure you use strong passwords, and ideally turn on multi-factor authentication in Home Assistant.

You can also use Cloudflare and expose your HA that way. You can play with some security settings on Cloudflare afterwards: adding extra authentication to access HA (may have issues with the companion app?), blocking countries you don’t want to allow access from, etc.

In essence, if you don’t have IP restriction, anyone can guesstimate the password and log in.

If you enable 2FA, this would add an additional layer of protection.

Or, you access your smart home server with a VPN (you actually become part of the home network), but you might have some trouble with the Google Assistant/Alexa integrations.
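To tie together the secrets question in the original post and the password-guessing point above, here is an added example (not from the thread or the Home Assistant project) of a configuration.yaml `http:` block beside its secrets.yaml. It assumes the Home Assistant OS convention of Let’s Encrypt certificates under /ssl/ and the core `http` and `duckdns` integrations; the domain and token values are constructed placeholders.

```yaml
# configuration.yaml (added example, not the thread's own file)
http:
  # Let's Encrypt certificate and key as written by the DuckDNS add-on
  # (assumed paths; adjust to where your certificates actually live)
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  # TLS alone does not stop password guessing; these two settings make
  # Home Assistant ban an IP after repeated failed logins. Without them
  # (the default threshold of -1 disables banning) an exposed instance
  # accepts unlimited guesses.
  ip_ban_enabled: true
  login_attempts_threshold: 5

# Anything that is a credential belongs in secrets.yaml and is referenced
# with !secret, so configuration.yaml can be shared or backed up safely.
duckdns:
  domain: !secret duckdns_domain
  access_token: !secret duckdns_token

# --- secrets.yaml (same directory as configuration.yaml) ---
# duckdns_domain: example-home   # constructed placeholder
# duckdns_token: REPLACE_WITH_YOUR_DUCKDNS_TOKEN   # constructed placeholder
```

Banned addresses are recorded in ip_bans.yaml next to the configuration, which is also a quick way to check whether anyone has been trying to log in.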

All good ideas, thanks everyone!
