secrets.yaml is to prevent accidentally sharing passwords/api keys when sharing config files. It is secure only in the sense that it should only ever be accessible locally.
If you want encryption, look into implementing keyring or credstash. (see here)
Unfortunately I couldn’t tell you. I looked into it but ended up just using secrets.yaml as I am only storing API keys (something that can be regenerated) and local passwords only (which means the attacker would have to physical access to my computer/network to use them anyways).
There is no point in not using plain text. You can secure the file from casual viewing through file permissions. Beyond that, for Home Assistant to be able to use the secrets, it has to be able to decrypt it automatically. For that to work, it has to have the decryption built in, which anybody can then use to decode the files.
Secure the host, and you don’t have a problem. If you haven’t secured the host, well, then you’ve got a problem regardless
There’s a few threads here, but I’d summarise it as:
Run it on a dedicated system if possible
Keep your system up to date
Ensure that the home directory for the Home Assistant user (usually homeassistant), and everything under it don’t have world write, ideally no world access at all (sudo chmod -R o-wrx ~homeassistant)
Don’t set a password, or add a shell, for the Home Assistant user
Ensure your password is randomly generated, and long (12+ characters), and you don’t use it anywhere else (use a password manager)
Enable the IP ban option, and set the failed logins to something that works for you. I’d whitelist your LAN IP range, and set the failed logins to something low if you’re using a password manager (one if you’re paranoid, 2 or 3 otherwise)
Consider running a VPN for remote access, so that the only thing accessing your system remotely is for OwnTracks HTTP, Google Assistant, etc.
Now, I don’t set a password for the front end, or use an SSL certificate inside Home Assistant. I hand those over to an NGINX proxy, so that my “internal” access is open, and my remote access requires a username and a password. That’s a trade off, I’ve added some complexity, but made it harder to brute force/guess the authentication details.
I’m new to HA and trying to figure out the most secure options. Are you saying that the password to access is stored in plain text so all the other efforts don’t matter?
It looks like the keyring option has been removed from the docs. Is there a better way to do this now? It still looks like plain-text secrets.yaml is the only method described in the docs.
As long as your network isn’t hacked, or you don’t publish secrets.yaml to GitHub, there’s no security issue here.
Hacking the wifi isn’t the only attack vector. Someone could physically break into my house and steal the Raspberry Pi. Or a malicious add-on could upload secrets.yaml. Storing secrets in plain-text extends the scope of what an attacker could do, and is generally considered a bad practice. I understand it may be a low priority, but I think it would be a good idea to use encryption in the !secrets config system.
HA has to be able to decrypt that, without your input, to be able to use it.
At that point, given that HA is open source, any malicious addon/integration could also do that. Any attacker who broken in and stole the Pi could also do that.
You’ve gained nothing but the illusion of security.
If there was an interface built into to the !secrets pattern then the community could add support. Things like 1password local resolution via connect-api
And then Home Assistant will have credentials to access your password manager. So any one with access to the host running HA will be able to get those 1password credentials too. That is far more dangerous than plain text secrets.yaml. It is like putting your 1password credentials in plaintext in secrets.yaml. Does that sound safe to you?