WTH is authentication data stored unencrypted?

The authentication for every integration that requires it is stored in a JSON structure in the .storage folder and has no encryption. If all addons, both first and third party, have access to the config folder, then they also have access to the .storage folder, which raises a serious security issue.

If it is encrypted you’ve got two choices:

  1. HA can auto-decrypt it, in which case it’s not really encrypted since how you decrypt is in the code, readable by anybody. You’ve effectively used ROT13 which provides no actual security. You do however have the illusion of security, and will fool most people most of the time.
  2. HA can’t auto-decrypt it, and you need to enter the decryption phrase on startup. HA can’t auto start any more.

Only one of these is sensible, the other is smoke and mirrors.

3 Likes
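The two choices in the reply above, as an added example that is not part of the original thread and is not Home Assistant code. The record, key, passphrase handling and function names are all constructed for illustration, and an HMAC-SHA256 keystream stands in for a real cipher such as AES-GCM so the block runs on the standard library alone.

```python
import hashlib, hmac, json, os

# Constructed sample of a credential record; not a real Home Assistant file.
SECRET = json.dumps({"integration": "example", "token": "constructed-token"}).encode()

# Choice 1: the key ships with the program, so anyone who can read the code has it.
EMBEDDED_KEY = b"key-shipped-inside-the-application"

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce (16 bytes) + tag (32 bytes) + encrypted body."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + tag + body

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; ValueError means wrong key or altered data."""
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def key_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    # Choice 2: the key exists only after someone types the passphrase at startup.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def other_process_reads(blob: bytes) -> bytes:
    """A second program with read access to the file and the code needs nothing else."""
    return unseal(EMBEDDED_KEY, blob)

def unattended_start(blob: bytes, salt: bytes) -> bool:
    """No operator present means no passphrase, so the service cannot load its data."""
    try:
        unseal(key_from_passphrase("", salt), blob)
        return True
    except ValueError:
        return False
```
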

To add to Tinkerer, the access to the system is protected. Once an attacker is able to execute code or access the underlying system that runs Home Assistant, there is nothing we can do anymore.

Add-ons are running in a protected environment. Integrations don’t have this form of isolation and run directly in the core.

Thank you for the responses. I am satisfied with the answers.