Support for full disk encryption #1267
Replies: 3 comments 1 reply
-
I would go one step further and make encryption the default. That way it gets the full attention and support it needs to be seamless. Too many Linux distros treat disk encryption as a half-baked add-on and thus don't fully incorporate it, particularly at startup.
-
Hi, I have opened a similar but not identical thread with specific suggestions and a workaround that will certainly be of interest to you as well. I would appreciate your support: https://github.com/orgs/home-assistant/discussions/1567#discussion-9100490

Best regards
bhuge
-
Auto unlocking without user interaction is totally doable by combining Secure Boot and TPM2, at least on devices that have these features. Given that both are required by Windows 11, almost all modern Mini PCs will have support for this. Different types of devices should also support this in some other form by now.

The current lack of encryption made me run the Home Assistant OS in a VM instead of just using e.g. the Home Assistant Green. It also made me wonder for how long a product like the Home Assistant Green will even be legal in the EU, given the rather strict regulations.

The wording of e.g. the Cyber Resilience Act (CRA) seems rather definitive: "In short, these mandates mean that data collected and stored on an IoT device must be encrypted and its integrity must be verifiable." https://www.cyberresilienceact.eu/2025/10/23/disk-encryption-challenges/

There also seems to be a deadline attached to this: "The CRA entered into force on 10 December 2024. It will be fully applicable as of 11 December 2027 with some provisions starting to apply earlier [...]" https://digital-strategy.ec.europa.eu/en/policies/cra-summary

Does anyone know if this really means that full disk encryption is required for e.g. the Home Assistant Green by end of 2027 (at the latest)?
-
Describe the feature
I would love for Home Assistant OS to have a way to fully encrypt the disk (unlocked via SSH) or alternatively support encrypting all Home Assistant data, including installed add-ons and the /share, /media, etc. directories.
Use cases
Home Assistant OS offers support for a lot of different kinds of addons - some can store highly sensitive information, like Paperless, Nextcloud etc. Most devices these days, like our phones and laptops, offer disk encryption by default today. When using Home Assistant as a hub for certain services, it leaves data vulnerable to stolen devices and other situations where people have access to the device.
Current workarounds
So far I used Home Assistant Supervised on a Debian with an encrypted boot disk. Now that this install method is no longer supported, it is no longer possible to have an encrypted Home Assistant OS install on a Raspberry Pi with full add-on support.
Anything else?
No response