Securing your Home Assistant
Home Assistant runs on your own hardware and does not depend on any cloud service to work, which already removes a large category of risks that come with internet-connected smart home platforms. Even so, there are a few simple steps you should take to keep your Home Assistant secure, especially if you plan to access it from outside your home network.
Checklist
The most important things to do to keep your Home Assistant secure:
- Centralize sensitive data in secrets (and remember to back them up).
  Note: Storing secrets in secrets.yaml does not encrypt them.
- Keep your system up to date with each monthly release.
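As an added example (not code from the Home Assistant docs or project), the following stdlib-only Python script audits a configuration for two checklist slips: credential-like keys whose value is a literal instead of a `!secret` reference, and `!secret` names that have no entry in secrets.yaml (a broken config after a lost or unbacked-up secrets file). The sensitive-key list and the sample YAML are constructed for this example.

```python
"""Audit Home Assistant YAML for credentials that should live in secrets.yaml."""
import re

# Keys whose values are usually credentials. Constructed for this example,
# not an official Home Assistant list; extend it for your integrations.
SENSITIVE_KEYS = {"password", "api_key", "token", "access_token",
                  "client_secret", "secret", "username"}

# "key: value" lines, optionally inside a "- " list item.
KEY_VALUE = re.compile(r"^\s*-?\s*([A-Za-z0-9_]+):\s*(.+?)\s*$")
SECRET_REF = re.compile(r"^!secret\s+([A-Za-z0-9_]+)$")


def _key_values(text):
    """Yield (line_no, key, value) with trailing '# comment' text removed."""
    for n, line in enumerate(text.splitlines(), 1):
        m = KEY_VALUE.match(line)
        if m:
            value = re.split(r"\s+#", m.group(2), maxsplit=1)[0]
            yield n, m.group(1), value


def find_inline_credentials(config_text):
    """Return (line_no, key) for sensitive keys given as literals, not !secret."""
    return [(n, key) for n, key, value in _key_values(config_text)
            if key.lower() in SENSITIVE_KEYS and not SECRET_REF.match(value)]


def find_dangling_secret_refs(config_text, secrets_text):
    """Return !secret names used in the config that secrets.yaml does not define."""
    defined = {key for _, key, _ in _key_values(secrets_text)}
    missing = []
    for _, _, value in _key_values(config_text):
        ref = SECRET_REF.match(value)
        if ref and ref.group(1) not in defined:
            missing.append(ref.group(1))
    return missing


# Constructed sample input: one inline password, one secret never defined.
SAMPLE_CONFIG = """\
http:
  ssl_certificate: /ssl/fullchain.pem
mqtt:
  broker: 192.168.1.10
  username: !secret mqtt_user
  password: hunter2
notify:
  - platform: telegram
    api_key: !secret telegram_key
"""
SAMPLE_SECRETS = "mqtt_user: homeassistant\n"

if __name__ == "__main__":
    print("inline credentials:", find_inline_credentials(SAMPLE_CONFIG))
    print("dangling !secret refs:", find_dangling_secret_refs(SAMPLE_CONFIG, SAMPLE_SECRETS))
```

Run it against your real configuration.yaml and secrets.yaml by reading both files into the two functions; secrets.yaml itself stays plaintext, so keep it in your backups and out of any shared repository.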
Remote access
If you want secure remote access, the easiest option is to use Home Assistant Cloud, which also supports the Open Home Foundation, the organization that develops Home Assistant, ESPHome and much more.
Another option is to use TLS/SSL via the Duck DNS add-on, which integrates Let’s Encrypt.
To expose your instance to the internet, use a VPN or an SSH tunnel. Make sure to open the port that is used on your router.
Extras for manual installations
Besides the above, we advise that you consider the following to improve security:
- For systems that use SSH, set PermitRootLogin no in your sshd configuration (usually /etc/ssh/sshd_config) and use SSH keys for authentication instead of passwords. This is particularly important if you enable remote access to your SSH services.
- Lock down the host following good practice guidance, for example:
  - Securing Debian Manual (this also applies to Raspberry Pi OS)
  - Red Hat Enterprise Linux 7 Security Guide, CIS Red Hat Enterprise Linux 7 Benchmark