xeor/hass
The secrets are encrypted using a key that is only visible while home-assistant is starting. We do this by:
- Using gpg to decrypt the secrets.yaml file right before home-assistant is started.
- Reading the password from /etc/init-secrets/secretfile_pw.
- Running the container without the SYS_PTRACE capability (the default), so debuggers can't attach to the running Python program and get the secret. Only home-assistant can.
Use secret_decrypt to manually decrypt, or secret_encrypt to encrypt it. Set DONT_DELETE_PWFILE=1 if you want to keep the secret pw file.
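The start-up sequence described above, as an added sketch (not the image's own scripts, which this page does not show). It assumes symmetric gpg encryption; the paths /config/secrets.yaml.gpg and /config/secrets.yaml, the RUN_INIT switch and the function names are hypothetical.

```shell
#!/bin/sh
# Added sketch, not the image's own code. PW_FILE's default and
# DONT_DELETE_PWFILE come from the README; everything else is assumed.
PW_FILE="${PW_FILE:-/etc/init-secrets/secretfile_pw}"
ENC_FILE="${ENC_FILE:-/config/secrets.yaml.gpg}"   # assumed path
OUT_FILE="${OUT_FILE:-/config/secrets.yaml}"       # assumed path

# Exit 0 if CAP_SYS_PTRACE (capability number 19) is set in a hex
# capability mask such as the CapBnd value in /proc/self/status.
has_sys_ptrace() {
    [ $(( (0x$1 >> 19) & 1 )) -eq 1 ]
}

# Refuse to continue if the container was started with SYS_PTRACE
# (for example via --cap-add SYS_PTRACE or --privileged).
check_caps() {
    mask=$(awk '/^CapBnd:/ {print $2}' /proc/self/status)
    if has_sys_ptrace "$mask"; then
        echo "CAP_SYS_PTRACE is available in this container" >&2
        return 1
    fi
}

# Decrypt the secrets, then remove the passphrase file unless the
# operator asked to keep it with DONT_DELETE_PWFILE=1.
decrypt_secrets() {
    [ -r "$PW_FILE" ] || { echo "missing $PW_FILE" >&2; return 1; }
    ( umask 077   # decrypted file readable by the owner only
      gpg --batch --yes --pinentry-mode loopback \
          --passphrase-file "$PW_FILE" \
          --output "$OUT_FILE" --decrypt "$ENC_FILE" ) || return 1
    if [ "${DONT_DELETE_PWFILE:-0}" != "1" ]; then
        rm -f "$PW_FILE"
    fi
}

# Only act when explicitly asked, so the file can be sourced and inspected.
if [ "${RUN_INIT:-0}" = "1" ]; then
    check_caps && decrypt_secrets && exec "$@"
fi
```

Run with RUN_INIT=1 and the home-assistant start command as arguments; the command is only exec'd after the capability check and the decryption both succeed.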
To start using encryption, you can create the initial encrypted file with:
docker pull xeor/hass