Securing your Home Assistant
Home Assistant runs on your own hardware and does not depend on any cloud service to work, which already removes a large category of risks that come with internet-connected smart home platforms. Even so, there are a few simple steps you should take to keep your Home Assistant secure, especially if you plan to access it from outside your home network.
Checklist
The most important things to do to keep your Home Assistant secure:
- Use a strong, unique password for every account, and turn on multi-factor authentication.
- Centralize sensitive data in secrets (and remember to back them up).
  Note: Storing secrets in secrets.yaml does not encrypt them.
- Keep your system up to date with each monthly release.
About account security basics
Your accounts are the first line of defense, especially if you access Home Assistant from outside your home network.
- Choose a strong, unique password for every account. A password manager makes this easier.
- Turn on multi-factor authentication for an extra layer of protection.
- Only give administrator access to accounts that need it.
For more information, refer to Authentication.
Methods to enable remote access to Home Assistant
If you want to reach Home Assistant from outside your home network, set up a secure method for remote access rather than exposing it directly to the internet.
- The easiest and safest option is Home Assistant Cloud. It needs no port forwarding or certificate setup, and your subscription supports the Open Home Foundation, the nonprofit behind Home Assistant, ESPHome, and more open source projects.
- Another option is to use TLS/SSL via the Duck DNS add-on, which integrates Let’s Encrypt.
- To access your instance remotely, use a VPN or an SSH tunnel. Make sure you forward the required port on your router.
For more instructions on each option, refer to Remote access.
Extras for manual installations
Besides the above, we advise that you consider the following to improve security:
- For systems that use SSH, set PermitRootLogin no in your sshd configuration (usually /etc/ssh/sshd_config) and use SSH keys for authentication instead of passwords. This is particularly important if you enable remote access to your SSH services.
- Lock down the host following good practice guidance, for example:
  - Securing Debian Manual (this also applies to Raspberry Pi OS)
  - Red Hat Enterprise Linux 7 Security Guide, CIS Red Hat Enterprise Linux 7 Benchmark
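A quick way to confirm the SSH advice above has actually taken effect is to read the settings back the way sshd does. The script below is an added example, not part of the Home Assistant documentation: it reports the effective PermitRootLogin and PasswordAuthentication values from an sshd_config file, using the first occurrence of each keyword (the rule sshd applies) and ignoring comments and anything after the first Match block. The two sample configuration files are constructed for this example; point sshd_audit at /etc/ssh/sshd_config on a real host.

```shell
#!/bin/sh
# Added example, not from the Home Assistant docs. Audits an sshd_config for the two
# settings recommended above: PermitRootLogin no and key-based (not password) logins.
# sshd uses the FIRST value it finds for a keyword, so a later "PermitRootLogin no"
# does not override an earlier "PermitRootLogin yes"; this check mirrors that rule.
# Directives inside Match blocks are deliberately ignored (assumption: you care about
# the global defaults).

# sshd_effective KEYWORD FILE: print the effective value, or nothing if unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }               # comment line
        /^[[:space:]]*$/ { next }               # blank line
        tolower($1) == "match" { exit }         # stop at the first Match block
        tolower($1) == key { print $2; exit }   # first occurrence wins, as in sshd
    ' "$2"
}

# sshd_audit FILE: return 0 if root login and password logins are disabled, else 1.
sshd_audit() {
    file="$1"; status=0
    root=$(sshd_effective PermitRootLogin "$file")
    if [ "$root" != "no" ]; then
        # If unset, current OpenSSH defaults to prohibit-password, which still allows
        # key-based root login; the checklist asks for "no".
        echo "WARN: PermitRootLogin is '${root:-unset}' in $file (expected 'no')"
        status=1
    fi
    pw=$(sshd_effective PasswordAuthentication "$file")
    if [ "$pw" != "no" ]; then
        # If unset, OpenSSH defaults PasswordAuthentication to yes.
        echo "WARN: PasswordAuthentication is '${pw:-unset, defaults to yes}' in $file (expected 'no')"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $file disables root login and password authentication"
    fi
    return "$status"
}

# Constructed sample configs (not taken from any real system).
hardened=$(mktemp); weak=$(mktemp)
cat > "$hardened" <<'EOF'
# hardened sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
cat > "$weak" <<'EOF'
# weak sshd_config (constructed sample): root can log in with a password
PermitRootLogin yes
# PasswordAuthentication no   <- commented out, so the default (yes) applies
EOF

sshd_audit "$hardened"
if sshd_audit "$weak"; then
    echo "unexpected: weak sample passed"
else
    echo "weak sample flagged as expected (exit status 1)"
fi
```

After changing sshd_config, remember that a running sshd keeps its old settings until it is restarted or reloaded, so run the audit against the file and then reconnect to confirm a password login is refused.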