Home Assistant has long been one of the most flexible and privacy-focused smart home platforms. It connects with countless devices, automates routines, and gives homeowners complete control over their data.
But as with any complex platform, the quiet features that run behind the scenes often go unnoticed until they fail or need attention. One of these features is Home Assistant’s backup system. Backups protect sensitive data like device credentials, API keys, and automation routines.
Although Home Assistant backups were encrypted by default, the project said its earlier key-derivation step no longer met modern cryptographic expectations. That finding helped drive the move to SecureTar v3 in Home Assistant 2026.4.
With the release of Home Assistant 2026.4, the platform addresses this overlooked gap. The update introduces SecureTar v3, a modernized encryption system audited by security specialists to ensure stronger privacy and integrity for user backups.
While the change might seem subtle to casual users, it represents one of the most significant security upgrades to Home Assistant in years.
Keep reading to see how SecureTar v3 strengthens your backups and why this update is a must for every smart home setup.
Why were backups a concern?
Backups in Home Assistant have always been encrypted with high-entropy passphrases. These passphrases made brute-force attacks practically impossible, meaning users’ data was reasonably secure even under older systems.
Little‑known fact: The built‑in backup system now supports multiple backup locations through backup agents, including Google Drive, OneDrive, and Synology DSM.
However, earlier Home Assistant backup formats used AES-128 encryption alongside a simpler key-derivation step that the project said no longer met modern standards.
Security researcher Sam Gleske highlighted that while default backups remained secure, manually generated passwords or legacy encryption primitives could be vulnerable.
This triggered a re-evaluation of Home Assistant’s approach. The goal was simple: create a system that matched modern cryptography expectations and offered safer defaults for both new and existing backups.
How SecureTar v3 improves backup security
SecureTar v3 introduces two major improvements: a stronger password-based key derivation function and a modern encryption method.
Home Assistant now uses Argon2id, a memory-hard algorithm, to derive encryption keys. This means that brute-force attacks become far more costly and time-consuming, protecting users even if a password is weak.
Encryption itself is handled by XChaCha20-Poly1305 through the libsodium secretstream API. This combination not only encrypts data but also authenticates it.
In practical terms, this ensures that any tampering or corruption in the backup is immediately detectable, eliminating the risk of silent data compromise.
Little‑known fact: Before the latest refinements, some users reported non‑standard tar contents inside backup archives, which made manual extraction difficult without specific tools.
The new system also introduces safer parsing defaults. Older versions could misinterpret corrupted backups as valid files, a minor but avoidable risk. With SecureTar v3, any anomalies trigger an error instead of a fallback to older encryption methods, further strengthening overall security.
Why an audit was essential
Home Assistant commissioned the security firm Trail of Bits to perform a focused audit of SecureTar v3. Independent verification ensured that the new encryption system was not only modern but also implemented correctly.
The audit uncovered three issues: a minor timing side-channel in validation comparison, an insecure fallback to legacy backups, and a medium-severity supply-chain risk in GitHub Actions workflows.
None of these flaws posed immediate danger, and all were resolved before the 2026.4 release. Trail of Bits confirmed that SecureTar v3 followed best practices for encryption, authentication, and key derivation.
This level of scrutiny shows Home Assistant’s commitment to user security, especially for features that many users take for granted.
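The safer parsing defaults and two of the audit findings above (the timing side-channel in validation comparison and the fallback to legacy backups) come down to a reader that fails closed and compares secrets in constant time. The sketch below is an added example, not SecureTar's code: the header layout, `MAGIC`, `open_backup` and the other names are constructed for illustration, and scrypt stands in for Argon2id so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import struct

# Constructed toy header: magic, version, salt, key-check tag.
# This is NOT SecureTar's real on-disk layout.
MAGIC = b"DEMOBKUP"
HEADER = struct.Struct(">8sB16s32s")
SUPPORTED_VERSIONS = {3}


class BackupFormatError(Exception):
    """Any header anomaly; the reader never guesses another format."""


def derive_key(password: bytes, salt: bytes) -> bytes:
    # Stand-in KDF so the example runs on the standard library alone.
    # SecureTar v3 uses Argon2id; scrypt is only a memory-hard placeholder.
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)


def key_check(key: bytes) -> bytes:
    # Tag that lets the reader validate the password before decrypting.
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def write_header(password: bytes, salt: bytes, version: int = 3) -> bytes:
    tag = key_check(derive_key(password, salt))
    return HEADER.pack(MAGIC, version, salt, tag)


def open_backup(blob: bytes, password: bytes) -> bytes:
    """Return the derived key, or raise. There is no legacy fallback path."""
    if len(blob) < HEADER.size:
        raise BackupFormatError("truncated header")
    magic, version, salt, stored_tag = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise BackupFormatError("bad magic")
    if version not in SUPPORTED_VERSIONS:
        raise BackupFormatError(f"unsupported version {version}")
    key = derive_key(password, salt)
    # Constant-time compare: duration does not reveal how many bytes matched.
    if not hmac.compare_digest(key_check(key), stored_tag):
        raise BackupFormatError("wrong password or corrupted header")
    return key
```

A header that is truncated, carries an unknown version, or fails the tag check raises `BackupFormatError` in every case; none of those conditions routes the file to an older decryption path.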
What users need to do
For most Home Assistant users, little action is required. Any new encrypted backup created after updating to 2026.4 will use SecureTar v3, and existing encrypted backups remain secure because Home Assistant’s generated passphrase is strong and high-entropy.
That said, users seeking extra assurance can regenerate the encryption key through the backup settings page.
This is particularly recommended if a manually chosen password was used in previous backups. Home Assistant’s developers have made this process straightforward to encourage best practices without adding complexity.
Users who rely on the Home Assistant CLI for backups, using the ha backup command or actions such as hassio.backup_partial, should ensure that any user-supplied passwords are strong. Even if older backups remain secure, choosing a high-entropy passphrase for future backups adds extra protection.

Why this update matters for smart home security
Smart homes today store far more sensitive data than they did even a few years ago. Beyond simple device control, Home Assistant manages security systems, automation routines, and integrations that may include API keys for third-party services.
A breach of a backup could potentially expose all of this information. By modernizing encryption and implementing safer defaults, Home Assistant reduces risk across the platform.
Users no longer need to worry about outdated cryptographic algorithms undermining the security of their backups. With SecureTar v3, even attackers with substantial computing resources would face severe obstacles in attempting to access backup contents.
Interestingly, this isn’t the only recent update reshaping how Home Assistant feels in daily use. While 2026.4 focuses on strengthening security behind the scenes, the earlier 2025.11 release tackled one of the platform’s most frustrating usability issues by making automation targeting far more precise and intuitive.
If you’ve ever struggled with selecting the right devices or areas, it’s worth exploring how that update simplifies the entire process and removes much of the guesswork from building automations.
A historical perspective
Backups in Home Assistant have evolved over time. Early versions used AES-128 encryption with simple key derivation methods.
This was sufficient at the time, but cryptography standards have changed. Developers have responded by integrating stronger algorithms and improved authentication mechanisms, reflecting the platform’s proactive approach to privacy and security.
The shift from AES-128 to XChaCha20-Poly1305 with Argon2id is not just a technical upgrade. It signals a philosophy of continuous improvement. Security is iterative, and Home Assistant’s team has demonstrated that even features users rarely interact with are regularly assessed and modernized.
Community involvement and transparency
SecureTar v3 is fully open source, with source code available on GitHub under the Apache 2.0 license. This transparency allows independent researchers and developers to review the implementation, verify security claims, and even contribute improvements.
Home Assistant’s decision to fund the audit through the Open Home Foundation reflects a broader commitment to community trust. Financial support from merchandise sales and foundation partnerships helps fund expert security reviews, which ultimately protect every user of the platform.
Recommended steps for users
To fully benefit from the 2026.4 update, users should first ensure their system is running the latest version of Home Assistant. Once updated, any new encrypted backup will use SecureTar v3, and users who want additional assurance can regenerate their encryption key.
Users who create backups with the ha backup CLI command or with actions such as hassio.backup_full and hassio.backup_partial should make sure any user-supplied passwords are strong and unique. Following that guidance helps reduce the risk of weak credentials undermining backup security.
Little‑known fact: Some users report that backups to cloud destinations (e.g., Home Assistant Cloud) keep only the most recent backup due to built‑in storage limits.

Looking ahead
Home Assistant 2026.4 highlights an important lesson for all smart home users: security is never finished. Features like backup encryption can quietly protect vast amounts of sensitive information, but only if they evolve alongside technology.
By modernizing its backup system, Home Assistant strengthens the foundation of user privacy while setting an example for the smart home industry.
The update also illustrates how open-source platforms can combine transparency, community oversight, and professional auditing to deliver stronger security. Users gain confidence not just from the tools themselves, but from knowing that experts have independently verified the implementation.
Bottom line
Home Assistant 2026.4 may seem like a routine update, but its improvements to backup encryption are significant. SecureTar v3 replaces older cryptographic methods with Argon2id key derivation and XChaCha20-Poly1305 encryption, providing both confidentiality and integrity.
Audited by Trail of Bits, SecureTar v3 addressed all three findings identified during the review, including two informational issues and one medium-severity supply-chain risk. For users, this means minimal effort for maximum security. Existing backups remain readable and protected, while new backups benefit from modernized encryption by default.
The update underscores Home Assistant’s commitment to safeguarding sensitive smart home data, quietly ensuring that what runs in the background remains trustworthy.
- Home Assistant 2026.4 updates the backup system to SecureTar v3 for modernized encryption.
- SecureTar v3 uses Argon2id for memory-hard key derivation, improving brute-force resistance.
- Backups are encrypted and authenticated with XChaCha20-Poly1305 to prevent tampering.
- An independent audit by Trail of Bits identified three issues, including timing validation, legacy fallback behavior, and a medium-severity supply-chain risk, and Home Assistant says all three were resolved.
- Existing backups remain secure, but users can regenerate encryption keys for extra protection.
- Backups created with the ha backup CLI command or with hassio.backup_full and hassio.backup_partial should use strong, high-entropy passwords when users supply their own credentials.
- The update strengthens privacy and security for sensitive smart home data.
- SecureTar v3 source code is open-source and available on GitHub under Apache 2.0.
- The Open Home Foundation funded auditing and improvements to ensure platform-wide trust.
- Security is iterative; Home Assistant 2026.4 ensures backups meet modern standards while staying user-friendly.
This article was made with AI assistance and human editing.
