Home Assistant 2026.4 Set to Bring in Improved, Modernized Encryption for Users' Backups
SecureTar v3, independently audited, should significantly boost privacy and security for the home automation platform's users.
The team behind the home automation platform Home Assistant has announced an upcoming new feature, due to land early next month: modernized encryption, formally audited to ensure privacy and security.
"Backups are one of those quiet, powerful features: when they work, you don't notice them, but when you need them, they're everything," say Erik Montnémery and Stefan Agner in a joint announcement ahead of the launch of Home Assistant 2026.4 next week. "We've evolved Home Assistant's built-in backup format over the years to keep it safe and secure, especially when backing up to remote locations. As modern cryptography has advanced, we needed to build a system to match. SecureTar v3 is a purpose-built library for creating and reading password-protected Home Assistant backups with modern cryptography and safer, stronger defaults."
Home Assistant has used encryption to protect its backups — which can include keys for authenticating with application programming interfaces (APIs) for everything from heating and ventilation to home security systems — since its initial launch. A report from security researcher Sam Gleske, however, triggered a rethink: the AES-128 cryptosystem used to protect the backups wasn't up to modern standards, leading to the creation of SecureTar v3.
The third-generation cryptosystem swaps to the memory-hard Argon2id algorithm for password-based key derivation, making it harder to brute-force, and uses XChaCha20-Poly1305 via the libsodium secretstream API for encryption and authentication. The result: improved security, privacy, and anti-tampering measures, which will be enabled by default in Home Assistant 2026.4.
To ensure the new approach isn't a misstep, the Open Home Foundation funded an audit of SecureTar v3 via security engineering specialist Trail of Bits. While this found two informational and one medium-severity flaw — a potential side-channel attack and faulty parsing logic allowing for an insecure fallback to older SecureTar versions, plus a supply-chain risk in the project's GitHub Actions workflow — all three have since been resolved.
"Existing backups are still secure, as Home Assistant's generated passphrase is strong," Montnémery and Agner say of those concerned about their existing backups. "That said, for extra security, you can regenerate the encryption key in your backup settings (use the 'Change encryption key' option at the bottom of the backup settings page)."
The new backup system will be enabled by default in Home Assistant 2026.4, due for release on April 1. Gleske has independently developed a tool that allows for standalone decryption of SecureTar v2 and v3 backups, released under the permissive Apache 2.0 license on GitHub. The SecureTar v3 source code is also available on GitHub under the same license, with more information found in Home Assistant's blog post.
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.