feat: store alarm code during integration setup (optional)

[lelelic]

Is your feature request related to a problem? Please describe. Hi, thank you for your work. I'm trying to create some automation using secrets file to save the alarm code but I can't. From what I've read here, the Home Assistant UI can't handle the !secret function, so my automations don't work.

Describe the solution you'd like I was reading around that other integrations with alarms allow you to save the code during the init of the integration and in that case you can use the !secret file. What do you think? In this case there would no longer be the need to pass the code during automation because the integration would already know it.

Additional context I understand that by doing this way, someone who enters Home Assistant could deactivate the alarm without knowing the code..

[palazzem]

Hello @lelelic, and thank you very much for reaching out with your feedback! I understand your challenge with the secrets file, as I was facing the same issue. The concerns I have are the same as those you already shared, which are:

1. Anyone with access to Home Assistant can deactivate your alarm, meaning your house is only as safe as Home Assistant is.
2. Other integrations can scan your configuration to retrieve both the username/password and the code.

Regarding point (1), I'm not completely comfortable because Home Assistant does not undergo regular security auditing, or at least I'm not aware of any such audits. This doesn't mean it's unsafe, but it implies that it may or may not be secure. Assuming Home Assistant is secure at its core, the way it is configured by users might compromise this security, thus nullifying the safety the alarm provides (e.g., HA username/password are easy to guess).

For point (2), it may be a non-issue, but in a world where many users install non-official integrations (like this one), I want to ensure that our users are not exposed to any potential surface attacks that require them to be cautious about how they use Home Assistant.

To summarize, if I add this feature, it really depends on how carefully users manage their Home Assistant configuration to ensure your home alarm remains safe. Generally, I prefer not to place the burden on users regarding how to use the software.

That said, we may do some progress on your issue as I don't want to ignore your request. You mentioned that other integrations with alarms allow us to save the code during the initialization. If you have a bit of time to do a search, can you point me to some examples? It's enough that you post integrations links, so I can dive into the code! Based on that I can see if there is a safer way to store all credentials (username/password/code) so that, at least, they are not accessible to other integrations. Thank you very much in advance!

[palazzem]

Hello @lelelic ! I just discovered that Home Assistant natively supports what you asked. I don't know exactly how it works, and neither if it's safe or not to use it, but you may take a look at their documentation/code and see if it solves the problem.

Here you can find some links:

1. Pull Requests with implementation details
2. Architecture discussion

To enable it you need version 2024.6 or newer, then you can go to your alarm panel settings and fill the default code field:

As you were asking a way to store the code, it looks like this change does exactly that so I'm closing the issue as resolved. Of course, feel free to reopen the issue if you think your request is not entirely solved!

Thank you very much!

[lelelic]

Hi Emanuele! Sorry if I didnt respond on your reply but I was very busy in the last weeks! Thank you for sharing the new features of Home Assistant 2024.6. It should be what I was looking for! Daniele