I was just backing up my hub and was just wonder how secure is this backup if got into the wrong hands? Can someone else restore my backup onto their hub if they had the file or is my Hubitat password needed before its allowed to be restored? I know crazy ,but in today's world that almost anything is possible , just got me being neurotic, After all what can they really do, turn on a light of mine lolo
The backup would restore but there would be no devices. Z Wave device pairings are stored in the hub and not in the backup. ZigBee devices are similarly paired with the hub. The backup is just your configuration, rules etc.
Well now I can sleep tonight lolol. Thanks so much for clearing that up. So just rules and configurations , got it. I did check the community before asking but I guess I'm the only nut in the group to even think about this. Thanks for your quick response.
Actually, the database has enough information on your Zigbee devices that if the database gets restored to the same hub, it should work (with Z-Wave, the actual pairings are stored on the chip that isn't backed up with Hubitat's current tools). I haven't actually tried this to say for sure, and on a different hub where the "coordinator" (hub) has a different Zigbee MAC, I don't think it would work.
However, it's a lot easier than Z-Wave in either case--the database contains the Zigbee devices' MAC addresses and will match them back up when they get re-paired, so having to do that is the worst possible outcome. Automations should remain intact (the device does get a new DNI assigned and I've seen this cause odd problems on rare occasions, but it's generally not an issue). For Z-Wave, you'll get new node IDs and will have to re-do everything (unless you have an external stick and back it up with third-party tools)--both pairing and automations--in either case.
I would assume any notification keys, cell phone numbers, lock codes could be extracted from a backup. Are you backing up to a nas or location that you could encrypt the file? Or Worried about the transport of the file?
Rule based firewalls in bridge mode on interior networks, between subjects, are great solutions for these exact security concerns. I use Watchguard firewall appliances for interior firewalls. Relatively easy to configure. Lower end models are fairly inexpensive and perfect for this. Check out M70 or equivelent
Presently backing up to Google drive unless I need to take security measures to store my Hubitat backup
I don't like cloud storage for a few reasons. You could at least encrypt the back file before you upload.
If you are using Google Drive sync to a local folder you could pull a Hubitat backup to folder1, and then use a batch encrypt and copy to folder2 for Google Sync to pick up and send it on its way.
Excellent idea! I never was fond of Goggle drive security either and my reasoning for initially questioning Hubitat's backup file security. Thanks again
The backup file is already encrypted. So I don’t think that you need to double down on the encryption
Hmmm.... While it may be encrypted, I am guessing every Hubitat Hub holds the encryption keys necessary to decrypt and restore the backup file. So....all a user would need to do is have a Hubitat Hub and restore it from there, correct?
I am not too worried about it personally, however if someone did accomplish this, they would have the OAUTH keys necessary to mess with some of my cloud connected accounts.
2 Likes
Very valid point
And potentially some apps store passwords in preferences that could be printed out to log, etc.
*edit: WOW, sorry for the thread necromancy. I didn't realize this was so old.
1 Like
