Modernizing encryption of Home Assistant backups

Home Assistant Backups Get a Major Cryptography Overhaul — And an Independent Audit to Back It Up

Backups are one of those features you set up and hope you never truly need — but when you do need them, nothing else matters more. Starting with the Home Assistant 2026.4 release on April 1, 2026, your backups will automatically use a completely modernized encryption system called SecureTar v3. The best part? You don’t need to do anything. New backups will start using the stronger format without any manual migration steps on your end.

So what actually changed, and why should you care? The previous backup formats (v1 and v2) used AES-128 encryption paired with a key derivation method that, while functional, no longer reflected the current state of the art in cryptography. To be clear, backups generated with the auto-generated high-entropy passphrases were not easy to crack — the team calculated a brute-force attack would take longer than a human lifetime to succeed. But because advanced users could supply their own weaker passphrases, and because the underlying cryptographic primitives had room to improve, the team decided a full overhaul was the right call.

What SecureTar v3 Actually Changes

The new format brings three meaningful improvements under the hood:

Modern key derivation with Argon2id. This replaces the older, simpler key derivation step. Argon2id is a memory-hard algorithm, which means brute-force attacks become dramatically more expensive — attackers need far more hardware resources to even attempt cracking a password-protected backup.

Authenticated encryption via XChaCha20-Poly1305. Encryption is now handled through the libsodium secretstream API, which gives you both confidentiality (nobody can read your backup data) and integrity (nobody can silently tamper with it without detection). This is a genuinely well-regarded construction in modern cryptography, and it’s great to see it land here.

Safer parsing and defaults. Previously, corrupted backup headers could be silently misread as valid legacy backups. That behavior is now fixed — corrupt data raises an error instead of failing in a confusing and potentially dangerous way. New backups default to v3 automatically.

Trail of Bits Audited the Work — and Confirmed the Fixes

What makes this update especially notable is that the Home Assistant team didn’t just ship the new code and call it done. They commissioned Trail of Bits, a well-respected security engineering firm, to independently audit SecureTar v3. The audit surfaced three findings:

A timing side-channel in a validation comparison. Informational in severity, since the value in question is stored openly in the backup file header, but fixed anyway so security tooling stops flagging it.

An insecure fallback to legacy protocol versions when parsing corrupted headers. Also informational, now resolved so corrupted headers raise an error cleanly.

A supply-chain risk in the GitHub Actions workflow. Rated medium severity: workflow steps weren’t pinned to specific commit hashes and had overly broad permissions. This has been tightened up with pinned hashes and reduced permissions.

Critically, Trail of Bits confirmed in a follow-up review that all three findings were fully resolved. That kind of external validation is something the community should genuinely appreciate — it’s not cheap, and it demonstrates a real commitment to doing this right rather than just announcing improvements.
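To make the two parsing-related findings concrete (the legacy fallback on corrupted headers and the timing-sensitive validation comparison), here is an added Python example that is not SecureTar's code. The header layout, the `DEMOBKUP` magic, and the HMAC-based validation value are constructed assumptions for illustration, not the real backup format.

```python
import hashlib
import hmac
import struct

# Constructed layout for illustration only, NOT SecureTar's real header:
#   8-byte magic | 1-byte version | 16-byte salt | 32-byte validation value
MAGIC = b"DEMOBKUP"
HEADER = struct.Struct(">8sB16s32s")
KNOWN_VERSIONS = {1, 2, 3}


class HeaderError(ValueError):
    """Corrupt, truncated, or unsupported header."""


def validation_value(key: bytes, salt: bytes) -> bytes:
    # Hypothetical check value binding the header to the derived key.
    return hmac.new(key, salt, hashlib.sha256).digest()


def make_header(version: int, salt: bytes, key: bytes) -> bytes:
    return HEADER.pack(MAGIC, version, salt, validation_value(key, salt))


def parse_lenient(blob: bytes) -> int:
    """'Before' pattern: anything unrecognised is treated as legacy v1."""
    try:
        magic, version, _, _ = HEADER.unpack(blob[:HEADER.size])
    except struct.error:
        return 1
    if magic != MAGIC or version not in KNOWN_VERSIONS:
        return 1  # corruption silently becomes "legacy backup"
    return version


def parse_strict(blob: bytes, key: bytes) -> int:
    """'After' pattern: corruption raises; no fallback to an older version."""
    if len(blob) < HEADER.size:
        raise HeaderError("truncated header")
    magic, version, salt, stored = HEADER.unpack(blob[:HEADER.size])
    if magic != MAGIC:
        raise HeaderError("bad magic")
    if version not in KNOWN_VERSIONS:
        raise HeaderError(f"unknown version {version}")
    # Constant-time comparison: duration does not depend on the first differing byte.
    if not hmac.compare_digest(stored, validation_value(key, salt)):
        raise HeaderError("validation value mismatch")
    return version
```

With a single flipped byte in the magic, `parse_lenient` reports a version 1 backup while `parse_strict` raises `HeaderError`, which is the fail-closed behaviour the audit asked for.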

What You Need to Do

Honestly, very little. Once you update to Home Assistant 2026.4, new backups you create will automatically use SecureTar v3 encryption. There are no breaking changes for restoring existing v1 or v2 backups — backward compatibility is maintained for reading older formats. Just make sure you’re using the auto-generated high-entropy passphrase rather than a custom weak one, as that’s always been the safest approach regardless of encryption version.

This is exactly the kind of foundational work that doesn’t make for flashy feature screenshots but matters enormously for anyone storing backups remotely or in the cloud. The fact that it was funded through the Open Home Foundation — supported in part by purchases of official Home Assistant and ESPHome products — is a good reminder that investing in the ecosystem pays off in concrete, practical ways like this.

Source: Home Assistant Blog
