OpenHAB config - securing sensitive information

I’m running the latest OpenHAB version.
Is there a way to put some kind of constants or placeholders in the config files that get replaced by the sensitive information needed there?
Every framework I’ve worked with in my professional dev life did have some kind of secure storage. Is there a way to do this with OpenHAB? This way versioning in git would be a no brainer without the hassle of ansible or some other automation/CI solution for securing sensitive stuff.
And no matter how you feel about it sensitive information is nothing to be checked in VCS. (never!)

I’m looking forward finding a solution for that problem.


OH does not support handling secrets in a secure way.
The next best option is to use something like git-crypt (I use that myself) to encrypt files and folders with sensitive information.

On my side I git in a private repo, but for sure a secure storage would be a better approach. IIRW I saw such a discussion once in ESH Dev forum, but it has not been implemented as of today

Mmmh ok. That would be a great new feature.

I’m not fine with pushing passwords for services to vcs even in a private repository. I don’t want to soften my security best practices. :grinning: So for the time being ansible is the way to go for me then.

Indeed, that’s my view: “hiding in plain sight” :grin:

I hate to compare OH with HA, but that’s something they have more or less fixed a long time ago. The way it is implemented there is quite simple: have special file(s) with only the secrets and make references (in an ‘include-like’ style) to these secrets. But given the fact that I sense a tendency to discourage (not disable) text-based configurations moving to OH3, I’m not sure how that will translate to handling those kind of secrets.

1 Like

Well to be honest text based configuration can only be dropped if the visual configuration is veeeeeery good. :grinning: And I don’t see that coming any time soon. Allowing all special cases in a visual way ends up in a mess of ui like IOBroker.

So it would be awesome to have a professional solution for handling sensitive information. In the web development area it is as simple as setting the secrets in a .env file and having simple placeholders in the configuration files. Plain simple and secure.

Don’t worry. :sunglasses: