Using a secret manager instead of hardcoding credentials

Hi all!

In software development it is common practice to use a secret manager like Vault instead of hardcoding (exposing) credentials to code/things files. Does openHAB support any type of secret manager? Searching for “secret manager” only brings up topics about openHAB cloud. :pensive:

Nope, it doesn’t :cry:
And yes, I would also like some vault / secret manager concept for openHAB :thinking:

Open an issue on GitHub to get that considered as a feature.

openHAB 3, I hear, is bringing new security features. I'm not sure which ones, but it is a goal to improve that area.

@darkspirit510 Do you use Hashicorp Vault? If so, do you have an existing home implementation? Or where would you run it? On your OH2 machine, Docker, or a separate server? Just curious for my own research. I’ve used Vault for work and it’s great.

One premise of openHAB is local control wherever possible with no Internet dependencies.

A cloud based service that core functionality would depend on does not interest many of us.

I totally see your point, @Bruce_Osborne. Most credentials in my openHAB configuration are just used in my home. But I was thinking about adding Apple devices to do specific actions (like pressing a button to find my phone). The credentials in this case are valid outside of my home. You could also apply this to things like the CalDAV binding or Telegram publishing (okay, this is a limited issue). Those are at least the things that come to my mind.

I do not want to give my credentials to a cloud service just to have them disappear. These people who bought this device new in 2017 or subsequent will now have a useless device.

Vault can be hosted on premise though and does not need to be in the public cloud. Like @darkspirit510, I also have some devices that require credentials for devices that are connected to the internet that I need to control. I have those all on a separate VLAN (NoT) vs my local devices on VLAN (IoT) that do not need internet access.

I’ve got a bit of a complicated setup for my openHAB, but I have a repo that contains my config files that are also templates. When changes happen to these files, it triggers a job to run that rebuilds the configs and injects the secrets. It’s worked really well for me so far.
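As an added illustration of the template-and-inject approach described in the post above (example code, not the poster's own pipeline): a small renderer that fills `{{ secret:NAME }}` placeholders in an openHAB `.things` template from a secrets dictionary (in practice populated from environment variables or a Vault lookup), refuses to write a file while any placeholder is unresolved, and rejects secret values that would break the quoted strings. The template content, broker host and credential names are constructed for this example.

```python
import os
import re
from typing import Dict, Iterable, Set

# Placeholder syntax assumed for this example: {{ secret:NAME }}
PLACEHOLDER = re.compile(r"\{\{\s*secret:([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed sample .things template; host and credential names are made up.
SAMPLE_TEMPLATE = """Bridge mqtt:broker:home [ host="192.168.1.10", username="openhab", password="{{ secret:MQTT_PASSWORD }}" ]
Thing telegram:telegramBot:bot [ botToken="{{ secret:TELEGRAM_TOKEN }}" ]
"""


def find_placeholders(template: str) -> Set[str]:
    """Return the set of secret names the template references."""
    return set(PLACEHOLDER.findall(template))


def secrets_from_env(names: Iterable[str], environ=None) -> Dict[str, str]:
    """Collect the named secrets from the environment (CI job variables,
    or values exported after a Vault lookup). Missing names are simply
    absent so render() can report them all at once."""
    environ = os.environ if environ is None else environ
    return {n: environ[n] for n in names if n in environ}


def render(template: str, secrets: Dict[str, str]) -> str:
    """Substitute every placeholder; fail closed rather than emit a config
    with a literal placeholder (or a broken quoted string) in it."""
    missing = find_placeholders(template) - set(secrets)
    if missing:
        raise KeyError(f"unresolved secrets: {sorted(missing)}")
    for name, value in secrets.items():
        # Conservative assumption: values sit inside "..." in the .things file,
        # so a quote or newline would terminate the string early.
        if '"' in value or "\n" in value:
            raise ValueError(f"secret {name} contains a character that would break the config")
    return PLACEHOLDER.sub(lambda m: secrets[m.group(1)], template)


if __name__ == "__main__":
    names = find_placeholders(SAMPLE_TEMPLATE)
    print(render(SAMPLE_TEMPLATE, secrets_from_env(names)))
```

The rendered output is what gets written to the openHAB conf directory; only the template, with placeholders, belongs in the repo.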