What is SHA-256?

A cryptographic hash function must satisfy three properties: preimage resistance (given a hash, it is infeasible to find the original input), second preimage resistance (given an input, it is infeasible to find a different input with the same hash), and collision resistance (it is infeasible to find any two distinct inputs that produce the same hash). SHA-256 satisfies all three and remains unbroken since its publication by NIST in 2001.

SHA-256 produces a 256-bit output regardless of input size — hashing a single character and hashing a gigabyte file both produce a 32-byte digest. The avalanche effect ensures that changing even one bit of the input produces a completely different hash with no discernible pattern. This makes SHA-256 useful for integrity verification: store the hash of a file, and later re-hash the file to confirm it has not been modified.

SHA-256 is not an encryption algorithm — hashing is a one-way operation with no corresponding decryption. It is used as a building block in many cryptographic constructions: HMAC-SHA256 for message authentication, PBKDF2-SHA256 for key derivation, certificate fingerprints, blockchain proof-of-work, and digital signature schemes. Its widespread adoption across protocols and platforms makes it one of the most important primitives in modern cryptography.

How Vaulted uses SHA-256

SHA-256 is the hash function underlying Vaulted's key derivation process. When a passphrase is used to protect a secret, PBKDF2 applies HMAC-SHA256 iteratively (100,000 rounds) to derive a wrapping key from the passphrase and a random salt. SHA-256 is also the hash function used in the HMAC computation that generates status page tokens, ensuring that only the secret creator can access the status page for their secret.