Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to use checksums to maintain and verify the integrity of your secret's data
when adding and
accessing secret versions.
Think of a checksum as a unique fingerprint for your data. It's a short code generated from the
secret data using the CRC32C algorithm. If even a single bit in your
secret data changes, the checksum also changes. This lets Secret Manager detect any accidental
modifications or corruption.
Secret Manager uses checksums in the following ways:
When you add a secret version:
Secret Manager calculates the CRC32C checksum of your secret data.
This checksum is stored along with the secret data.
When you access a secret version:
Secret Manager returns the secret data along with its checksum.
You can use this checksum to verify that the data you received is exactly the same
as the data stored in Secret Manager.
To ensure that the checksum is compatible with the SecretPayload
structure, the checksum of the secret data must be calculated using the CRC32C algorithm and encoded
as a decimal integer. The SecretVersion
response includes a field indicating whether the server has successfully received and validated this
checksum.
The following example shows how checksums work in Secret Manager:
With secret data stored in a data file, calculate the checksum,
using gcloud storage hash.
Checksum must be converted to decimal format; it is encoded as int64 in SecretPayload proto.
$ gcloud storage hash "/path/to/file.txt" --hex
With secret data passed on the command line, calculate the checksum as follows:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Data integrity assurance\n\nThis page describes how to use checksums to maintain and verify the integrity of your secret's data\nwhen [adding](/secret-manager/docs/add-secret-version) and\n[accessing](/secret-manager/docs/access-secret-version) secret versions.\n\nThink of a checksum as a unique fingerprint for your data. It's a short code generated from the\nsecret data using the CRC32C algorithm. If even a single bit in your\nsecret data changes, the checksum also changes. This lets Secret Manager detect any accidental\nmodifications or corruption.\n\nSecret Manager uses checksums in the following ways:\n\n1. When you add a secret version:\n\n - Secret Manager calculates the CRC32C checksum of your secret data.\n\n - This checksum is stored along with the secret data.\n\n2. When you access a secret version:\n\n - Secret Manager returns the secret data along with its checksum.\n\n - You can use this checksum to verify that the data you received is exactly the same\n as the data stored in Secret Manager.\n\nTo ensure that the checksum is compatible with the [SecretPayload](/secret-manager/docs/reference/rpc/google.cloud.secretmanager.v1#secretpayload)\nstructure, the checksum of the secret data must be calculated using the CRC32C algorithm and encoded\nas a decimal integer. The [SecretVersion](/secret-manager/docs/reference/rest/v1/projects.secrets.versions#SecretVersion.FIELDS)\nresponse includes a field indicating whether the server has successfully received and validated this\nchecksum.\n\nThe following example shows how checksums work in Secret Manager: \n\n### API\n\nThese examples use [curl](https://curl.haxx.se/) to demonstrate using the API. You can generate [access tokens](/iam/docs/creating-short-lived-service-account-credentials) with gcloud auth print-access-token.\nOn Compute Engine or GKE, you must\n[authenticate with the cloud-platform scope](/secret-manager/docs/accessing-the-api#oauth-scopes).\n\nWith secret data stored in a data file, calculate the checksum,\nusing [gcloud storage hash](/sdk/gcloud/reference/storage/hash).\nChecksum must be converted to decimal format; it is encoded as int64 in SecretPayload proto. \n\n```\n$ gcloud storage hash \"/path/to/file.txt\" --hex\n```\n\nWith secret data passed on the command line, calculate the checksum as follows: \n\n```\n$ gcloud storage hash --hex cat \u003c(echo ${SECRET_DATA})\n```\n\nBase64-encode the secret data and save it as a shell variable. \n\n```\n$ SECRET_DATA=$(echo \"seCr3t\" | base64)\n```\n\nInvoke the API using curl. \n\n```\n$ curl \"https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id:addVersion\" \\\n --request \"POST\" \\\n --header \"authorization: Bearer $(gcloud auth print-access-token)\" \\\n --header \"content-type: application/json\" \\\n --data \"{\\\"payload\\\": {\\\"data\\\": \\\"${SECRET_DATA}\\\", \\\"data_crc32c\\\": $CHECKSUM}}\"\n```\n\nWhen the secret version is accessed, the returned\n[SecretPayload](/secret-manager/docs/reference/rpc/google.cloud.secretmanager.v1#secretpayload)\ncontains the data along with its checksum. Following is a sample response: \n\n```gdscript\n{\n \"name\": \"projects/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/secrets/\u003cvar translate=\"no\"\u003eSECRET_ID\u003c/var\u003e/versions/\u003cvar translate=\"no\"\u003eVERSION_ID\u003c/var\u003e\",\n \"payload\": {\n \"data\": \"YQo=\",\n \"dataCrc32c\": \"163439259\"\n }\n}\n```\n\nIn the console, when you\n[add a secret version](/secret-manager/docs/add-secret-version),\nthe checksum is automatically calculated when you enter a value for the secret.\n\nSecret versions encrypted with customer-managed encryption keys (CMEK) and\ncreated before July 16, 2021 do not have checksums stored.\n\nWhat's next\n-----------\n\n- Learn how to [set up notifications on a secret](/secret-manager/docs/event-notifications).\n- Learn how to [analyze secrets with Cloud Asset Inventory](/secret-manager/docs/analyze-resources)."]]
