Every Git commit contains a reference to its parent commit. This simple mechanism creates an unbreakable chain of history — if anyone modifies a past commit, all subsequent hashes change, making tampering immediately detectable.
LogVault applies this same principle to audit logs. Here's how it works.
The Problem: Silent Modifications
Traditional audit logs are just database rows. Anyone with write access can:
- Delete inconvenient entries
- Modify timestamps to backdate activity
- Insert fake records to cover tracks
Without cryptographic integrity, you're trusting the database — and anyone who can access it.
❌ The Compliance Gap: SOC 2 Type II requires tamper-evident audit trails. A simple
DELETE FROM audit_logsquery breaks this requirement entirely.
The Solution: Hash Chaining
Each audit event in LogVault contains three cryptographic fields:
interface AuditEvent {
id: string;
action: string;
timestamp: string;
// ... other fields
// Cryptographic integrity
signature: string; // HMAC of event data
prev_hash: string; // Hash of previous event
chain_hash: string; // Hash of this event (used by next event)
}How It Works
- Event arrives: LogVault receives a new audit event
- Signature created: HMAC-SHA256 signs the event data
- Chain linked:
prev_hashis set to the previous event'schain_hash - Hash computed:
chain_hash = SHA256(prev_hash + signature + event_data)
Event 1 Event 2 Event 3
┌──────────┐ ┌──────────┐ ┌──────────┐
│ action │ │ action │ │ action │
│ data │ │ data │ │ data │
│ │ │ │ │ │
│ prev: ── │────▶│ prev: ── │────▶│ prev: ── │
│ hash: A1 │ │ hash: B2 │ │ hash: C3 │
└──────────┘ └──────────┘ └──────────┘
Why Tampering Is Detectable
If an attacker modifies Event 2:
- Event 2's
chain_hashchanges (different input = different hash) - Event 3's
prev_hashno longer matches Event 2's new hash - Chain is broken — verification fails immediately
The attacker would need to recompute every subsequent hash, but they can't because:
- They don't have the HMAC signing key
- LogVault's verification endpoints would detect the mismatch
Verification in Practice
LogVault provides three levels of verification:
1. Dashboard Verification
The chain status banner shows real-time integrity:
┌─────────────────────────────────────────────────────────┐
│ ✓ Chain Verified: 1,247 events · Last check: 2 min ago │
└─────────────────────────────────────────────────────────┘
2. SDK Verification
Programmatic verification for CI/CD pipelines:
import { LogVault } from '@logvault/sdk';
const logvault = new LogVault({ apiKey: 'lv_...' });
// Verify entire chain
const result = await logvault.verifyChain();
if (result.isValid) {
console.log('✓ All events verified');
} else {
console.error('✗ Chain broken at:', result.firstInvalidEvent);
}from logvault import LogVault
client = LogVault(api_key="lv_...")
# Verify chain
result = client.verify_chain()
if result.is_valid:
print("✓ All events verified")
else:
print(f"✗ Chain broken at: {result.first_invalid_event}")3. Event-Level Proof
Get cryptographic proof for a specific event:
const proof = await logvault.getEventProof('evt_abc123');
console.log({
eventHash: proof.chain_hash,
previousHash: proof.prev_hash,
signature: proof.signature,
position: proof.chain_position,
totalEvents: proof.total_events,
});Handling Legacy Events
When you first start using LogVault, existing events won't have hash chains. LogVault handles this gracefully:
| Event Type | prev_hash | chain_hash | Status |
|---|---|---|---|
| Legacy | null | null | Unverifiable |
| First chained | null | abc123... | Chain start |
| Subsequent | abc123... | def456... | Fully verified |
ℹ️ Migration Path: New events are automatically chained. Legacy events remain accessible but show as "unverifiable" in the dashboard.
Performance Considerations
Hash computation adds minimal overhead:
- SHA-256: ~500ns per event on modern CPUs
- HMAC-SHA256: ~1μs per event
- Chain lookup: O(1) with proper indexing
At 10,000 events/second, hash chaining adds less than 10ms total latency.
Comparison: Hash Chain vs. Blockchain
You might wonder: "Why not use a blockchain?"
| Feature | Hash Chain | Blockchain |
|---|---|---|
| Verification speed | Milliseconds | Seconds to minutes |
| Storage cost | ~200 bytes/event | Kilobytes/event |
| Decentralization | Not required | Core feature |
| Compliance | Sufficient | Overkill |
| Complexity | Low | High |
Hash chains provide the same tamper-evidence guarantees that compliance requires, without the overhead of consensus mechanisms or distributed storage.
✅ Right Tool for the Job: Blockchains solve decentralized trust. Audit logs need centralized trust with tamper evidence. Hash chains are the right abstraction.
Conclusion
Hash chaining transforms audit logs from "database rows we hope nobody modifies" to "cryptographically verifiable history." The same technique that makes Git reliable makes your audit trail trustworthy.
Key takeaways:
- Every event links to its predecessor — creating an unbreakable chain
- Tampering is mathematically detectable — not just policy-based
- Verification is fast — milliseconds, not minutes
- Legacy events coexist — no big-bang migration required
Ready to implement tamper-evident audit logs? Get started with LogVault — hash chaining is built in.