Backup Integrity Certificate: Prove Your Data Is Unaltered for Compliance

Figure: Backup integrity certificate showing matched, changed, missing and extra file counts with a PASS verdict

Introduction

A backup that ran successfully and a backup whose data is actually intact are not the same thing. The job log says the copy completed; it does not say every byte arrived unchanged. The same gap appears in every data migration: the records moved, but are the destination files truly identical to the source? For IT ops, MSPs, auditors and migration leads, the trustworthy answer is no longer a verbal assurance — it is documented proof. A backup integrity certificate closes that gap. It records cryptographic hashes for the source and the backup or restored copy, compares them file by file, and prints a plain verdict you can hand to an auditor. This article explains why compliance increasingly asks for that proof, where existing tools stop short, and how e-Dex (formerly Hash Calculator) produces the certificate on your own machine.

Why Compliance Needs a Backup Integrity Certificate

Frameworks and audits no longer accept "the backup ran" as evidence — they want to see that data was not altered. ISO 27001 control sets and SOC 2 examinations look for evidence that backup and restoration controls actually work, not just that a schedule exists. Data-protection regimes such as the DPDP Act and GDPR expect demonstrable integrity in how personal data is handled and retained. Disaster-recovery testing is more credible when each test produces a dated artifact rather than a checkbox. And data-migration sign-off is far cleaner when the project can show, on paper, that the destination is byte-identical to the source. In every one of these cases, a backup integrity certificate turns an internal claim into a portable, reviewable record — useful when you need to prove data is unaltered over its full lifecycle.

The Gap in Existing Tools

Most teams already own capable tools — and that is exactly why the gap is easy to miss. Backup platforms such as Veeam and similar products verify recoverability internally and do excellent work at capturing and restoring systems, but they are not designed to hand you a portable, signed certificate you can drop into an audit pack. At the other end, free integrity utilities such as hashdeep or command-line checksum tools will compute and compare hashes, yet they produce raw output with no attestation, no verdict framing and nothing a reviewer can sign. e-Dex is built to fill precisely that space: a lightweight layer that produces a signed certificate, working alongside whatever backup software you already run. It does not compete with your backup tool — it documents the integrity of what that tool produced.

What e-Dex's Backup Validation Tab Does

The new Backup Validation tab is purpose-built for this job. You point it at two folders — the original Source and the Backup or Restored copy — and e-Dex hashes every file in both, then compares them file by file. The result is an explicit PASS / FAIL verdict supported by four counts that tell the whole story at a glance: matched (identical in both), changed (present in both but different), missing (in the source but not the backup) and extra (in the backup but not the source). A reviewer does not have to read two columns of hex or trust a summary line — the counts and the verdict state exactly what happened.
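The comparison described above can be sketched in a few lines of Python. This is an added example, not e-Dex's own code: the function names, the constructed sample trees and the rule that PASS requires zero changed, missing and extra files are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Stream the file through the hash so large files never sit in memory."""
    digest = hashlib.new(algorithm)  # any name hashlib accepts, e.g. "sha512"
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root, algorithm="sha256"):
    """Map each file's path relative to root (POSIX form) to its hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_trees(source, backup, algorithm="sha256"):
    """Classify every file as matched, changed, missing or extra."""
    src, bak = hash_tree(source, algorithm), hash_tree(backup, algorithm)
    result = {
        "matched": sorted(f for f in src if f in bak and src[f] == bak[f]),
        "changed": sorted(f for f in src if f in bak and src[f] != bak[f]),
        "missing": sorted(f for f in src if f not in bak),
        "extra": sorted(f for f in bak if f not in src),
    }
    # Assumption: PASS only when nothing is changed, missing or extra.
    clean = not (result["changed"] or result["missing"] or result["extra"])
    result["verdict"] = "PASS" if clean else "FAIL"
    return result


def demo(tamper=True):
    """Constructed sample trees; tamper=True alters the backup copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "source"), Path(tmp, "backup")
        for root in (src, bak):
            (root / "db").mkdir(parents=True)
            (root / "a.txt").write_bytes(b"alpha")
            (root / "db" / "data.bin").write_bytes(b"\x00\x01")
            (root / "notes.txt").write_bytes(b"v1")
        if tamper:
            (bak / "notes.txt").write_bytes(b"v2")  # becomes "changed"
            (bak / "a.txt").unlink()                # becomes "missing"
            (bak / "stray.tmp").write_bytes(b"y")   # becomes "extra"
        return compare_trees(src, bak)
```

Content hashes cover file bytes only: empty directories, timestamps and permissions are not compared by this sketch.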

Step by Step

Using it takes a few clicks. Open the Backup Validation tab. Pick your Source folder and your Backup or Restored folder. Choose the hash algorithm: SHA-256 is the sensible default, with SHA-512 and BLAKE3 available where you want them. Click Validate, and e-Dex hashes and compares both locations. Review the verdict and the per-file table to see which files matched, changed, went missing or appeared as extra. When you are satisfied, click Generate to produce the backup integrity certificate, optionally PAdES-signed with a Digital Signature Certificate and RFC-3161 timestamped so the exact moment of validation is sealed against an independent Time-Stamping Authority.

Integrity Attestation vs Recoverability Testing

It is worth being precise about what the certificate claims. e-Dex proves the files are byte-identical to the source and certifies that result — that is integrity attestation. It does not boot the backup, mount it as a system or run a full restore — that is recoverability testing, and it belongs to a restore drill. The two are complementary, not interchangeable: a restore drill shows the backup can come back to life, while the integrity certificate shows the data in it actually matches what you backed up. Strong programs do both; e-Dex gives you the documented, signed half that most toolchains leave undocumented. The underlying logic is the same file-integrity verification that powers an evidence integrity certificate, applied to whole folders.

Use Cases

The Backup Validation tab fits wherever you need to document that data did not drift. Nightly-backup validation can confirm last night's copy is intact before anyone relies on it. Data-migration sign-off compares source against destination so the project can close with evidence, not optimism. Disaster-recovery tests gain a dated, signed artifact for each run. Long-term archival integrity can be re-checked years later against the original hash values. And across all of them, the certificate becomes reusable audit evidence that an external reviewer can verify independently rather than take on faith.

A Note on Assurance

e-Dex documents integrity from the hash values it records; it is a tool, not a guarantee of compliance. The certificate states what the comparison found and the algorithms used, but the signatory remains responsible for the correctness of every fact on it and for whether the certificate is sufficient for its intended purpose — an audit, a migration sign-off or a DR test record. Whether a given framework or examiner accepts it depends on your controls and context, not on the tool. This article is informational and is not legal or compliance advice; confirm what your own obligations require.

Frequently Asked Questions

What is a backup integrity certificate?
A backup integrity certificate is a short, portable document that records the result of comparing a source data set against its backup or restored copy, file by file, using cryptographic hashes. It states a PASS / FAIL verdict together with the counts of matched, changed, missing and extra files, so an auditor or compliance reviewer can see at a glance whether the backup is byte-identical to the source. e-Dex generates this certificate locally and can optionally PAdES-sign and RFC-3161 timestamp it.

How do I prove a backup is unaltered for an audit?
Point e-Dex's Backup Validation tab at the original Source folder and the Backup or Restored folder. It hashes every file in both locations and compares them, producing a PASS / FAIL verdict and a per-file table of matched, changed, missing and extra files. You then generate a backup integrity certificate that documents those hash values and the result. The certificate is the portable evidence you attach to your audit pack; it is documentation of integrity, not an opinion that you have passed any particular standard.

Does e-Dex replace my backup software?
No. e-Dex does not take backups, schedule jobs or restore systems. It is a lightweight verification layer that works alongside whatever backup tool you already use. Your backup software handles capture and recoverability; e-Dex independently hashes the source and the backup or restored copy, confirms they are byte-identical and produces a signed certificate that documents the result.

What is the difference between integrity validation and recoverability testing?
Integrity validation proves the files are byte-identical to the source by comparing their hashes, and e-Dex certifies that result. Recoverability testing proves the backup can actually be restored and the system boots and runs. The two are complementary: e-Dex does not boot or restore the backup, so it does not replace a restore drill, but it does give you documented, signed proof that the data in the backup matches the source.

Does e-Dex need internet or a cloud account?
No. e-Dex runs fully offline on your own Windows machine with no cloud account required. Hashing the source and backup folders, comparing them and generating the backup integrity certificate all happen locally, so your data never leaves your environment. An internet connection is only needed if you choose to apply an RFC-3161 trusted timestamp from a Time-Stamping Authority.

Conclusion

A successful backup job is a start; provable integrity is the standard auditors and migration leads now expect. The backup integrity certificate turns "the backup ran" into a one-page, verifiable fact — these files are byte-identical, shown by a PASS / FAIL verdict and matched, changed, missing and extra counts, and sealed with an optional signature and timestamp. It sits alongside your existing backup and DR tooling, adding the documented proof those tools leave out. You can produce one in minutes, fully offline, on a single Windows machine with e-Dex — the Digital Evidence Integrity Suite. Download it free and start certifying that your backups and migrations are exactly what they should be. For background on the certificate format, see our guide to electronic evidence certificates.