Blog Details

Introduction

Records, compliance and IT teams spend a lot of effort moving data into long-term storage — tape libraries, WORM vaults, optical media, cold object storage — to satisfy retention mandates that can run for years or decades. But moving data is only half the job. The harder question arrives later: can you prove the archive is exactly what it was on the day it was archived? A data archival certificate answers that. It is a short, readable document that captures the integrity state of an archive at the moment of archival — the archive's identity, its retention period, and a per-file list of cryptographic hashes — sealed with an overall SHA-256 value. This article explains what the certificate contains, who needs it, and how e-Dex (formerly Hash Calculator) generates one on your own machine, fully offline.

What a Data Archival Certificate Is

A data archival certificate makes a precise claim: that a defined set of files was archived from a named source system to a named archival system on a recorded date, and that the cryptographic hashes of those files at that moment are the ones reproduced in the certificate. It is a point-in-time integrity snapshot, not a description of who can access the data or whether the media can still be restored. Its purpose is to give you a trustworthy baseline: a recorded set of hashes you can compare against at any future point in the retention window to confirm nothing has drifted, degraded or been tampered with.

What's Inside the Certificate

The certificate is built from real, structured fields. It records the archive identity — the case or archive reference and the organisation responsible. It captures the retention and archival metadata: the archival system (for example, an LTO-9 tape plus WORM vault), the retention period (such as eight years), the archival date, and the source system the data came from. It then carries a per-file annexure, listing each file by name, size and verification status, with its SHA-256 hash printed beneath it. A summary line totals the files, bytes, matches and mismatches, and a verification block states how many files were verified, failed or errored. Finally a declaration sets out, in plain language, that the data was archived from the identified source to the recorded system, that the hashes were computed with e-Dex, and that the stated verification result reflects the integrity of the archived data. The whole document is bound together by an integrity SHA-256 seal computed over its sealed content, so the certificate itself is tamper-evident.

Where It's Used

The certificate fits any situation where you must show that retained data is intact. Legal hold teams attach it to preserved datasets so the held material can be shown to be unchanged from the day it was secured. Long-term retention programmes use it to satisfy statutory or regulatory retention mandates with a verifiable record rather than a bare assertion. WORM and cold-storage operators issue it as an attestation that what was written to immutable or offline media matches a recorded set of hashes. And records management functions use it as the integrity layer of their archive catalogue, so that any archive can be re-checked on demand. It pairs naturally with our backup integrity certificate for compliance, which covers the related question of whether a backup copy matches its source.

How e-Dex Generates It

In e-Dex you open the Certificate Generator and choose the Data Archival template. You fill in the archive fields — archive reference, organisation, source system, archival system, retention period and archival date — and add the files that make up the archive. e-Dex computes each file's hash, builds the annexure and summary, and produces the certificate with its SHA-256 seal. Where you need stronger assurance, you can apply a PAdES digital signature using a Digital Signature Certificate, and attach an RFC-3161 trusted timestamp that fixes the exact time the certificate was produced. You then export the finished document as a PDF for your records. The key benefit comes later: to re-validate the archive years on, you simply re-hash the archived files with e-Dex and compare the results against the annexure. If every value matches, the archive is provably intact; if any differs, you have located the file that changed. For the signing and timestamping mechanics in detail, see our guide to signing and timestamping a forensic certificate with PAdES and RFC-3161.

Verifying Offline

Everything that matters about the certificate can be checked without an internet connection. The integrity seal is reproducible: a verifier recomputes SHA-256 over each line of the certificate's sealed content, followed by a newline, and confirms the result equals the stated hash — proving the certificate text has not been altered. The archive itself is checked the same way: re-hash each file and compare against the annexure value. Because e-Dex runs entirely on your own Windows machine, none of this exposes your archived data to a network. Only the optional RFC-3161 timestamp step contacts an external authority. This offline-first design is the same one behind our evidence integrity certificate, which proves an individual set of files is unaltered.

Frequently Asked Questions

What is a data archival certificate?
A data archival certificate is a one-page document that records the identity of an archive, its retention period and archival date, the source and destination systems, and a per-file annexure of cryptographic hashes, sealed with an overall SHA-256 value. It captures the integrity state of the archived data at the moment it was archived, so you can re-verify years later that nothing has changed.

Does a data archival certificate need an internet connection?
No. e-Dex runs fully offline on your own Windows machine. Hashing the archived files, computing the SHA-256 seal and generating the certificate all happen locally, so your data never leaves your computer. An internet connection is only needed if you choose to apply an RFC-3161 trusted timestamp from a Time-Stamping Authority.

How do I re-verify an archive years after it was created?
Open the original data archival certificate and re-hash the archived files with e-Dex using the same algorithm recorded in the annexure. Compare each computed hash against the value printed on the certificate. If every hash matches, the archive is intact; if any value differs, that file has changed or degraded. You can also recompute the SHA-256 seal over the sealed content to confirm the certificate itself is unaltered.

Is a data archival certificate proof that data can still be restored?
No. A data archival certificate is an integrity attestation, not a recoverability test. It proves the archived files match the hashes recorded at the moment of archival, which means they have not been altered. It does not test whether your tape, optical media or cold-storage system can still be read or restored. Recoverability should be checked separately through periodic restore tests.

Which hash algorithms does e-Dex use for archival?
e-Dex supports SHA-256, SHA-512 and BLAKE3, all modern collision-resistant algorithms. The annexure records the per-file hash, and the certificate as a whole is sealed with a SHA-256 value computed over its sealed content. Recording a strong algorithm at archival time means the same algorithm can be used to re-verify the files for the full length of the retention period.

Conclusion

A data archival certificate turns "we archived this" into a verifiable fact: these files, archived from this source to this system on this date, carried exactly these hashes — and you can prove it again at any point in the retention period by re-hashing and comparing. For records, compliance and IT teams under long-term retention mandates, it is the integrity backbone of the archive. You can produce one in minutes, offline, on a single Windows machine with e-Dex — the Digital Evidence Integrity Suite. Download it free and start certifying your archives are intact from the moment they are stored.