Blog Details

Introduction

Anyone who hands a database extract to someone else eventually faces the same question: is this export exactly what it was when you produced it? A DBA shipping a snapshot to an auditor, a compliance team submitting a dataset to a regulator, a litigant producing transaction records as evidence, a migration lead capturing a baseline before a cutover — all of them need a clean way to show the data has not been altered or corrupted in transit. A database integrity certificate is that proof. It records a cryptographic hash of the exported database file, a verification result, and a sealed declaration on one readable page. This article explains what it contains, when to use it, and how e-Dex (formerly Hash Calculator) produces one entirely on your own machine.

What a Database Integrity Certificate Is

It is important to be precise about the claim. A database integrity certificate does not certify a live, running database. A live database changes with every transaction, so its bytes are never stable enough to hash. What the certificate actually certifies is a database export or dump file — a frozen snapshot you produced with a tool like mysqldump, pg_dump, or a scheduled backup job. Once that file exists, its contents are fixed, and a hash over it becomes a fingerprint that anyone can recompute later. The certificate binds that fingerprint to a description of where the export came from and how it was made, so a recipient can confirm the file they hold is byte-for-byte the one you certified.

What's Inside the Certificate

e-Dex builds the certificate from real, verifiable fields rather than free text. A typical database integrity certificate carries:

Database and export identity — the source system and version (for example MySQL 8.0), the database name, the export method (such as mysqldump --single-transaction), the record count and the date window the snapshot covers, so the reader knows precisely what was captured.
Dump file(s) annexure with hashes — each exported file is listed by name and size with its SHA-256 value and a per-file status, plus a summary line counting files, matches, mismatches and errors.
Verification result — an explicit tally of how many files verified, failed or errored, so the outcome is visible at a glance.
Integrity SHA-256 seal — a hash computed over the certificate's own content lines, so the document itself is tamper-evident; change one character and the seal no longer matches.
Declaration — a signed statement that the export was produced from the identified system by the recorded method, that the hashes were computed with e-Dex, and that the verification result accurately and completely reflects the integrity of the files.

Where You'd Use One

The certificate fits any moment where a database extract must be demonstrably intact. Audit snapshots — freeze a year-end transaction table and certify it so the auditor can prove later that the figures were not touched after hand-off. Regulatory data submissions — attach the certificate to a dataset filed with a regulator so both sides share a fixed reference hash. Dispute and litigation evidence — produce transaction records with a hash that backs their integrity if they are later challenged. Migration baselines — capture and certify the source database before a migration or upgrade, giving you a trusted reference to reconcile against once the cutover is done.

How e-Dex Generates It

The workflow is short. First, export the database to a file using your normal tooling — a SQL dump, a CSV extract, or a backup archive. Second, hash that file in e-Dex, which computes its SHA-256 fingerprint and records the size. Third, open the Certificate Generator, pick the Database Integrity template, and fill in the export identity fields (system, database name, method, record count, window). e-Dex assembles the annexure and verification result, then computes the integrity SHA-256 seal over the document. Optionally sign and timestamp it — apply a PAdES digital signature with a Digital Signature Certificate on a USB token, and attach an RFC-3161 trusted timestamp — and finally export the PDF. Only the timestamp step touches the internet; everything else is local.

Verifying It Offline

Verification is just as simple and works on any Windows machine without a network. Recompute the SHA-256 hash of the dump file and compare it to the value in the annexure — if they match, the export is unaltered since it was certified. You can also re-check the certificate's own integrity seal by recomputing the hash over its sealed content lines; a matching seal confirms the certificate itself has not been edited. Because the proof is a plain cryptographic hash, anyone — auditor, regulator, opposing party or a future colleague — can reproduce the check independently with offline verification of a digital evidence certificate, no trust in e-Dex required.

How It Relates to Other Certificates

The database integrity certificate is a focused member of a family. The broader evidence integrity certificate proves any set of files is unaltered, while the backup integrity certificate for compliance attests that a backup matches its source. The database variant simply tailors the same hashing core to the export-and-dump workflow, capturing database-specific identity such as the system, export method and record count so the snapshot's provenance is clear.

Frequently Asked Questions

Does a database integrity certificate certify a live running database?
No. A database integrity certificate certifies the hash of a database export or dump file — a snapshot frozen at the moment you exported it. A live database keeps changing as transactions are written, so its bytes are never stable enough to hash meaningfully. e-Dex certifies the exported file (for example a mysqldump or pg_dump output), not the live server, and the certificate records the export method and the moment the snapshot was taken.

What is inside a database integrity certificate?
It records the database and export identity (system, name, export method, record count and time window), an annexure listing each dump file with its size and SHA-256 hash, an overall verification result, an integrity SHA-256 seal computed over the certificate's own content, and a signed declaration that the hashes were computed with e-Dex and accurately reflect the integrity of the exported files.

Does e-Dex need an internet connection to certify a database export?
No. e-Dex runs fully offline on your own Windows machine. Hashing the dump file, building the certificate and computing the SHA-256 integrity seal all happen locally, so your database export never leaves your computer. An internet connection is only needed if you choose to apply an RFC-3161 trusted timestamp from a Time-Stamping Authority.

How do I verify a database integrity certificate later?
Recompute the SHA-256 hash of the dump file and compare it to the value in the annexure; if they match, the export is unaltered. You can also re-verify the certificate's own SHA-256 seal by recomputing the hash over its sealed content lines. Both checks run offline with e-Dex on any Windows machine, with no internet required.

Which hash does the database integrity certificate use?
The dump files in the annexure and the certificate's own integrity seal both use SHA-256, a modern collision-resistant hash. e-Dex can also compute SHA-512 and BLAKE3 if you need to record additional algorithms alongside SHA-256 for a particular workflow or recipient.

Conclusion

A database integrity certificate turns "trust me, the export is intact" into a one-page, verifiable fact: this dump file carries this SHA-256 hash, and the seal proves the certificate itself is unchanged. It is the right tool for audit snapshots, regulatory submissions, dispute evidence and migration baselines — anywhere a frozen database extract needs defensible proof of integrity. Remember the boundary: e-Dex certifies the exported file, not the live database behind it. You can produce a certificate in minutes, offline, on a single Windows machine with e-Dex — the Digital Evidence Integrity Suite. Download it free and start certifying your database exports today.