Cryptographic Hashing in Go: SHA-256, HMAC, and bcrypt

April 1, 2026 3 min read By CodeTidy Team

The Hidden Dangers of Insecure Hashing

Have you ever stopped to think about the security implications of storing sensitive data, like passwords or financial information, in your Go application? We've all been there: rushing to meet a deadline, we overlook the importance of proper cryptographic hashing. But the consequences can be severe. A single mistake can lead to a data breach, compromising your users' trust and your reputation.

Table of Contents

  • Understanding Cryptographic Hashing in Go
  • SHA-256: A Secure Hashing Algorithm
  • HMAC: Keyed-Hash Message Authentication
  • bcrypt: Adaptive Password Hashing
  • File Hashing Example
  • Key Takeaways
  • FAQ

Understanding Cryptographic Hashing in Go

Cryptographic hashing is a one-way process that transforms input data of any size into a fixed-size string of characters, known as a message digest or hash value. In Go, we have several libraries at our disposal to handle cryptographic hashing, including crypto/sha256, crypto/hmac, and golang.org/x/crypto/bcrypt. Let's dive into each of these libraries and explore their use cases.

SHA-256: A Secure Hashing Algorithm

SHA-256 (Secure Hash Algorithm 256) is a widely used cryptographic hash function that produces a 256-bit (32-byte) hash value. It's commonly used for data integrity and authenticity verification. Here's an example of how to use SHA-256 in Go:

package main

import (
	"crypto/sha256"
	"fmt"
)

func main() {
	data := []byte("Hello, World!")
	// Sum256 hashes the whole input in one call and returns a [32]byte array.
	hash := sha256.Sum256(data)
	fmt.Printf("%x\n", hash)
}

In this example, we pass our input data to the sha256.Sum256 function, which computes the digest in a single call and returns it as a 32-byte array; no separate hash object is needed. The resulting hash value is printed to the console in hexadecimal.

HMAC: Keyed-Hash Message Authentication

HMAC (Keyed-Hash Message Authentication Code) is a type of MAC (Message Authentication Code) that uses a cryptographic hash function and a secret key to authenticate messages. In Go, we can use the crypto/hmac package to create an HMAC object. Here's an example:

package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

func main() {
	key := []byte("secret key")
	data := []byte("Hello, World!")
	// Name the variable mac so it does not shadow the hmac package.
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	tag := mac.Sum(nil)
	fmt.Printf("%x\n", tag)
}

In this example, we create a new HMAC object using the hmac.New function, passing in the SHA-256 hash constructor (sha256.New) and our secret key. We then write our input data to the HMAC object using the Write method and retrieve the resulting authentication tag using the Sum method.
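The receiving side of this exchange, as an added example that is not part of the original post: it recomputes the tag and compares it with hmac.Equal, which runs in constant time. The Sign and Verify helpers, the key and the messages are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Sign returns the hex-encoded HMAC-SHA256 tag of msg under key.
func Sign(key, msg []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg) // hash.Hash.Write never returns an error
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the tag and compares it in constant time.
// A malformed or truncated tag is rejected outright, never partially matched.
func Verify(key, msg []byte, tagHex string) bool {
	got, err := hex.DecodeString(tagHex)
	if err != nil || len(got) != sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return hmac.Equal(got, mac.Sum(nil))
}

func main() {
	// Constructed sample values; a real key comes from crypto/rand or a secret store.
	key := []byte("constructed-demo-key")
	msg := []byte(`{"order":1001,"amount":"25.00"}`)
	tag := Sign(key, msg)

	fmt.Println("genuine message: ", Verify(key, msg, tag))
	fmt.Println("tampered message:", Verify(key, []byte(`{"order":1001,"amount":"99.00"}`), tag))
	fmt.Println("wrong key:       ", Verify([]byte("other-key"), msg, tag))
	fmt.Println("truncated tag:   ", Verify(key, msg, tag[:16]))
}
```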

bcrypt: Adaptive Password Hashing

bcrypt is an adaptive password hashing algorithm that's designed to be slow and computationally expensive, making it more resistant to brute-force attacks. In Go, we can use the golang.org/x/crypto/bcrypt package to hash passwords with bcrypt. Here's an example:

package main

import (
	"fmt"

	"golang.org/x/crypto/bcrypt"
)

func main() {
	password := []byte("mysecretpassword")
	// The second argument is the cost factor; higher values make hashing slower.
	hash, err := bcrypt.GenerateFromPassword(password, 12)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(string(hash))
}

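In this example, we call the bcrypt.GenerateFromPassword function, passing in our password and a cost factor (in this case, 12). The resulting hash value is printed to the console. The returned hash embeds the cost and a random salt, so it can be stored as a single string and later checked with bcrypt.CompareHashAndPassword.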

File Hashing Example

Let's say we want to hash the contents of a file using SHA-256. We can use the crypto/sha256 package to create a hash object and read the file contents into it. Here's an example:

package main

import (
	"crypto/sha256"
	"fmt"
	"io"
	"os"
)

func main() {
	file, err := os.Open("example.txt")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer file.Close()

	// io.Copy streams the file into the hash, so it is never held in memory whole.
	hash := sha256.New()
	_, err = io.Copy(hash, file)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("%x\n", hash.Sum(nil))
}

In this example, we open the file example.txt and create a new SHA-256 hash object. We then read the file contents into the hash object using the io.Copy function and retrieve the resulting hash value using the Sum method.
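Going one step further than the example above, the following added code (not part of the original post) checks a file against an expected SHA-256 digest using a constant-time comparison. The FileSHA256 and VerifyFile helpers and the temp file are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"os"
)

// FileSHA256 streams the file through SHA-256 instead of loading it into memory.
func FileSHA256(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// VerifyFile compares the file's digest with expectedHex; a malformed digest is an error.
func VerifyFile(path, expectedHex string) (bool, error) {
	want, err := hex.DecodeString(expectedHex) // accepts upper- and lower-case hex
	if err != nil || len(want) != sha256.Size {
		return false, fmt.Errorf("expected digest must be %d hex characters", 2*sha256.Size)
	}
	got, err := FileSHA256(path)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	// Constructed sample: a temp file holding "abc", checked against SHA-256("abc").
	f, err := os.CreateTemp("", "sample-*.txt")
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.WriteString("abc")
	f.Close()
	ok, err := VerifyFile(f.Name(), "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
	fmt.Println("match:", ok, "error:", err)
}
```

Returning an error for a malformed digest, separately from a plain mismatch, lets the caller tell a corrupted checksum entry apart from a modified file.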

Key Takeaways

  • Always use a secure hashing algorithm for sensitive data: SHA-256 for integrity and authenticity checks, bcrypt for stored passwords.
  • Use HMAC to authenticate messages and ensure data integrity.
  • Use bcrypt for adaptive password hashing.
  • Always verify the integrity of data by comparing the expected hash value with the actual hash value.

FAQ

Q: What's the difference between SHA-256 and HMAC?

A: SHA-256 is a cryptographic hash function that produces a fixed-size hash value, while HMAC is a type of MAC that uses a cryptographic hash function and a secret key to authenticate messages.

Q: Why should I use bcrypt for password hashing?

A: bcrypt is an adaptive password hashing algorithm that's designed to be slow and computationally expensive, making it more resistant to brute-force attacks.

Q: How do I verify the integrity of data using SHA-256?

A: To verify the integrity of data, compare the expected hash value with the actual hash value using a secure comparison function.
