---
title: "HMAC-SHA256 — Glossary | LLMind"
description: "A keyed message-authentication code built on SHA-256 — LLMind's default signing primitive for LRFS layers."
url: https://llmind.org/glossary/hmac-sha256/
source_format: html
---
# HMAC-SHA256

**A keyed message-authentication code built on SHA-256 — LLMind's default signing primitive for LRFS layers.**

HMAC (Hash-based Message Authentication Code) combines a secret key with a cryptographic hash function — in this case SHA-256 — to produce a fixed-length authentication code. The sender computes the HMAC over a message using a shared secret key; the recipient recomputes the HMAC with the same key and message and compares the result to detect tampering.

## What it is

HMAC is symmetric: both producer and consumer hold the same secret key. Unlike asymmetric signing (ed25519), where a public key verifies what a private key signed, HMAC requires shared trust. If you and a colleague both know a password, you can use HMAC to prove to each other that a message came from your team without revealing the password to outsiders.

## Why LLMind uses it

LRFS primarily targets private corpora where the producer and consumer of files share a key or password. Symmetric signing with HMAC is fast, widely supported across languages, and straightforward to implement in embedded file metadata. For public verification or untrusted recipients, LRFS also supports ed25519, where the recipient only needs a public key to verify the signature.

## Security properties

HMAC-SHA256 is collision-resistant: any change to the message or key produces a completely different authentication code, and without the key an attacker cannot compute a valid code for an altered message. This makes it suitable for detecting tampering. The key length matters: strong, random keys are essential. In LLMind workflows, the HMAC key is typically derived from a shared secret (e.g., a password) or obtained from a key-management service.
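The compute-and-compare flow and the password-derived key described above, shown as an added example (not LLMind's or LRFS's own code). The JSON layer, its canonical serialization, the PBKDF2 parameters and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch a password into a 32-byte HMAC key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def canonical_bytes(layer: dict) -> bytes:
    """Serialize deterministically so both sides authenticate identical bytes."""
    return json.dumps(layer, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_layer(layer: dict, key: bytes) -> str:
    """Return the hex HMAC-SHA256 tag over the canonical form of the layer."""
    return hmac.new(key, canonical_bytes(layer), hashlib.sha256).hexdigest()


def verify_layer(layer: dict, tag_hex: str, key: bytes) -> bool:
    """Recompute the tag and compare it to the received one."""
    expected = sign_layer(layer, key)
    # compare_digest takes constant time, so a mismatch leaks no timing hint
    # about how many leading characters of a forged tag were correct.
    return hmac.compare_digest(expected.encode("utf-8"), tag_hex.encode("utf-8"))


def demo() -> dict:
    # Constructed sample values; generate the salt with os.urandom(16) in practice.
    salt = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    key = derive_key("correct horse battery staple", salt)
    layer = {"file": "report.pdf", "summary": "Q3 results", "version": 1}
    tag = sign_layer(layer, key)
    tampered = dict(layer, summary="Q3 results (edited)")
    wrong_key = derive_key("wrong password", salt)
    return {
        "tag_len": len(tag),                                 # 64 hex chars = 256 bits
        "valid": verify_layer(layer, tag, key),              # untouched layer, right key
        "tampered": verify_layer(tampered, tag, key),        # one field changed
        "wrong_key": verify_layer(layer, tag, wrong_key),    # key from another password
    }


if __name__ == "__main__":
    print(demo())
```

The salt is not secret and travels with the tag; only the password or derived key must stay private.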

## Related terms

-   [File checksum](https://llmind.org/glossary/file-checksum/)
-   [Tamper-evident metadata](https://llmind.org/glossary/tamper-evident-metadata/)
-   [Signed semantic metadata](https://llmind.org/glossary/signed-semantic-metadata/)

## See also

-   [Signing scheme (/spec/signing-scheme/)](https://llmind.org/spec/signing-scheme/)
-   [Security (/security/)](https://llmind.org/security/)
-   [Learn](https://llmind.org/learn/)
