How Boundary validates data integrity in the external object store
This feature requires HCP Boundary or Boundary Enterprise
When a Boundary worker uploads a BSR file to AWS S3 through the Boundary AWS plugin, the plugin calculates the SHA256 checksum of the contents of the BSR file and attaches this information to the object that is uploaded to S3. The SHA256 checksum value attached to the S3 object is returned to the Boundary worker. The Boundary worker then calculates the SHA256 checksum of the BSR file's contents on its local disk and compares it to the value the plugin returned.
This process ensures that no tampering of BSR files occurs between the worker, plugin, and S3. The SHA256 checksum value generated by the plugin is not a part of the BSR file structure and should not be confused with how Boundary cryptographically verifies the BSR directory's contents.
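The worker-side comparison described above can be sketched in Go as follows. This is an added example, not code from Boundary or the AWS plugin: the names `digest`, `verifyUpload`, and `ErrChecksumMismatch` are hypothetical, and it assumes the checksum comes back as the base64 encoding of the raw SHA256 digest.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrChecksumMismatch means the local content differs from what was stored.
var ErrChecksumMismatch = errors.New("sha256 mismatch between local file and uploaded object")

// digest streams r (for example an *os.File) so large recordings stay out of memory.
func digest(r io.Reader) ([]byte, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// verifyUpload compares the worker-side digest with the checksum reported back
// after upload. Assumption: the reported value is base64 of the raw digest.
func verifyUpload(local io.Reader, reportedB64 string) error {
	reported, err := base64.StdEncoding.DecodeString(reportedB64)
	if err != nil || len(reported) != sha256.Size {
		return fmt.Errorf("malformed reported checksum %q", reportedB64)
	}
	sum, err := digest(local)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(sum, reported) != 1 {
		return ErrChecksumMismatch
	}
	return nil
}

func main() {
	// Constructed bytes standing in for a BSR file; not real recording data.
	want := sha256.Sum256([]byte("constructed recording bytes"))
	reported := base64.StdEncoding.EncodeToString(want[:])
	fmt.Println(verifyUpload(strings.NewReader("constructed recording bytes"), reported))
	fmt.Println(verifyUpload(strings.NewReader("constructed recording bytez"), reported))
}
```

A malformed or truncated checksum is reported as its own error rather than as a mismatch, so a broken response is not mistaken for modified file contents.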
For more information, refer to the overview of configuring session recording.