introduce hash-based redaction

api.go

@@ -85,6 +85,32 @@ type SafeFloat = i.SafeFloat
 // SafeRune aliases rune. See the explanation for SafeString.
 type SafeRune = i.SafeRune
 
+// HashValue is a marker interface to be implemented by types whose
+// values should be hashed when redacted, instead of being replaced
+// with the redaction marker.
+type HashValue = i.HashValue
+
+// HashString represents a string that should be hashed when redacted.
+type HashString = i.HashString
+
+// HashInt represents an integer that should be hashed when redacted.
+type HashInt = i.HashInt
+
+// HashUint represents an unsigned integer that should be hashed when redacted.
+type HashUint = i.HashUint
+
+// HashFloat represents a floating-point value that should be hashed when redacted.
+type HashFloat = i.HashFloat
+
+// HashRune represents a rune that should be hashed when redacted.
+type HashRune = i.HashRune
+
+// HashByte represents a byte that should be hashed when redacted.
+type HashByte = i.HashByte
+
+// HashBytes represents a byte slice that should be hashed when redacted.
+type HashBytes = i.HashBytes
+
 // RedactableString is a string that contains a mix of safe and unsafe
 // bits of data, but where it is known that unsafe bits are enclosed
 // by redaction markers ‹ and ›, and occurrences of the markers
@@ -173,3 +199,11 @@ type StringBuilder = builder.StringBuilder
 func RegisterSafeType(t reflect.Type) {
 	ifmt.RegisterSafeType(t)
 }
+
+// EnableHashing enables hash-based redaction with an optional salt.
+// Hash markers (‹†value›) will be replaced with hashes instead of being fully redacted.
+// When salt is nil, hash markers use plain SHA1.
+// When salt is provided, hash markers use HMAC-SHA1 for better security.
+func EnableHashing(salt []byte) {
+	m.EnableHashing(salt)
+}

interfaces/interfaces.go

@@ -158,6 +158,61 @@ type SafeValue interface {
 	SafeValue()
 }
 
+// HashValue is a marker interface to be implemented by types whose
+// values should be hashed when redacted, instead of being replaced
+// with the redaction marker.
+//
+// This allows correlation between log entries while maintaining privacy.
+// The hash is computed during the Redact() call, not at log creation time.
+//
+// Types implementing this interface should alias base Go types.
+// The hash is applied to the string representation of the value.
+type HashValue interface {
+	HashValue()
+}
+
+// HashString represents a string that should be hashed when redacted.
+type HashString string
+
+// HashValue makes HashString a HashValue.
+func (HashString) HashValue() {}
+
+// HashInt represents an integer that should be hashed when redacted.
+type HashInt int64
+
+// HashValue makes HashInt a HashValue.
+func (HashInt) HashValue() {}
+
+// HashUint represents an unsigned integer that should be hashed when redacted.
+type HashUint uint64
+
+// HashValue makes HashUint a HashValue.
+func (HashUint) HashValue() {}
+
+// HashFloat represents a floating-point value that should be hashed when redacted.
+type HashFloat float64
+
+// HashValue makes HashFloat a HashValue.
+func (HashFloat) HashValue() {}
+
+// HashRune represents a rune that should be hashed when redacted.
+type HashRune rune
+
+// HashValue makes HashRune a HashValue.
+func (HashRune) HashValue() {}
+
+// HashByte represents a byte that should be hashed when redacted.
+type HashByte byte
+
+// HashValue makes HashByte a HashValue.
+func (HashByte) HashValue() {}
+
+// HashBytes represents a byte slice that should be hashed when redacted.
+type HashBytes []byte
+
+// HashValue makes HashBytes a HashValue.
+func (HashBytes) HashValue() {}
+
 // SafeMessager is an alternative to SafeFormatter used in previous
 // versions of CockroachDB.
 // NB: this interface is obsolete. Use SafeFormatter instead.

internal/markers/constants.go

@@ -27,6 +27,8 @@ const (
 	EscapeMark  = '?'
 	EscapeMarkS = string(EscapeMark)
 	RedactedS   = StartS + "×" + EndS
+	HashPrefix  = '†'
+	HashPrefixS = string(HashPrefix)
 )
 
 // Internal variables.
@@ -35,6 +37,6 @@ var (
 	EndBytes         = []byte(EndS)
 	EscapeMarkBytes  = []byte(EscapeMarkS)
 	RedactedBytes    = []byte(RedactedS)
-	ReStripSensitive = regexp.MustCompile(StartS + "[^" + StartS + EndS + "]*" + EndS)
-	ReStripMarkers   = regexp.MustCompile("[" + StartS + EndS + "]")
+	ReStripSensitive = regexp.MustCompile(StartS + HashPrefixS + "?" + "[^" + StartS + EndS + "]*" + EndS)
+	ReStripMarkers   = regexp.MustCompile("[" + StartS + EndS + HashPrefixS + "]")
 )

internal/markers/hash.go

@@ -0,0 +1,124 @@
+// Copyright 2025 The Cockroach Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+// implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package markers
+
+import (
+	"crypto/hmac"
+	"crypto/sha1"
+	"encoding/hex"
+	"sync"
+)
+
+/*
+	Hash function implementation notes:
+
+	We use SHA-1 because it provides a good balance of performance and output size
+	for the log correlation use case. SHA-1 is fast and produces compact hashes,
+	making it well-suited for high-throughput logging scenarios.
+
+	When a salt is provided via EnableHashing(), we use HMAC-SHA1 which provides
+	additional security properties and domain separation.
+
+	The hash output is truncated to 8 hex characters (32 bits) to keep log output
+	concise while still providing sufficient collision resistance for typical logging
+	workloads.
+*/
+
+// defaultHashLength is the number of hex characters to use from the SHA-1 hash.
+// 8 hex chars = 32 bits = ~4.3 billion unique values.
+// This provides a good balance between collision resistance and output brevity.
+// For typical logging scenarios with fewer unique sensitive values per analysis window,
+// this collision risk should be acceptable. If not, we can make this configurable in the future.
+const defaultHashLength = 8
+
+var hashConfig = struct {
+	sync.RWMutex
+	enabled bool
+	salt    []byte
+}{
+	enabled: false,
+	salt:    nil,
+}
+
+// EnableHashing enables hash-based redaction with an optional salt.
+// When salt is nil, hash markers use plain SHA1.
+// When salt is provided, hash markers use HMAC-SHA1 for better security.
+func EnableHashing(salt []byte) {
+	hashConfig.Lock()
+	defer hashConfig.Unlock()
+	hashConfig.enabled = true
+	hashConfig.salt = salt
+}
+
+// IsHashingEnabled returns true if hash-based redaction is enabled.
+func IsHashingEnabled() bool {
+	hashConfig.RLock()
+	defer hashConfig.RUnlock()
+	return hashConfig.enabled
+}
+
+// hashString computes a truncated hash of the input string.
+// Uses HMAC-SHA1 if salt is set, otherwise plain SHA1.
+// Must only be called when hashing is enabled (IsHashingEnabled() == true).
+func hashString(value string) string {
+	hashConfig.RLock()
+	salt := hashConfig.salt
+	hashConfig.RUnlock()
+
+	var h []byte
+	if len(salt) > 0 {
+		mac := hmac.New(sha1.New, salt)
+		mac.Write([]byte(value))
+		h = mac.Sum(nil)
+	} else {
+		hasher := sha1.New()
+		hasher.Write([]byte(value))
+		h = hasher.Sum(nil)
+	}
+
+	fullHash := hex.EncodeToString(h)
+	if len(fullHash) > defaultHashLength {
+		return fullHash[:defaultHashLength]
+	}
+	return fullHash
+}
+
+// hashBytes computes a truncated hash of the input byte slice.
+// Uses HMAC-SHA1 if salt is set, otherwise plain SHA1.
+// Must only be called when hashing is enabled (IsHashingEnabled() == true).
+func hashBytes(value []byte) []byte {
+	hashConfig.RLock()
+	salt := hashConfig.salt
+	hashConfig.RUnlock()
+
+	var h []byte
+	if len(salt) > 0 {
+		mac := hmac.New(sha1.New, salt)
+		mac.Write(value)
+		h = mac.Sum(nil)
+	} else {
+		hasher := sha1.New()
+		hasher.Write(value)
+		h = hasher.Sum(nil)
+	}
+
+	fullHash := make([]byte, sha1.Size*2)
+	_ = hex.Encode(fullHash, h)
+
+	if len(fullHash) > defaultHashLength {
+		return fullHash[:defaultHashLength]
+	}
+	return fullHash
+}