Most of us have built an audit logging system at some point. The standard playbook is predictable: you hook into Entity Framework Core's SaveChanges interceptor or write a database trigger, capture the OldValues and NewValues as JSON, stamp it with a UserId and Timestamp, and save it to an AuditLogs table.
Management is happy. The compliance checklist is ticked.
But there’s a massive blind spot in this architecture: What happens if the person tampering with the data is the Database Administrator (DBA) or a developer with direct production access?
Traditional audit logs provide history, not proof. If an attacker (or a compromised admin account) alters a financial record, they can easily execute an UPDATE or DELETE on the AuditLogs table to cover their tracks.
To solve this, we need to move from "Trust Me" logging to Zero-Trust, Tamper-Evident logging.
Here is how I built EfCore.TamperEvident, an open-source architectural solution to this exact problem, and the engineering hurdles I had to overcome along the way.
The Core Concept: Cryptographic Hash Chaining
To make a database tamper-evident, we borrow the foundational concept of blockchain: Cryptographic Hash Chains.
Instead of just saving rows independently, every single audit log is mathematically bound to the log that came right before it.
When a record is updated, the system generates a SHA-256 hash that includes the payload (Table, Action, JSON values, Timestamp) PLUS the hash of the previous transaction.
CurrentHash = SHA256(PreviousHash + TableName + RecordId + Action + Payload + Timestamp)
If someone manually alters a past record or deletes a row, the CurrentHash of that row changes. Because the next row relies on the old hash, the chain instantly breaks. A verification engine can scan the table and point out the exact ID where the manipulation occurred.
The 3 Major Engineering Hurdles
Implementing this in a high-traffic CRM or ERP isn't as simple as just hashing strings. I had to solve three critical problems:
- The "Hash Recalculation" Attack (DBA Loophole)
The Problem: Hash chains protect against regular users. But a DBA with full access could alter a record 3 months ago, write a quick script to recalculate all the hashes from that point to the present day, and quietly update the entire AuditLogs table. The chain would look perfectly valid.
The Solution (SMTP Anchoring): The database cannot be trusted to verify itself. Periodically (e.g., every 500 records), the interceptor generates a "Root Hash" and emails it to a secure, external compliance inbox. If a DBA rewrites history, the new hashes in the database will never match the anchors stored in that external inbox.
- The Auto-Increment (IDENTITY) Nightmare
The Problem: When inserting a new entity in EF Core, the Primary Key is usually 0 until it is actually saved to the database. If you generate your hash before saving, your hash uses 0 as the ID. When the verification engine runs later, it reads the actual ID (e.g., 45), recalculates the hash, and it fails.
The Solution: I had to implement a Two-Phase Commit Interceptor. It captures the original JSON states in SavingChangesAsync (Phase 1), lets the database generate the ID, and then safely calculates the hash and saves the log in SavedChangesAsync (Phase 2), all while keeping everything inside a single, atomic database transaction using ConditionalWeakTable to prevent memory leaks.
- Concurrency and Race Conditions
The Problem: If 50 users update the Orders table at the exact same millisecond, they all read the exact same PreviousHash. This creates a chain fork, completely destroying the integrity of the audit trail.
The Solution: Native row-level locking. Before calculating the hash, the interceptor applies a deterministic lock (UPDLOCK in SQL Server, FOR UPDATE in PostgreSQL/MySQL) to a state table. This forces concurrent transactions into a strict, millisecond-level queue without locking the entire database.
Introducing EfCore.TamperEvident
Instead of reinventing the wheel for every project, I packaged this entire architecture into a plug-and-play NuGet library: EfCore.TamperEvident.
It supports SQL Server, PostgreSQL, and MySQL out of the box. You don't need to change any of your business logic. You simply add the tables to your DbContext and register the interceptor:
C#
builder.Services.AddDbContext<MyDbContext>(options =>
{
options.UseSqlServer("...");
options.UseTamperEvidentAudit(audit =>
{
audit.DbProvider = DatabaseProvider.SqlServer;
audit.TrackedOperations = AuditOperation.All;
// Anti-DBA Anchoring
audit.AnchorThreshold = 500;
audit.SmtpHost = "smtp.company.com";
// ... SMTP credentials ...
});
});
Whenever you call _context.SaveChangesAsync(), the library securely builds the hash chain in the background.
If you suspect foul play, you can run the verification engine—passing in the anchor keys from your email—to instantly audit the table:
C#
var verifier = new AuditVerifier(_context);
var result = await verifier.VerifyTableIntegrityAsync("Orders", providedAnchors);
// Output: "SECURITY ALERT: MANIPULATION! The payload of record ID: 847 has been externally modified."
Wrapping Up
Building a system that assumes its own database administrators might be hostile fundamentally changes how you design software. If you are building FinTech, Healthcare (HIPAA), or compliance-heavy enterprise systems, standard audit logs are simply a false sense of security.
I’ve open-sourced the entire project. You can check out the source code, inspect the two-phase commit logic, or drop a star on the repository here:
🔗 [GitHub Repository Link - https://github.com/furkiak/EfCore.TamperEvident]
📦 [NuGet Package Link - https://www.nuget.org/packages/EfCore.TamperEvident/]
I'd love to hear your thoughts on this architecture. How do you currently handle high-integrity audit logging in your systems? Let's discuss in the comments!
Top comments (1)
Elegant solution. Love this