How can I reproduce the hash derivation of promtail in order to query for obfuscated data?

57 views Asked by At

I'm using a log aggregation setup where sensitive data that is prepared for submission to loki is obfuscated with Promtail's Hash filter under consideration of a salt value.

I want to dispatch a query with Grafana to look for a specific value that would have been transformed in that way. Therefore I have to calculate what Promtail would derive from that value.

I assume I could reproduce the result on a current Ubuntu Desktop OS like this:

$ echo "Value of interest" | shasum -a 256 -

But how would I have to bring the salt value into the equation?

1

There are 1 answers

0
markalex On BEST ANSWER

As can be seen here functions Hash and Sha2Hash both simply invoke hashing functions over simple concatenation of salt and input value:

"Hash": func(salt string, input string) string {
    hash := sha3.Sum256([]byte(salt + input))
    return hex.EncodeToString(hash[:])
},
"Sha2Hash": func(salt string, input string) string {
    hash := sha256.Sum256([]byte(salt + input))
    return hex.EncodeToString(hash[:])
},

Note that the documentation proposes a configuration where value and salt are swapped, which must be considered if you followed it. Also, it must be ensured that no newline character is added when using echo. Thus, using rhash in this example, the hash can be derived with:

echo -n "Value of interest""salt" | rhash --sha3-256 -

The "inner" consecutive quote characters only serve clarity, they could be omitted.